The django-user-accounts password expiration feature forces users to create a new password on a regular basis. This feature works for existing sites as well as new sites, and can be enabled or disabled whenever desired.
Enabling password expiration requires two steps:
- Enabling middleware
- Configuring a couple of settings
account.middleware.ExpiredPasswordMiddleware in MIDDLEWARE_CLASSES:
MIDDLEWARE_CLASSES = [ ... "account.middleware.ExpiredPasswordMiddleware", ... ]
For an authenticated user whose password is expired,
ExpiredPasswordMiddleware prevents retrieving or posting to any page except the password change and log out pages.
Note: If the user is “staff” (can access the Django admin site), password checking is skipped.
ACCOUNT_PASSWORD_USE_HISTORY = True ACCOUNT_PASSWORD_EXPIRY = 60*60*24*5 # number of seconds, this is five days
ACCOUNT_PASSWORD_USE_HISTORY is a boolean which enables or disables password expiration. In order to disable password expiration, simply set
ACCOUNT_PASSWORD_USE_HISTORY = False . No history will be generated and password expiration WILL NOT be checked.
ACCOUNT_PASSWORD_EXPIRY indicates the duration passwords will remain valid. After that period a password must be reset in order to view any page. This is a global setting for all users. If
ACCOUNT_PASSWORD_EXPIRY is zero (0) then passwords never expire.
Creating password history
For new users, nothing special is required except the settings and middleware shown above. A password history entry is automatically created as each new user is added to the system, and middleware will ensure a new password is created when the old password expires.
Existing users have no password history. In order for password expiration to work, each user must have a password history. django-user-accounts provides a management command,
user_password_history, which creates an initial password history for all users who don’t already have a password history
python manage.py user_password_history [-d <days>] [--force]
-d <days>- optional, sets the age of the current password. Password age defaults to ten days ago if not specified.
--force- optional, forces a new password history for all users, regardless of previous history.
User-specific password expiry
Typically password expiration duration is the same for all users, as specified by setting
ACCOUNT_PASSWORD_EXPIRY. However, django-user-accounts includes a management command which sets a user-specific password expiration duration. User-specific values override the global
ACCOUNT_PASSWORD_EXPIRY for these users. Technically, password expiration middleware first tries to find a user-specific password expiry value. If no user-specific password expiry exists, middleware uses the global expiration value
python manage.py user_password_expiry username [username] [--expire <days>]
<username> [<username>]- required, username(s) of the user(s) who needs specific password expiry.
--expire <seconds>- optional, sets the number of seconds for password expiration. Default expiration value is the current global
Other Uses for Password History
Password history entries are saved forever, unless deleted manually. This allows checking password history when a user chooses a new password. For instance, you may want users to never re-use an old password. Password history gives you this opportunity. Obtain old entries with standard Django object manager calls:
from account.models import PasswordHistory user_password_history = user.password_history_set.all()