``is_active`` is no longer used to determine whether an account as been activated. Instead, inactive accounts are given an "unusable" password (see ``django.contrib.auth.models.UNUSABLE_PASSWORD``), while the registration profile stores the actual password chosen by the user. Once the user activates the account, the user is assign his password, and the registration profile record subsequently deleted. These changes make it easy to use very much the same process to implement a "password reset" functionality. If the user confirms the password change via email, the new password is applied, otherwise it is discarded during the cleanup. The cleanup process then will only delete user accounts that do not have a password set AND an ``is_active`` of False. Finally, the ``User`` model is monkeypatched a new ``email_confirmed`` field that is ``False`` by default and set to ``True`` during activation. This makes it possible to use the activation process to verify email addresses, while still keeping unconfirmed accounts usuable as well.