
pwned-passwords-django's Introduction


pwned-passwords-django provides helpers for working with the Pwned Passwords database from Have I Been Pwned in Django-powered sites. Pwned Passwords is an extremely large database of passwords known to have been compromised through data breaches, and is useful as a tool for rejecting common or weak passwords.

There are three main components to this application:

All three use a secure, anonymized API which never transmits any password or its full hash to any third party.

Usage

The recommended configuration is to enable both the validator and the automatic password-checking middleware. To do this, make the following changes to your Django settings.

First, add the validator to your AUTH_PASSWORD_VALIDATORS list:

AUTH_PASSWORD_VALIDATORS = [
    # ... other password validators ...
    {
        "NAME": "pwned_passwords_django.validators.PwnedPasswordsValidator",
    },
]

Then, add the middleware to your MIDDLEWARE list:

MIDDLEWARE = [
    # ... other middleware ...
    "pwned_passwords_django.middleware.pwned_passwords_middleware",
]

For more details, consult the full documentation.
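The "anonymized API" mentioned above is the Pwned Passwords range lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every known hash suffix in that range with its breach count, and does the comparison locally. The example below is added here and is not the project's own code; it implements that lookup stand-alone, with a tolerant parser that survives the two failure modes reported in the issues further down (an HTML error page instead of a range response, and comma-grouped counts such as "3,237") and a timeout on the request. The endpoint URL is the public one; the User-Agent string, the function names and the sample response body are assumptions constructed for the example.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumed values for this example: the public range endpoint and a descriptive
# User-Agent (the API's acceptable-use policy asks that it identify the consumer).
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"
USER_AGENT = "example-site password checker (https://example.invalid)"

# Constructed sample range response (CRLF-separated, as the API returns it).
# The first line is the suffix of SHA-1("password") with a comma-grouped count,
# the format that made a naive int() call fail in the reported issue.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3,237\r\n"
    "1E4D7B0C6F5B9E0E8A5E0B2F8A3C9D1E0F2:1\r\n"
    "\r\n"
)
# Constructed stand-in for the HTML document the API returned during its hiccup.
SAMPLE_HTML_ERROR = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">\n<html>...</html>'

HEX_DIGITS = frozenset("0123456789ABCDEF")
Fetcher = Callable[[str], Tuple[int, str]]


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Optional[Dict[str, int]]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Returns None when the body is not a well-formed range response (for example
    an HTML error page), so callers can tell 'not found' apart from 'lookup
    unusable'. Counts may be comma-grouped ("3,237")."""
    results: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        suffix = suffix.strip().upper()
        count = count.strip().replace(",", "")
        if not sep or len(suffix) != 35 or not set(suffix) <= HEX_DIGITS or not count.isdigit():
            return None
        results[suffix] = int(count)
    return results


def fetch_range_http(prefix: str, timeout: float = 2.0) -> Tuple[int, str]:
    """Fetch one range over HTTPS with an explicit timeout (needs network access;
    the offline demo below uses the fake fetchers instead)."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix), headers={"User-Agent": USER_AGENT}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""


def breach_count(password: str, fetch_range: Fetcher = fetch_range_http) -> Optional[int]:
    """Return how many breaches the password appears in, 0 if none, or None if
    the lookup could not be completed (timeout, non-200 status, bad body).
    Only the 5-character hash prefix ever leaves this host."""
    prefix, suffix = sha1_prefix_suffix(password)
    try:
        status, body = fetch_range(prefix)
    except (OSError, ValueError):  # socket timeout, DNS failure, URL errors
        return None
    if status != 200:
        return None
    parsed = parse_range_response(body)
    if parsed is None:
        return None
    return parsed.get(suffix, 0)


def fake_fetch_range(prefix: str) -> Tuple[int, str]:
    """Offline stand-in for the API: serves the constructed sample for the
    prefix of "password" and an empty range for everything else."""
    return 200, (SAMPLE_RANGE_BODY if prefix == "5BAA6" else "")


def broken_fetch_range(prefix: str) -> Tuple[int, str]:
    """Simulates the reported API hiccup: HTML instead of a range listing."""
    return 200, SAMPLE_HTML_ERROR


if __name__ == "__main__":
    print(breach_count("password", fake_fetch_range))                  # 3237
    print(breach_count("some-unique-passphrase-42", fake_fetch_range))  # 0
    print(breach_count("password", broken_fetch_range))                # None
```

A validator built on this would reject a password when `breach_count` returns a positive number and has to decide separately what to do with `None`: the issue below argues for failing open (skip the check rather than crash the request), which keeps the site usable during an API outage at the cost of letting a breached password through for that one request; logging every `None` makes such outages visible.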

pwned-passwords-django's People

Contributors

davidcain, jdufresne, mic159, stevenmapes, ubernostrum


pwned-passwords-django's Issues

validators.py HELP_MESSAGE can be improved

12 +    HELP_MESSAGE = _("Your password can't be one which has been previously breached.")
12 -    HELP_MESSAGE = _("Your password can't be a commonly used password.")

By the way, fabulous software. Love it. Thank you :)

ValueError: invalid literal for int() with base 10: '//www.w3.org/TR/html4/strict.dtd">'

I'm using the following version, under Python 3.5:
pwned-passwords-django==1.1
django==1.11.13

Our prod monitoring just came through with the above error when we tried to verify someone's password, and the API came back with an HTML document starting with <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">, which made the password validator crash.

I cannot see the rest, but it looks like there was a small issue with the API at the time. I just retried the request manually, and the response is fine now.

Can I suggest making the password validator a bit more resilient to API failures? If we fail to parse the response body, or if the response status code isn't 200, something went wrong and we should disable this validator.

Drop support for Python 3.7 and update minimum httpx

Since Python 3.7 is EOL, and has been for a few months, I think it's worth dropping support for it from this project and updating httpx to the latest version, 0.25, which also drops Python 3.7 and includes new additions and bug fixes. Hopefully httpx will also be updated soon to support Python 3.12 and httpcore version 1.0.0.

Homepage link in pypi 404

The github/homepage link in pypi hits a 404 because the project name is incorrect.

url='http://github.com/ubernostrum/django-pwned-passwords/',

Wrong: http://github.com/ubernostrum/django-pwned-passwords/
Correct: https://github.com/ubernostrum/pwned-passwords-django/

Please consider fixing the link, and pointing to https, not http :)

Side note: maybe you could also consider updating the README to include a link to PyPI? Or a basic pip install line to help people go from GitHub -> PyPI.

Add support for Django 3.1

Django 3.1 RC1 has been released. In advance of the release itself, it would be good to be able to test with the RC1.

I'll cut a branch for it and submit a PR.

Acceptable use policy - User Agent

I think the user-agent needs to be more specific than python-requests/{version} to comply with the acceptable use policy of the API.

Specifically:

Things that are not awesome include:

  • Not properly identifying the user agent such that it accurately describes the consumer of the API

See: https://haveibeenpwned.com/API/v2#UserAgent
See: https://haveibeenpwned.com/API/v2#AcceptableUse

I propose setting it to something like:
Django pwned password validator (https://github.com/ubernostrum/pwned-passwords-django)

It would be even more awesome if you can override it with a setting in the OPTIONS dictionary like in #5
That way people can set it to the name of their website, as they are the actual consumers of the API.

invalid literal for int() with base 10

I hit an issue this morning when testing offline when the value for "times" is more than 999, e.g. 3237 as times returns as 3,237.

/site-packages/pwned_passwords_django/api.py, line 46, in _get_pwned

results[line_suffix] = int(times)

Make the request timeout configurable

We're consistently hitting the request timeout in production. Troy Hunt is investigating on his end why some of the requests are so slow - but it'd be useful to us if we could configure the request timeout for situations like this.


Create 1.3.3 / 1.4 release

Hi there - it looks like pwned-passwords-django is now Django 3.0 compatible - is there any chance of an update to PyPI?

(sorry to badger, appreciate you may have other things going on)
