A few reasons:
1) I work at an international user facility for my day job and I really only want to do this once ;> With IDNs, I'm worried about dealing with Unicode IDNs. The email regex has been updated in recent versions of Django to support this.
2) The length--technically, an email address can be 256 characters long (http://tools.ietf.org/html/rfc5321#section-4.5.3). The default length of email addresses in Django is 75 characters and usernames are 30 characters. This is something that I want to specify (I don't need to be backwards compatible with any existing Django databases).
3)
As for using SHA2 and stretching, or bcrypt, I think that they should be choices and that the auth package should simply ask the backend what to do. It's not just limited to the user's choice of password, but also to sending out tokens that are only using SHA1. If we want to use, say, bcrypt for those, then an authentication backend should be required to have a token generator that can be called. The default backend should simply do what the Django development team thinks is best. Forms should also be the responsibility of the backend....
BUT
The problem with forking contrib.auth to make, say for example, "gen_auth" is that the module is pretty good (so it's a lot of effort to maintain a fork and to stay current with the Django trunk) and so far I've found that the following modules rely on it:
comments
sites
sitemaps (perhaps)
messages (ok, deprecated by 1.4, so I'll ignore it)
flatpages
(and I don't know how many other 3rd party packages).
It's not ideal, but the more I look at it, the more I'm leaning towards monkey patching.
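A sketch of the arrangement the post argues for, where the auth layer asks the backend for both password hashing and token generation. This is an added example, not code from the post or from Django: `PluggableBackend`, `set_password`, `password_reset_token`, the iteration count and the token layout are all hypothetical, and PBKDF2-HMAC-SHA256 stands in for "SHA2 and stretching".

```python
import hashlib
import hmac
import os

class PluggableBackend:
    """Hypothetical backend that owns password hashing and token generation."""
    algorithm = "pbkdf2_sha256"
    iterations = 200_000  # stretching factor (assumed value)

    def __init__(self, secret_key: bytes):
        self.secret_key = secret_key

    def hash_password(self, password, salt=None, iterations=None):
        salt = salt or os.urandom(16).hex()
        n = iterations or self.iterations
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), n)
        return f"{self.algorithm}${n}${salt}${dk.hex()}"

    def verify_password(self, password, encoded):
        try:
            algorithm, iterations, salt, _ = encoded.split("$")
            candidate = self.hash_password(password, salt, int(iterations))
        except ValueError:  # malformed stored value
            return False
        return algorithm == self.algorithm and hmac.compare_digest(
            candidate.encode(), encoded.encode())

    def make_token(self, user_id, password_hash, day):
        # Binding the MAC to the stored hash voids the token after a password change.
        msg = f"{user_id}:{password_hash}:{day}".encode()
        mac = hmac.new(self.secret_key, msg, hashlib.sha256).hexdigest()
        return f"{day}-{mac}"

    def check_token(self, user_id, password_hash, token, today, max_age_days=3):
        day_str = token.partition("-")[0]
        if not (day_str.isascii() and day_str.isdigit()):
            return False
        expected = self.make_token(user_id, password_hash, int(day_str))
        fresh = 0 <= today - int(day_str) <= max_age_days
        return fresh and hmac.compare_digest(expected.encode(), token.encode())

# The auth layer only delegates, so swapping the backend changes every algorithm at once.
def set_password(backend, user, raw_password):
    user["password"] = backend.hash_password(raw_password)

def password_reset_token(backend, user, today):
    return backend.make_token(user["id"], user["password"], today)
```

A bcrypt backend would implement the same four methods, and callers of `set_password` and `password_reset_token` would not change.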