#30100 closed New feature (wontfix)
Add a Validator that uses Troy Hunts Have I been pwned Database to validate passwords.
| Reported by: | Logan | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 2.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Add an optional validator that would use the Hash API(https://haveibeenpwned.com/API/v2#PwnedPasswords) in Troy Hunt's Database of pwned passwords. To increase the unique password requirements.
I have created an example validator that could be improved upon if interested (remove dependency of requests), https://gist.github.com/loganstartoni/213e1043314affb56eafc02885494f40.
I think this feature could increase awareness of the database as well as alerting users to the vulnerability of the common passwords that they are reusing.
The Validator as written makes an API call to the haveibeenpwned api and checks the returned hashes against the user inputted password. If the password is pwned it then alerts the user to how many times the password has be pwned.
Change History (2)
comment:1 by , 5 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:2 by , 5 years ago
This is available in the pwned-passwords-django package by James Bennett: https://pypi.org/project/pwned-passwords-django/ :)
I think that's a good candidate for a third-party package. If it matures and gets widespread adoption, we could consider including it in
contrib.auth, however, I think that most projects won't want a network dependency for validating passwords. In that case, please make your proposal on the DevelopersMailingList as it reaches a wider audience than this ticket tracker.