Django's auth backends now require request as the first positional

parameter, which we didn't have before. Django 1.11 will warn about this

if warnings are enabled, but otherwise works around it. Django 2.0 will

outright require it.
This only manifested as a problem in one situation, when changing

passwords in My Account. In this case, we call authenticate() directly

on the backend, rather than Django's wrapper (which handles legacy

signatures). This triggered a breakage on the standard auth backend.
All authenticate() signatures have been updated, and all call sites as

well.
This is a breaking change for any third-party auth backends.

Unit tests pass.
Successfully changed my password in My Account.