From 45304e444e0d780ceeb5fc03e6761569dfe17ab2 Mon Sep 17 00:00:00 2001 From: Luke Plant Date: Fri, 20 Sep 2019 13:07:34 +0200 Subject: [PATCH] Refs #28622 -- Clarified security implications of PASSWORD_RESET_TIMEOUT. --- docs/ref/settings.txt | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index fe103162ef..94b8bbcb94 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2885,6 +2885,16 @@ The minimum number of seconds a password reset link is valid for. Used by the :class:`~django.contrib.auth.views.PasswordResetConfirmView`. +.. note:: + + Reducing the value of this timeout doesn't make difference to the ability of + an attacker to brute-force a password reset token. Tokens are designed to be + safe from brute-forcing without any timeout. + + This timeout exists to protect against some unlikely attack scenarios, such + as someone gaining access to email archives that may contain old, unused + password reset tokens. + .. setting:: PASSWORD_RESET_TIMEOUT_DAYS ``PASSWORD_RESET_TIMEOUT_DAYS``
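Review bot: the added note's first sentence has a grammar slip: "doesn't make difference to the ability of an attacker" should read "doesn't make a difference to the ability of an attacker". While touching it, the second paragraph could state the rationale more precisely, since what the timeout actually bounds is how long an already-disclosed token stays usable, which is distinct from brute-force resistance; for example: "This timeout exists to limit the window during which a token that has been disclosed remains usable, for example when someone gains access to email archives that may contain old, unused password reset tokens."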