Recently we implemented a "Forgot your password?" feature in one of our django sites and wanted to protect the mechanism so our users wouldn't get spammy messages from our servers. As much as we may hate it, forms in our sites usually act as spambots magnets. We need some kind of protection and CAPTCHAs usually do a good job.

There are cool tutorials like this one that can help you integrate django-auth views for password reset in your site. In his post we discuss how to add CAPTCHA protection to this mechanism. Our service of choice is reCAPTCHA because of its security and accessibility (plus their cool book digitalization efforts).

The first step is registering your site in recaptcha to get a key set, for this you will need a Google account (TIP: You can register localhost).

To connect to ReCAPTCHA from django we used django-recaptcha:

sudo easy_install django-recaptcha 

Now we have to add our keys to our settings file. Also, we have to add captcha to our INSTALLED_APPS:

# Captcha -
RECAPTCHA_PUBLIC_KEY = 'your public key here'
RECAPTCHA_PRIVATE_KEY = 'your private key here'

Adding captcha validation to any form is as easy as adding a line of code. In our password reset we used one of django's built-in forms, but that's not a big deal since we can just subclass it and add a ReCAPTCHA field:

    from django.contrib.auth.forms import PasswordResetForm
    from captcha.fields import ReCaptchaField    
    class PasswordResetReCaptchaForm(PasswordResetForm):
        captcha = ReCaptchaField(attrs={'theme' : 'clean'})

Notice that we added an attribute to tweak ReCAPTCHA's look. There are a lot of possible customizations nicely explained in the docs.

Finally we we have to tell our view to use our form and not the default one:

    url(r'^accounts/password/reset/$', 'django.contrib.auth.views.password_reset', name='password_reset',
        kwargs={'post_reset_redirect' : '/accounts/password/reset/done/', 'password_reset_form':PasswordResetReCaptchaForm}

Notice that, unless you specify it otherwise, this view will use the admin's password reset template located in registration/password_reset_form.html. Not a problem given you can create a registration folder in your templates directory and replace these templates with your own.

Now, once you finish you may obtain something like this:

Image and video hosting by TinyPic

Cool stuff!


  1. Phil
    Phil on 04/17/2012 2:42 p.m.
    Hi, thank you for the nice article. It would be very nice to know how to customize the user interface with theme:'custom' using django-recaptcha
  2. Jared Kerim
    Jared Kerim on 01/11/2013 4:42 p.m.
    Hey, this worked perfectly first try, thanks so much!
  3. Carlos
    Carlos on 05/04/2013 7:46 a.m.
    I have a website and have tried everything in the book, but csrf is completely useless, do you have any captcha solutions for my website. will aoppreciate it
  4. Terrel Shumway
    Terrel Shumway on 10/01/2013 9:02 a.m.
    This is probably a newbie issue, but the article didn't make it obvious what changes to make to the template. I guess I need to RTFM.
  5. Raghvendra Pateriya
    Raghvendra Pateriya on 12/02/2013 1:43 a.m.
    Hi, In my scenario is I have to build a website A, the user of site A is validate true another web site B.B is providing the captch to validate user.How i call the captch of another site. Please help me out. Thanks in Advance.
  6. Venta de Espirometros
    Venta de Espirometros on 10/16/2014 6:23 a.m.
    That is definitely actually amazing. Supply best wishes content publisher intended for accomplishing this. it will always be non-traditional content pieces.

Post your comment