author: Luke Plant <L.Plant.98@cantab.net> 2019-09-20 13:07:34 +0200
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2019-09-20 13:53:01 +0200
commit: 45304e444e0d780ceeb5fc03e6761569dfe17ab2 (patch)
tree: 65a82d29573de34fae0b8d57d1b7d227a2b73093 /docs/ref
parent: 226ebb17290b604ef29e82fb5c1fbac3594ac163 (diff)
Refs #28622 -- Clarified security implications of PASSWORD_RESET_TIMEOUT.
Diffstat (limited to 'docs/ref')
-rw-r--r--  docs/ref/settings.txt  10
1 file changed, 10 insertions, 0 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index fe103162ef..94b8bbcb94 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -2885,6 +2885,16 @@ The minimum number of seconds a password reset link is valid for.
Used by the :class:`~django.contrib.auth.views.PasswordResetConfirmView`.
+.. note::
+
+ Reducing the value of this timeout doesn't make difference to the ability of
+ an attacker to brute-force a password reset token. Tokens are designed to be
+ safe from brute-forcing without any timeout.
+
+ This timeout exists to protect against some unlikely attack scenarios, such
+ as someone gaining access to email archives that may contain old, unused
+ password reset tokens.
+
.. setting:: PASSWORD_RESET_TIMEOUT_DAYS
``PASSWORD_RESET_TIMEOUT_DAYS``
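Review bot: the first sentence of the added note is missing an article: "Reducing the value of this timeout doesn't make difference to the ability of" should read "doesn't make a difference to the ability of" (or, more directly, "makes no difference to an attacker's ability to brute-force a password reset token"). While touching that sentence, the second one ("Tokens are designed to be safe from brute-forcing without any timeout.") would be stronger if it said briefly why, so readers do not lower the timeout expecting a security gain; the second paragraph's example (old tokens in email archives) is the right kind of justification and could be referenced from the first.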