| author | Luke Plant <L.Plant.98@cantab.net> | 2019-09-20 13:07:34 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2019-09-20 13:53:01 +0200 |
| commit | 45304e444e0d780ceeb5fc03e6761569dfe17ab2 (patch) | |
| tree | 65a82d29573de34fae0b8d57d1b7d227a2b73093 /docs | |
| parent | 226ebb17290b604ef29e82fb5c1fbac3594ac163 (diff) | |
Refs #28622 -- Clarified security implications of PASSWORD_RESET_TIMEOUT.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/settings.txt | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index fe103162ef..94b8bbcb94 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2885,6 +2885,16 @@ The minimum number of seconds a password reset link is valid for. Used by the :class:`~django.contrib.auth.views.PasswordResetConfirmView`. +.. note:: + + Reducing the value of this timeout doesn't make difference to the ability of + an attacker to brute-force a password reset token. Tokens are designed to be + safe from brute-forcing without any timeout. + + This timeout exists to protect against some unlikely attack scenarios, such + as someone gaining access to email archives that may contain old, unused + password reset tokens. + .. setting:: PASSWORD_RESET_TIMEOUT_DAYS ``PASSWORD_RESET_TIMEOUT_DAYS`` |
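Review bot: the added note's first sentence is missing an article ("doesn't make difference to the ability" should read "doesn't make a difference to the ability of an attacker"), and since this text becomes the reference documentation for the setting it is worth fixing before merge. The second paragraph also reads more clearly if it states the bound the timeout does provide, e.g. "This timeout exists to limit how long a leaked but unused token remains valid, protecting against some unlikely attack scenarios, such as someone gaining access to email archives that may contain old password reset tokens." That keeps the substance of the note (the timeout is not a brute-force defence; it bounds the lifetime of an already-issued token) while making the distinction explicit for readers deciding how to tune the value.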
