{"id":24280,"library":"pwned-passwords-django","title":"Pwned Passwords Django","description":"A Django library to check passwords against the Have I Been Pwned Pwned Passwords database, either via k-Anonymity API or a local download of the hashed passwords. Version 5.2.0 requires Python >=3.9, compatible with Django 3.2+. It integrates seamlessly with Django's password validation framework and provides both online and offline modes.","status":"active","version":"5.2.0","language":"python","source_language":"en","source_url":"https://github.com/pawelad/pwned-passwords-django","tags":["django","security","passwords","pwned","hibp","validator"],"install":[{"cmd":"pip install pwned-passwords-django","lang":"bash","label":"Install from PyPI"}],"dependencies":[{"reason":"Core dependency; the library is a Django app.","package":"Django","optional":false},{"reason":"Used for k-Anonymity API calls when online mode is enabled.","package":"requests","optional":false}],"imports":[{"note":"The validator is used in Django's AUTH_PASSWORD_VALIDATORS setting.","symbol":"pwned_password_validator","correct":"from pwned_passwords_django.validators import pwned_password_validator"},{"note":"validate_password is not a top-level export; use the validator class.","wrong":"from pwned_passwords_django import validate_password","symbol":"validate_password","correct":"from pwned_passwords_django.validators import pwned_password_validator"}],"quickstart":{"code":"# Add to INSTALLED_APPS:\nINSTALLED_APPS = [\n    ...\n    'pwned_passwords_django',\n]\n\n# Add to AUTH_PASSWORD_VALIDATORS:\nAUTH_PASSWORD_VALIDATORS = [\n    ...\n    {\n        'NAME': 'pwned_passwords_django.validators.pwned_password_validator',\n    },\n]\n\n# Optional: configure settings in settings.py\nPWNED_PASSWORDS = {\n    'API_ENABLED': True,  # or False to use local database\n}","lang":"python","description":"Basic setup: add app to INSTALLED_APPS, add the validator, and optionally configure API vs local mode."},"warnings":[{"fix":"Use set_password() or User.objects.create_user() to ensure validation runs.","message":"The validator only works when the password is set via Django's set_password() which triggers validation. Direct assignment to the password field bypasses validation.","severity":"gotcha","affected_versions":"all"},{"fix":"Set PWNED_PASSWORDS['API_ENABLED'] = False and use a local database download for offline mode.","message":"If API_ENABLED is True (default), the validator makes an external API call to HIBP. This can cause performance issues in bulk operations or deny the service if misconfigured.","severity":"gotcha","affected_versions":"all"},{"fix":"Use the new package name: pip install pwned-passwords-django. Old import 'from pwned_passwords import ...' no longer works.","message":"In version 4.0.0, the package renamed from 'django-pwned-passwords' to 'pwned-passwords-django'. Import paths changed accordingly.","severity":"breaking","affected_versions":">=4.0.0"}],"env_vars":null,"last_verified":"2026-05-01T00:00:00.000Z","next_check":"2026-07-30T00:00:00.000Z","problems":[{"fix":"pip install pwned-passwords-django and use 'from pwned_passwords_django import ...'","cause":"The package was renamed from django-pwned-passwords to pwned-passwords-django. The old module name is no longer available.","error":"ModuleNotFoundError: No module named 'pwned_passwords'"},{"fix":"Use 'NAME': 'pwned_passwords_django.validators.pwned_password_validator' in the validator dictionary.","cause":"The validator is not added correctly to AUTH_PASSWORD_VALIDATORS. Common mistake: missing the full dotted path.","error":"pwned_password_validator is not a valid validator"},{"fix":"from pwned_passwords_django.validators import pwned_password_validator","cause":"The module does not export validate_password directly; it's inside validators module.","error":"AttributeError: module 'pwned_passwords_django' has no attribute 'validate_password'"}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}