I'm going to suggest you step back and consider whether the policies you want to implement are good policies. A good, solidly-researched set of recommendations is NIST SP800-63B:
https://pages.nist.gov/800-63-3/sp800-63b.html In particular, NIST suggests the following: * Do not use a policy which automatically "expires" passwords and forces users to change them periodically. Only force a password change when you have evidence that a password has been compromised. * Do not try to impose artificial "complexity" rules (like requiring a mix of uppercase/lowercase, numbers and symbols). * When a user changes their password, compare it against lists of known-compromised passwords. Forcing users to change their passwords on a set schedule just encourages them to choose weak passwords that are easy to remember. If you force me to change my password every three months, for example, here's what I'll do: * P@ssword!2019_1 * P@ssword!2019_2 * P@ssword!2019_3 * P@ssword!2019_4 These passwords are all different from each other, and they each contain at least one uppercase and one lowercase letter, at least one number and at least one symbol. They're also terrible passwords that would probably get cracked within minutes, if not seconds, by any good automated cracker. That's a year's worth of passwords, each of which is different from the last, each contains one -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAL13Cg9Xi7QdCCffqROi_FjLzKimtWYBR%3DusMxf6ihf_E6%3D-9A%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
