id: 26909
summary: Allow UserAttributeSimilarityValidator to validate against properties
reporter: Kieren Pitts
owner: Andrew Nester
type: Cleanup/optimization
status: closed
component: contrib.auth
version: 1.9
severity: Normal
resolution: fixed
keywords:
cc:
stage: Accepted
has_patch: 1
needs_docs: 0
needs_tests: 0
needs_better_patch: 1
easy: 0
ui_ux: 0

description:

The UserAttributeSimilarityValidator class (in contrib/auth/password_validation.py) has a hard-coded reference to 'username' in it:

DEFAULT_USER_ATTRIBUTES = ('username', 'first_name', 'last_name', 'email')

These attributes are looped through to check new passwords for similarity with existing information on the user. However, if you use a custom user model then you may not have a 'username' (especially if using 'email' as the username), and this then results in an error on line 147 when resetting passwords (using a password that is similar to, say, the email):

verbose_name = force_text(user._meta.get_field(attribute_name).verbose_name)

In some cases you can use built-in auth forms with a custom user model. These use cases have some restrictions and are outlined in the docs here: https://docs.djangoproject.com/en/1.9/topics/auth/customizing/#custom-users-and-the-built-in-auth-forms

However, given the hard-coded attributes in the UserAttributeSimilarityValidator class, the below statement from the above page is not correct, because the missing 'username' field causes an error and using a property does not work with _meta.get_field:

"PasswordResetForm: Assumes that the user model has a field named email that can be used to identify the user and a boolean field named is_active to prevent password resets for inactive users."

This issue only comes to light if the password is similar to the data in one of the other fields (i.e. the SequenceMatcher check suggests they are similar). For example, if you have a custom user model using 'email' as the username field and a user with a username of 'somespecialname@example.com' tries to set a password of 'somespecialname'.

It's not clear if the problem is with the code, which shouldn't have the hard-coded values (perhaps they could be overridden by a setting instead), or if it's a mistake/omission in the docs. Apologies if I've missed something obvious here.
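The failure the ticket describes, reproduced without Django, as an added example (not Django's code and not the reporter's): the validator's matching loop is re-implemented with difflib, and FieldDoesNotExist, _Meta and EmailUser are constructed stand-ins for a custom user whose 'username' is a property rather than a field. The tolerate_properties switch shows one defensive fallback (catch the failed field lookup and label the match by attribute name) next to the 1.9 behaviour.

```python
import difflib
import re
from types import SimpleNamespace

class FieldDoesNotExist(Exception):
    pass  # stand-in for django.core.exceptions.FieldDoesNotExist (no Django required)

class _Meta:  # minimal stand-in for Model._meta: get_field() knows concrete fields only
    def __init__(self, verbose_names):
        self.verbose_names = verbose_names
    def get_field(self, name):
        if name not in self.verbose_names:
            raise FieldDoesNotExist(name)
        return SimpleNamespace(verbose_name=self.verbose_names[name])

class EmailUser:  # constructed custom user: email identifies the user, 'username' is a property
    def __init__(self, email, first_name="", last_name=""):
        self.email, self.first_name, self.last_name = email, first_name, last_name
        self._meta = _Meta({"email": "email address", "first_name": "first name", "last_name": "last name"})
    @property
    def username(self):
        return self.email

DEFAULT_USER_ATTRIBUTES = ("username", "first_name", "last_name", "email")
def similar_attributes(user, password, attributes=DEFAULT_USER_ATTRIBUTES, max_similarity=0.7, tolerate_properties=True):
    """Labels of attributes the password is too similar to (the validator's rule: split on
    non-word chars, compare with SequenceMatcher). tolerate_properties=False reproduces the ticket."""
    hits = []
    for attribute_name in attributes:
        value = getattr(user, attribute_name, None)
        if not value or not isinstance(value, str):
            continue
        for part in re.split(r"\W+", value) + [value]:
            if difflib.SequenceMatcher(a=password.lower(), b=part.lower()).quick_ratio() > max_similarity:
                try:
                    label = user._meta.get_field(attribute_name).verbose_name
                except FieldDoesNotExist:
                    if not tolerate_properties:
                        raise  # the 1.9 behaviour the ticket describes
                    label = attribute_name  # properties have no field: label by attribute name
                hits.append(label)
                break
    return hits

def fails_on_property(user, password):  # True when the field-only lookup raises: the ticket's bug
    try:
        similar_attributes(user, password, tolerate_properties=False)
        return False
    except FieldDoesNotExist:
        return True
```

With the ticket's own data (email 'somespecialname@example.com', password 'somespecialname') the field-only lookup raises on the 'username' property, while the fallback reports both 'username' and 'email address' as too similar.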