Will upgrade to Django3.2 break password reset tokens?

I have seen below note in Django 3.2 release notes. This relevant commit updated making hash value algorithm based on user and timestamp. It now includes user email as well compared to previous version:

return f'{user.pk}{user.password}{login_timestamp}{timestamp}{email}'

Previously (v3.1) it was:

return str(user.pk) + user.password + str(login_timestamp) + str(timestamp)

So I am worrying that upgrading from Django 3.1 to 3.2 will break my existing password reset tokens. It’s weird that this incompatibility is not mentioned in 3.2 release notes. Or maybe I am wrong about assuming this change incompatible?

It probably does - but is it really a problem?

Those password reset tokens have a limited lifespan, and you can always request a new token.

Unfortunately, the situation is not that simple. We inherited Django’s PasswordResetTokenGenerator for generating user account activation token as well. We also overrode it to increase expiration time and make it configurable via admin panel. So, configured expiration time for some users is more than a month…