Django provides a secure and robust authentication system. Password hashing, changing passwords, and resetting forgotten passwords are handled using built-in utilities that follow industry best practices.
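Django's django.contrib.auth module hashes passwords before they are stored in the database, provided they are set through create_user() or set_password(); a value assigned directly to the password field is stored as-is.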
# Create a user with automatic password hashing
from django.contrib.auth.models import User
# Literal credentials are for illustration only. create_user() hashes the
# password, but it does not run the AUTH_PASSWORD_VALIDATORS strength checks;
# call django.contrib.auth.password_validation.validate_password() first when
# the value comes from user input.
user = User.objects.create_user(
    username='john_doe',
    password='password123',
)
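Authenticated users can change their passwords with the set_password() method, which hashes the new value before it is saved; checking the current password and enforcing strength rules is left to the form that collects the input (for example PasswordChangeForm).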
# Change password and keep user logged in
from django.contrib.auth import update_session_auth_hash
# Assumes the enclosing view is login-protected (e.g. @login_required);
# otherwise request.user may be an AnonymousUser -- confirm in the caller.
user = request.user
# set_password() only hashes and assigns the new value. It neither checks the
# current password nor runs AUTH_PASSWORD_VALIDATORS, so in a real view the
# new password should come from a validated form such as PasswordChangeForm
# rather than a literal.
user.set_password('new_password123')
# set_password() does not persist anything; save() writes the new hash.
user.save()
# A password change alters the session auth hash. Refreshing it here keeps
# this session logged in; sessions still carrying the old hash stop validating.
update_session_auth_hash(request, user)
Django includes a full password reset workflow using email-based verification.
# Send password reset email
from django.contrib.auth.forms import PasswordResetForm
from django.shortcuts import render, redirect
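def password_reset_view(request):
    """Show the password-reset request form and send the reset e-mail.

    On a valid POST the form is saved (which sends the e-mail) and the user
    is redirected to 'password_reset_done'. The redirect is issued for any
    well-formed address, while PasswordResetForm only mails accounts that
    match, so the response does not reveal which e-mails are registered.
    Every other request renders the form, including its validation errors.

    NOTE(review): nothing here limits how often a reset can be requested;
    add throttling at the view or proxy layer if that matters for the site.
    """
    form = PasswordResetForm(request.POST or None)
    if request.method == 'POST' and form.is_valid():
        # save() defaults to use_https=False, which would put an http:// link
        # in the e-mail even when the site is served over TLS. Mirror the
        # scheme of the current request, as Django's PasswordResetView does.
        # The link's domain is derived from the request/site configuration,
        # so ALLOWED_HOSTS should stay restrictive.
        form.save(request=request, use_https=request.is_secure())
        return redirect('password_reset_done')
    return render(request, 'password_reset.html', {'form': form})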
# Confirm and set new password
from django.contrib.auth.forms import SetPasswordForm
from django.shortcuts import render, redirect
def password_reset_confirm_view(request, user):
    """Let *user* choose a new password through SetPasswordForm.

    A valid POST saves the new password and redirects to
    'password_reset_complete'; anything else renders the form again.
    SetPasswordForm checks that both entries match and applies the
    configured password validators before saving.

    NOTE(review): this function performs no reset-token check and does not
    show how `user` is resolved. The caller must only pass a user obtained
    from a validated uid/token pair (e.g. via
    default_token_generator.check_token), as Django's built-in
    PasswordResetConfirmView does -- confirm at the call site.
    """
    form = SetPasswordForm(user, request.POST or None)
    accepted = request.method == 'POST' and form.is_valid()
    if not accepted:
        return render(request, 'password_reset_confirm.html', {'form': form})
    form.save()
    return redirect('password_reset_complete')
Password reset flow: User → Email Reset Link → Token Validation → New Password → Login
Type a password below to see what Django actually stores in the database.
algorithm$iterations$salt$hash