Educational Python CLI tool that evaluates passwords against a configurable policy. It focuses on how password rules are enforced in real systems (length checks, composition rules, weak-password blocklists), and provides clear, structured feedback when a password fails validation.
This project is for learning and demo purposes — it is not a full authentication system.
- Minimum and maximum length checks
- Optional character requirements (upper/lower/digit/symbol)
- Detects weak passwords using a local blocklist
- Optional breach check via HIBP (k-anonymity range API)
- Context checks (prevents passwords containing username/company words)
- Clear error messages + suggestions
- TOML-based policy configuration
This project demonstrates:
- Password policy enforcement (server-side validation)
- Authentication hardening
- Preventing weak/common credentials
- Safer input handling (e.g., using hidden input in CLI)
- Understanding tradeoffs: modern “length-first” policies vs legacy composition rules
Project layout:

```text
sec-password-policy-analyzer/
├─ password_policy_analyzer/
│  ├─ __init__.py
│  ├─ __main__.py
│  ├─ cli.py
│  ├─ analyzer.py
│  ├─ policy.py
│  ├─ config.py
│  └─ weak_passwords.py
├─ data/
│  └─ common_passwords_sample.txt
├─ examples/
│  └─ policy.example.toml
└─ tests/
   └─ test_analyzer.py
```
Install the package in editable mode:

```bash
pip install -e .
```

Then run:

```bash
password-policy-analyzer
```

or, equivalently:

```bash
python -m password_policy_analyzer
```

The tool will prompt for a password using hidden input (it won't show what you type).

With a policy file, with context words, or with the password read from stdin:

```bash
password-policy-analyzer --config examples/policy.example.toml
password-policy-analyzer --config examples/policy.example.toml --context daniil --context pecs
echo "SomePasswordHere" | password-policy-analyzer --password-stdin
```

Warning: stdin/password piping can leak secrets into shell history/logs. Use only for testing.
If the password fails:

```text
❌ Password is NOT compliant.

Violations:
- [length_too_short] Password must be at least 12 characters.
  ↳ Long passphrases are usually easier to remember and harder to guess.

Suggestions:
- Consider using a longer passphrase (14+ characters) for better security.
- Use unique passwords per site (a password manager helps).
```
Example: examples/policy.example.toml

```toml
[policy]
min_length = 12
max_length = 128
require_upper = false
require_lower = false
require_digit = false
require_symbol = false
allow_spaces = true
allow_unicode = true
normalize_unicode_nfc = false
local_blocklist_path = "data/common_passwords_sample.txt"
check_pwned_passwords = false
forbid_context_words = true
```

- Composition rules are optional and disabled by default (many modern policies prefer length + blocklist).
- The blocklist sample is intentionally small; you can replace it with a larger list.
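As an added illustration (not code from this project) of the k-anonymity range check behind `check_pwned_passwords`: only the first five hex characters of the password's SHA-1 leave the machine, and the remaining suffix is matched locally against the returned `SUFFIX:COUNT` lines. The offline breach corpus, its counts and the User-Agent string below are constructed for the demo; the live fetcher is included but not exercised.

```python
import hashlib
from collections import defaultdict
from typing import Callable
from urllib.request import Request, urlopen

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split uppercase hex SHA-1 into the 5-char prefix sent to the API and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries carry count 0 and therefore never count as a hit."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = never seen); reject when > 0."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    """Real network fetch (not used by the offline demo); only the 5-char prefix is transmitted."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "password-policy-analyzer-demo",  # constructed name
                           "Add-Padding": "true"})  # ask the API to pad responses to a uniform size
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in for the API: a tiny breach corpus with made-up counts, grouped by prefix.
_CORPUS = {"password": 3_700_000, "123456": 37_000_000, "qwerty": 3_900_000}
_BY_PREFIX: dict[str, list[str]] = defaultdict(list)
for _pw, _n in _CORPUS.items():
    _p, _s = sha1_prefix_suffix(_pw)
    _BY_PREFIX[_p].append(f"{_s}:{_n}")

def fake_fetch_range(prefix: str) -> str:
    """Emulates a padded range response: matching corpus entries plus one zero-count filler line."""
    return "\r\n".join(_BY_PREFIX.get(prefix, []) + ["0" * 35 + ":0"])

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_fetch_range)} times")
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real service; a network failure should be treated as "check unavailable", not as "password is safe".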
Exit codes, designed for automation / CI:

- 0: Password is compliant
- 2: At least one policy violation found
Run the tests:

```bash
pip install pytest
pytest
```

Notes:

- This tool does not manage users, login sessions, hashing, or authentication storage.
- The breach check depends on network availability and is optional.
- Detection rules are intentionally transparent for learning (not for adversarial environments).
- Many real systems reject weak passwords at creation time to reduce account takeover risk.
- This tool demonstrates common policy checks and their tradeoffs (length-first vs strict composition rules).
Development setup (lint, format, test with coverage):

```bash
pip install -e . pytest pytest-cov ruff
ruff check .
ruff format .
pytest --cov=password_policy_analyzer --cov-report=term-missing
```