Warning
Back-end and Front-end password validation with ZXCVBN.
A combination of pirandig’s django-zxcvbn and aj-may’s django-password-strength Django apps. It combines back-end and front-end validation with strength meter display.
Software licensed under ISC license.
pip install django-zxcvbn-password
The JavaScript code of this application uses jQuery, but jQuery is not bundled with it. Please install it separately. You might also want to use Bootstrap.
# settings.py
INSTALLED_APPS = [
    ...
    'zxcvbn_password',
    ...
]

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
    {
        'NAME': 'zxcvbn_password.ZXCVBNValidator',
        'OPTIONS': {
            'min_score': 3,
            'user_attributes': ('username', 'email', 'first_name', 'last_name')
        }
    }
]
# forms.py
from django import forms
from zxcvbn_password.fields import PasswordField, PasswordConfirmationField


class RegisterForm(forms.Form):
    password1 = PasswordField()
    # confirm_with names the field this one must match
    password2 = PasswordConfirmationField(confirm_with='password1')
# views.py
if form.is_valid():
    user = User.objects.create_user(
        username=...,
        password=form.cleaned_data['password1']
    )
By default, other inputs are not used to compute the score, but you can take them into account like this:
# forms.py
from django import forms
from zxcvbn_password import zxcvbn
from zxcvbn_password.fields import PasswordField, PasswordConfirmationField


class RegisterForm(forms.Form):
    password1 = PasswordField()
    password2 = PasswordConfirmationField(confirm_with='password1')

    def clean(self):
        password = self.cleaned_data.get('password1')
        # Values of the other form fields to penalize inside the password
        other_field1 = ...
        other_field2 = ...

        if password:
            score = zxcvbn(password, [other_field1, other_field2])['score']
            # score is between 0 and 4
            # raise forms.ValidationError if needed

        return self.cleaned_data
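The scoring step left as a comment in `clean()` above can be filled in as follows. This is an added example, not code from django-zxcvbn-password: `user_input_tokens`, `password_errors` and the `scorer` parameter are hypothetical names, and the default scorer assumes the zxcvbn-python package is installed. It also splits values such as an e-mail address into tokens, because zxcvbn matches each user input as a whole dictionary word.

```python
import re


def user_input_tokens(values):
    """Turn form values into zxcvbn user inputs (hypothetical helper).

    'alice@example.com' as a single entry only matches a password that
    contains the full address, so its alphanumeric parts are added too.
    """
    tokens = []
    for value in values:
        if not value:
            continue  # skip empty or missing fields
        value = str(value)
        for tok in [value] + re.split(r"[^A-Za-z0-9]+", value):
            tok = tok.lower()
            if len(tok) >= 3 and tok not in tokens:
                tokens.append(tok)
    return tokens


def password_errors(password, user_values, min_score=3, scorer=None):
    """Return error messages; an empty list means the password passes."""
    if scorer is None:
        # Assumption: zxcvbn-python is installed (pip install zxcvbn).
        from zxcvbn import zxcvbn as scorer
    result = scorer(password, user_inputs=user_input_tokens(user_values))
    if result["score"] >= min_score:
        return []
    feedback = result.get("feedback", {})
    errors = [f"Password too weak (score {result['score']}, need {min_score})."]
    if feedback.get("warning"):
        errors.append(feedback["warning"])
    errors.extend(feedback.get("suggestions", []))
    return errors
```

Inside `clean()`, call `password_errors(password, [other_field1, other_field2])` and raise `forms.ValidationError(errors)` when the returned list is not empty.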
zxcvbn-python supports custom frequency lists. You can specify your own in the validator by adding frequency_lists to its OPTIONS in AUTH_PASSWORD_VALIDATORS, where dutch_words is a list of strings:
# settings.py
AUTH_PASSWORD_VALIDATORS = [
    ...
    {
        'NAME': 'zxcvbn_password.ZXCVBNValidator',
        'OPTIONS': {
            'frequency_lists': {
                'dutch': dutch_words,
            }
        }
    }
]
Important
The password field's widget declares two JavaScript files that must be added to the HTML page.
To do so, add {{ form.media }} in your template, something like:
<form role="form" action="my_url" method="post">
    {% csrf_token %}
    {{ form }}
</form>

{% block js %}
    {{ block.super }}
    {{ form.media }}
{% endblock %}
Note
If you are not using Bootstrap, the strength bar will not have colors. You can fix this with these three CSS rules:
.progress-bar-warning {
    background-color: yellow;
}
.progress-bar-danger {
    background-color: red;
}
.progress-bar-success {
    background-color: green;
}
To run all the tests: tox
You should check out django-zxcvbn-password-validator for backend validation only, but with a good UX and translated messages.