[Django] #30100: Add a Validator that uses Troy Hunt's Have I been pwned Database to validate passwords.


Django

Jan 13, 2019, 12:23:52 AM1/13/19
to django-...@googlegroups.com
#30100: Add a Validator that uses Troy Hunt's Have I been pwned Database to validate passwords.
----------------------------------------+------------------------
Reporter: Logan | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: 2.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+------------------------
Add an optional validator that would use the Hash
API (https://haveibeenpwned.com/API/v2#PwnedPasswords) in Troy Hunt's
database of pwned passwords, to increase the unique password requirements.

I have created an example validator that could be improved upon if
interested (remove dependency of requests),
https://gist.github.com/loganstartoni/213e1043314affb56eafc02885494f40.

I think this feature could increase awareness of the database as well as
alerting users to the vulnerability of the common passwords that they are
reusing.

The Validator as written makes an API call to the haveibeenpwned API and
checks the returned hashes against the user-inputted password. If the
password is pwned, it then alerts the user to how many times the password
has been pwned.

--
Ticket URL: <https://code.djangoproject.com/ticket/30100>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
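The flow the ticket describes, as an added stand-alone example (not the reporter's gist and not the pwned-passwords-django package): hash the password locally, send only the first five hex characters of the SHA-1 to the range endpoint, compare the remaining suffix against the returned list on the host, and reject with the breach count. The class name, the fake fetcher and the sample response are constructed for this example; the https://api.pwnedpasswords.com/range/ endpoint is the service's k-anonymity API, and the network-failure policy (fail open or closed) is left to the operator because, as the thread notes, this adds a network dependency to password validation.

```python
import hashlib
import urllib.request
# Constructed sample of a Pwned Passwords "range" response for prefix 5BAA6 (the
# prefix of SHA-1("password")); one "<35-hex suffix>:<count>" per line, counts made up.
SAMPLE_RANGE_RESPONSE = """1E2C19B6F8A5B4C32C4D2C2B0F7E0E5D0A1:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F1A0F32B64D5E6F7A8B9C0D1E2F3A4B5C6:0"""

class PwnedPasswordError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError in a real project."""
def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    # Only the first 5 hex chars of the SHA-1 leave the host (k-anonymity range query).
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def http_fetch_range(prefix: str, timeout: float = 3.0) -> str:
    # Live lookup against the range endpoint; the offline check below never calls it.
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch_range) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def fake_fetch_range(prefix: str) -> str:
    # Offline stand-in for http_fetch_range built on the constructed sample above.
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""
class PwnedPasswordValidator:
    """Shape of a Django AUTH_PASSWORD_VALIDATORS entry (hypothetical class name)."""
    def __init__(self, fetch_range=http_fetch_range, fail_open: bool = False):
        self.fetch_range, self.fail_open = fetch_range, fail_open
    def validate(self, password: str, user=None) -> None:
        try:
            count = pwned_count(password, self.fetch_range)
        except OSError:  # timeout, DNS failure, HTTP error: the operator picks the policy
            if self.fail_open:
                return
            raise PwnedPasswordError("Breach database unreachable; password not accepted.")
        if count:
            raise PwnedPasswordError(f"This password has been seen {count} times in breaches.")
```

In a Django project the validator would raise `ValidationError` instead and be listed in `AUTH_PASSWORD_VALIDATORS`; the offline `fake_fetch_range` is only there so the logic can be exercised without network access.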

Django

Jan 13, 2019, 6:56:49 AM1/13/19
to django-...@googlegroups.com
#30100: Add a Validator that uses Troy Hunt's Have I been pwned Database to validate passwords.
------------------------------+--------------------------------------
Reporter: Logan | Owner: nobody
Type: New feature | Status: closed
Component: contrib.auth | Version: 2.2
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by Tim Graham):

* status: new => closed
* resolution: => wontfix


Comment:

I think that's a good candidate for a third-party package. If it matures
and gets widespread adoption, we could consider including it in
`contrib.auth`, however, I think that most projects won't want a network
dependency for validating passwords. In that case, please make your
proposal on the DevelopersMailingList as it reaches a wider audience than
this ticket tracker.

--
Ticket URL: <https://code.djangoproject.com/ticket/30100#comment:1>

Django

May 21, 2019, 5:09:59 PM5/21/19
to django-...@googlegroups.com
#30100: Add a Validator that uses Troy Hunt's Have I been pwned Database to validate passwords.
------------------------------+--------------------------------------
Reporter: Logan | Owner: nobody
Type: New feature | Status: closed
Component: contrib.auth | Version: 2.2
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------

Comment (by Adam (Chainz) Johnson):

This is available in the pwned-passwords-django package by James Bennett:
https://pypi.org/project/pwned-passwords-django/ :)

--
Ticket URL: <https://code.djangoproject.com/ticket/30100#comment:2>
