Make use of pwnedpasswords check and set min length to 12.

ad2ae5b4 · Fredrik Jonsson · 826c9527 · ad2ae5b4 · ad2ae5b4
Commit ad2ae5b4 authored 6 years ago by Fredrik Jonsson
--- a/opentech/settings/base.py
+++ b/opentech/settings/base.py
@@ -128,6 +128,7 @@ INSTALLED_APPS = [
    'django.contrib.staticfiles',
    'django.contrib.sitemaps',
    'django.forms',
+    'django_pwnedpasswords_validator',
 ]

 MIDDLEWARE = [
@@ -228,17 +229,17 @@ WAGTAILSEARCH_BACKENDS = {
 # https://docs.djangoproject.com/en/stable/ref/settings/#auth-password-validators

 AUTH_PASSWORD_VALIDATORS = [
-    {
-        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
-    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+        'OPTIONS': {
+            'min_length': 12,
+        }
    },
    {
-        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
-        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+        'NAME': 'django_pwnedpasswords_validator.validation.PwnedPasswordValidator',
    },
 ]


--- a/requirements.txt
+++ b/requirements.txt
@@ -31,6 +31,7 @@ django_select2==6.0.1
 dj-database-url==0.5.0
 django-basic-auth-ip-whitelist==0.2.1
 django-heroku==0.3.1
+django-pwnedpasswords-validator==1.0.1
 django-redis==4.9.0
 django-referrer-policy==1.0
 whitenoise==4.0