PCI-compliant authentication application for Django 1.4+. Uses "best of" existing libraries then fills in the gaps.
Django 1.4+ only
This application integrates the current Django “best of” PCI auth libraries into a single application, then fills in the gaps. Filling gaps may involve making additional decisions for you, as suggested by the Django documentation, e.g.:
https://docs.djangoproject.com/en/1.4/topics/auth/#using-bcrypt-with-django
https://docs.djangoproject.com/en/1.4/topics/auth/#increasing-the-work-factor
https://docs.djangoproject.com/en/1.4/topics/http/sessions/#session-cookie-age
Or in some cases, additional functionality may be provided by this package e.g.:
XXX Add example
Features
XXX Done
Stronger password hashing that allows for selection of hashing algorithm scrypt, bcrypt, PBKDF2, etc. via settings.py. [1]
Checking for strong passwords with a default length setting overridable in settings.py. [2]
Integrate strong passwords into Django Admin.
Lock out account for n minutes after x failed log-in attempts. [3]
Set inactivity timeouts.
XXX Not done
Set flags disallowing certain accounts to be locked out.
Generate event/email when lock-out occurs.
Log every log-on and explicit log-out (not necessarily timed-out log-ins).
XXX I assume these need to persist beyond a restart
Track last four passwords and do not allow re-use.
XXX I assume these need to persist beyond a restart
Provide JavaScript to check for strong passwords inline.
XXX I assume the JavaScript code should check the Django settings via AJAX re: password length min/max, etc.
Force password reset after X amount of time.
XXX I assume these need to persist beyond a restart
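The lock-out feature [3] above, and the "never lock out this account" flag from the not-done list, as an added illustration; this is not the package's own code. The setting names MAX_FAILED_ATTEMPTS and LOCKOUT_MINUTES, the class and the exempt list are assumptions, and the in-memory dictionaries stand in for the persistent storage a real deployment needs.

```python
# Added illustration of the lock-out feature, not the package's own code.
# Times are Unix timestamps in seconds, as returned by time.time().
MAX_FAILED_ATTEMPTS = 3   # assumed setting names; the app reads settings.py
LOCKOUT_MINUTES = 15

class LoginAttemptTracker(object):
    """In-memory tracker. A deployment must persist this state (e.g. a DB
    row per user) so counters and locks survive a process restart."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_minutes=LOCKOUT_MINUTES, exempt=()):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_minutes * 60
        self.exempt = set(exempt)   # usernames that must never be locked out
        self.failures = {}          # username -> consecutive failed attempts
        self.locked_until = {}      # username -> timestamp when lock expires

    def is_locked(self, username, now):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if now >= until:            # lock expired: clear lock and counter
            del self.locked_until[username]
            self.failures.pop(username, None)
            return False
        return True

    def record_failure(self, username, now):
        """Count a failed log-in; return True if it triggered a lock-out."""
        if username in self.exempt:
            return False
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_attempts:
            self.locked_until[username] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, username):
        self.failures.pop(username, None)   # a good log-in resets the count

def attempt_login(tracker, username, password_ok, now):
    """Gate a log-in; a locked account is rejected before any password check."""
    if tracker.is_locked(username, now):
        return "locked"
    if password_ok:
        tracker.record_success(username)
        return "ok"
    tracker.record_failure(username, now)
    return "failed"
```

Note that a correct password submitted during the lock-out window still returns "locked", which is the behaviour that makes the feature useful against password guessing.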
Background
PCI is complex. Here is a bit of background on the subject, inasmuch as it’s possible to summarize it here.
Levels
XXX Do we need to worry about levels?
PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)
PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
PCI Compliance Level 4 - Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
Via: http://www.elementps.com/merchants/pci-dss/compliance-level/
Libraries
A list of libraries included:
Articles
A list of relevant articles:
Settings
Stronger password hashing
This is a built-in feature in Django 1.4+. Documented here for convenience:
    PASSWORD_HASHERS = (
        # From https://docs.djangoproject.com/en/1.4/topics/auth/:
        # "[redacted] This means that Django will use the first hash in the list
        # to store all passwords, but will support checking passwords stored with
        # the rest of the hashes in the list. If you remove a hash from the list
        # it will no longer be supported."
        'django.contrib.auth.hashers.PBKDF2PasswordHasher',
        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
        'django.contrib.auth.hashers.BCryptPasswordHasher',
        'django.contrib.auth.hashers.SHA1PasswordHasher',
        'django.contrib.auth.hashers.MD5PasswordHasher',
        'django.contrib.auth.hashers.CryptPasswordHasher',
    )
Screenshots
Overview of features
Password length enforcement
Failed login attempts log
License
This software is licensed under the same BSD license that Django is licensed under. See: LICENSE.