
How to Secure Django Password Reset with reCAPTCHA

Keerthana Baskar on April 24, 2025

In one of our projects, we initially used Mailjet to handle email delivery. Everything worked fine until we suddenly stopped receiving password reset emails.

After looking into the issue, I found the root cause: bots were hammering the password reset form. Each automated request triggered a reset email, which flooded the email system and made delivery unreliable for real users. The form was Django's default password reset form, with no CAPTCHA and nothing else to tell a bot from a person.

Integrating Google reCAPTCHA into your Django password reset form is an effective way to stop most automated abuse of that endpoint. It raises the cost of each request rather than making abuse impossible, so treat it as one layer: django-allauth also ships per-IP rate limiting for the reset view (configured through ACCOUNT_RATE_LIMITS), and the two together are what stopped the flood in our case.

Install Required Packages

You need django-allauth and a reCAPTCHA package like django-recaptcha. Start by installing them:

pip install django-allauth
pip install django-recaptcha

Note: I use django-allauth because it gives better control over account-related forms.

Version note: this guide uses the Django app name and import path captcha, which is what django-recaptcha 3.x exposes. From django-recaptcha 4.0 the app was renamed to django_recaptcha, so if you install a current release substitute django_recaptcha for captcha in INSTALLED_APPS and in the imports below.

Configure Installed Apps and Middleware

In your settings.py, add the following to INSTALLED_APPS:

INSTALLED_APPS = [
    ...
    'allauth',
    'allauth.account',
    'captcha',
]

And make sure you add the required middleware:

MIDDLEWARE = [
    ...
    'allauth.account.middleware.AccountMiddleware',
]

Create a Custom Password Reset Form with reCAPTCHA

Folder structure for forms.py

<app_name>/
├── migrations/
│   └── __init__.py
├── __init__.py
├── admin.py
├── apps.py
├── forms.py  <-- Paste the below code here
├── models.py
├── tests.py
├── urls.py
├── views.py

Inside your app, create a forms.py file (or edit it if it already exists):

from allauth.account.forms import ResetPasswordForm
from captcha.fields import ReCaptchaField
from captcha.widgets import ReCaptchaV2Checkbox


class MyPasswordResetForm(ResetPasswordForm):
    # ReCaptchaField validates the submitted token server-side against
    # Google's siteverify endpoint using RECAPTCHA_PRIVATE_KEY. A missing,
    # expired or forged token raises a ValidationError, so allauth never
    # gets as far as sending the reset email.
    captcha = ReCaptchaField(widget=ReCaptchaV2Checkbox)

The original version of this snippet imported ReCaptchaV2Checkbox without using it; passing it as the widget makes the checkbox explicit (it is also django-recaptcha's default). allauth's stock account/password_reset.html template renders every field of the form, so the checkbox and its script tag appear without template changes. If you override that template, make sure it renders the captcha field and its errors, for example through {{ form.as_p }} or {{ form.captcha }}, otherwise every submission fails validation.

Update Allauth Settings

In settings.py, add

ACCOUNT_FORMS = {
    'reset_password': 'yourapp.forms.MyPasswordResetForm',
}

Replace yourapp with the actual name of your Django app.

Add reCAPTCHA Keys to Your Settings

Register for reCAPTCHA v2 ("I'm not a robot" checkbox) keys at Google reCAPTCHA, with your production hostnames listed for the site key, and add them to your settings.py:

RECAPTCHA_PUBLIC_KEY = 'your-public-key'
RECAPTCHA_PRIVATE_KEY = 'your-private-key'

The public key is embedded in the page and is not secret; the private key authenticates your server to Google's verification endpoint and should be loaded from an environment variable or a secrets store rather than committed to the repository. django-recaptcha raises a system-check warning if you leave its built-in test keys in place, which is a useful reminder that the test keys accept every submission.
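As an added, stand-alone example (not code from the post, from django-recaptcha or from allauth), the module below reproduces the server-side half of what ReCaptchaField does once the steps above are in place: the token posted by the checkbox widget is sent to Google's siteverify endpoint together with RECAPTCHA_PRIVATE_KEY, and the reply decides whether the reset email goes out. It adds the two checks a practitioner wants beyond success/failure, the hostname and the age of the solved challenge, and fails closed when the verifier is unreachable. ALLOWED_HOSTNAMES, the 'test-secret' key, the client IP and every reply in SAMPLE_REPLIES are constructed assumptions so that the module runs offline.

```python
"""Server-side reCAPTCHA v2 token verification, shown stand-alone.

Added illustration, not django-recaptcha's or allauth's own code. It mirrors
the check ReCaptchaField performs during form validation: POST the submitted
token plus the private (secret) key to Google's siteverify endpoint and
inspect the JSON reply. The HTTP transport is injectable so the module runs
offline; every reply in SAMPLE_REPLIES is constructed sample data.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Hostnames registered for the site key in the reCAPTCHA admin console
# (assumed values for this example).
ALLOWED_HOSTNAMES = {"example.com", "www.example.com"}

# Google expires a v2 token two minutes after the challenge is solved; a
# token near that limit is worth treating as suspicious on its own.
MAX_TOKEN_AGE = timedelta(minutes=2)


def google_siteverify(secret, token, remote_ip):
    """Real transport: form-encoded POST to siteverify, JSON reply as a dict."""
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def verify_recaptcha(token, secret, remote_ip=None,
                     transport=google_siteverify, now=None):
    """Return (accepted, reason) for one submitted g-recaptcha-response token.

    Fails closed: a missing token, an unreachable verifier, any error code,
    a hostname outside ALLOWED_HOSTNAMES or an old challenge all reject.
    """
    if not token:
        return False, "missing-input-response"
    try:
        reply = transport(secret, token, remote_ip)
    except Exception as exc:  # DNS/TLS/timeout: never "pass" on failure
        return False, "siteverify-unreachable:" + type(exc).__name__
    if not reply.get("success"):
        return False, ",".join(reply.get("error-codes") or ["unknown"])
    hostname = reply.get("hostname")
    if hostname not in ALLOWED_HOSTNAMES:
        # With domain verification switched off in the admin console, a token
        # solved on someone else's page with your public key still comes back
        # success=True; the hostname field is what exposes that.
        return False, "hostname-mismatch:" + str(hostname)
    challenge_ts = reply.get("challenge_ts")
    if challenge_ts:
        solved_at = datetime.fromisoformat(challenge_ts.replace("Z", "+00:00"))
        now = now or datetime.now(timezone.utc)
        if now - solved_at > MAX_TOKEN_AGE:
            return False, "token-too-old"
    return True, "ok"


# --- constructed offline replies standing in for Google's responses --------
SAMPLE_REPLIES = {
    "good-token": {"success": True, "challenge_ts": "2025-04-24T10:00:00Z",
                   "hostname": "example.com"},
    "replayed-token": {"success": False,
                       "error-codes": ["timeout-or-duplicate"]},
    "proxied-token": {"success": True, "challenge_ts": "2025-04-24T10:00:00Z",
                      "hostname": "evil.example.net"},
    "stale-token": {"success": True, "challenge_ts": "2025-04-24T09:00:00Z",
                    "hostname": "example.com"},
}
FIXED_NOW = datetime(2025, 4, 24, 10, 0, 30, tzinfo=timezone.utc)


def fake_siteverify(secret, token, remote_ip):
    """Offline transport returning the constructed replies above."""
    if secret != "test-secret":
        return {"success": False, "error-codes": ["invalid-input-secret"]}
    return SAMPLE_REPLIES.get(
        token, {"success": False, "error-codes": ["invalid-input-response"]})


def check(token, secret="test-secret"):
    """Verify one token against the offline transport at a fixed clock."""
    return verify_recaptcha(token, secret, "203.0.113.5",
                            transport=fake_siteverify, now=FIXED_NOW)


if __name__ == "__main__":
    for sample in list(SAMPLE_REPLIES) + ["", "forged"]:
        print(repr(sample), "->", check(sample))
```

With django-recaptcha installed you do not write this yourself; the point is to see what a rejected submission looks like from the server's side. The error code timeout-or-duplicate is the one you will see when a bot replays a harvested token, and the hostname and challenge_ts fields are the two pieces of the reply that the bare success flag does not cover.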

By following these steps, the password reset form in your Django project is protected by reCAPTCHA: every reset request now has to carry a token that Google has verified before allauth sends a single email, which is enough to stop the kind of scripted flood that took down our Mailjet delivery.