Merge pull request #594 from OpenTechFund/feature/572-use-pwnedpasswords-check

Make use of pwnedpasswords check and set min length to 12.

opentech/apply/templates/forms/includes/field.html

@@ -31,7 +31,7 @@
 
         {{ field }}
 
-        {% if field.errors %}<h6 class="form__error-text">{{ field.errors.as_text }}</h6>{% endif %}
+        {% if field.errors %}<h6 class="form__error-text">{{ field.errors.as_text|linebreaksbr }}</h6>{% endif %}
         <label for="{{ field.id_for_label }}"></label>
         {% if widget_type == 'date_input' or widget_type == 'date_time_input' %}
             </div>

opentech/settings/base.py

@@ -114,6 +114,7 @@ INSTALLED_APPS = [
     'addressfield',
     'django_bleach',
     'django_fsm',
+    'django_pwned_passwords',
 
     'hijack',
     'compat',
@@ -228,17 +229,17 @@ WAGTAILSEARCH_BACKENDS = {
 # https://docs.djangoproject.com/en/stable/ref/settings/#auth-password-validators
 
 AUTH_PASSWORD_VALIDATORS = [
-    {
-        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
-    },
     {
         'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+        'OPTIONS': {
+            'min_length': 12,
+        }
     },
     {
-        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
     },
     {
-        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+        'NAME': 'django_pwned_passwords.password_validation.PWNEDPasswordValidator',
     },
 ]
 

requirements.txt

@@ -31,6 +31,7 @@ django_select2==6.0.1
 dj-database-url==0.5.0
 django-basic-auth-ip-whitelist==0.2.1
 django-heroku==0.3.1
+django-pwned-passwords==2.0.0
 django-redis==4.9.0
 django-referrer-policy==1.0
 whitenoise==4.0