I started a discussion on the developer mailing list for this topic:

Effectively, the user creation form and the password change form use the UserAttributeSimilarityValidator differently. It is possible to create a user via a subclass of Django's UserCreationForm with a password that would be denied by the password change form. This is because the user creation form only checks similarity against the username field. When changing a password, the password is validated for similarity against username, first_name, last_name, and email.

This seems highly undesirable.

The central cause is that the ModelForm superclass (of UserCreationForm) hasn't yet created the User instance. UserCreationForm manually adds username to the empty User instance on line 105 to allow for user attribute validation. In the event a developer subclasses UserCreationForm, the form will still only validate against the username, rather than all of the fields in the form.
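As an added illustration (not part of this ticket and not Django's own code), the following standalone Python mirrors the similarity test that UserAttributeSimilarityValidator performs (SequenceMatcher.quick_ratio() against each attribute and each word-like piece of it, threshold 0.7) and the two validation paths described above: the creation form's instance carries only username, the change form's instance is fully populated. The User stand-in, the function names, the constructed form input and the "populate the instance first" remedy are assumptions made for the example, not the fix proposed on the mailing list.

```python
import re
from difflib import SequenceMatcher

# Standalone re-implementation of the check UserAttributeSimilarityValidator
# performs; an added illustration, not Django's code. The attribute list and
# the 0.7 threshold are Django's documented defaults.
DEFAULT_ATTRIBUTES = ("username", "first_name", "last_name", "email")
MAX_SIMILARITY = 0.7


class User:
    """Constructed stand-in for the auth User model; only the compared attributes."""

    def __init__(self, username="", first_name="", last_name="", email=""):
        self.username = username
        self.first_name = first_name
        self.last_name = last_name
        self.email = email


def similar_attribute(password, user, attributes=DEFAULT_ATTRIBUTES):
    """Return the name of the first attribute the password is too similar to, else None."""
    for name in attributes:
        value = getattr(user, name, None)
        if not value or not isinstance(value, str):
            continue  # empty attributes are never compared; this is the loophole
        # Compare against each word-like fragment and against the whole value.
        for part in re.split(r"\W+", value) + [value]:
            matcher = SequenceMatcher(a=password.lower(), b=part.lower())
            if matcher.quick_ratio() >= MAX_SIMILARITY:
                return name
    return None


def creation_form_check(cleaned_data):
    """Mimics UserCreationForm as described in the ticket: the unsaved instance only
    has username copied onto it, so every other attribute is empty and skipped."""
    instance = User(username=cleaned_data.get("username", ""))
    return similar_attribute(cleaned_data["password1"], instance)


def change_form_check(user, new_password):
    """Mimics the password change form: validation runs against the saved, fully
    populated user, so all four attributes are compared."""
    return similar_attribute(new_password, user)


def creation_form_check_populated(cleaned_data):
    """One way to close the gap (an assumption for this example, not the ticket's PR):
    populate the instance from every cleaned model field before validating."""
    fields = {k: v for k, v in cleaned_data.items() if k in DEFAULT_ATTRIBUTES}
    return similar_attribute(cleaned_data["password1"], User(**fields))


# Constructed input for a UserCreationForm subclass that also exposes first_name,
# last_name and email; the password is derived from the first name.
CLEANED_DATA = {
    "username": "alice",
    "first_name": "Marguerite",
    "last_name": "Delacroix",
    "email": "marguerite.delacroix@example.com",
    "password1": "Marguerite2024",
    "password2": "Marguerite2024",
}

if __name__ == "__main__":
    print("creation form (username only):", creation_form_check(CLEANED_DATA))
    saved = User(**{k: v for k, v in CLEANED_DATA.items() if k in DEFAULT_ATTRIBUTES})
    print("password change form:", change_form_check(saved, CLEANED_DATA["password1"]))
    print("creation form, populated instance:", creation_form_check_populated(CLEANED_DATA))
```

Run stand-alone, the first line prints None (the creation path accepts the password), while the other two name first_name: the same password is rejected the moment the instance carries the fields the validator is meant to compare. Whatever the eventual fix looks like, the check a reviewer wants is that the creation path sees every attribute in the validator's list, not just username.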

I will have a PR with a proposed fix (discussed in the mailing list) shortly.

