why is the UserCreationForm has UserName field explicity defined in model class in Django?

Question

I am looking at source code for UserCreationForm in django.contrib.auth.forms

what I notice is that the following:

class Meta:
            model = User
            fields = ("username",)

why is there a need to explicitly mention this ("username",) in the fields.because there is a username field defined again the UserCreationForm. why is it? and why Password fields are not included in the above Meta class definition?

class UserCreationForm(forms.ModelForm):
    """
    A form that creates a user, with no privileges, from the given username and
    password.
    """
    error_messages = {
        'duplicate_username': _("A user with that username already exists."),
        'password_mismatch': _("The two password fields didn't match."),
    }
    username = forms.RegexField(label=_("Username"), max_length=30,
        regex=r'^[\w.@+-]+$',
        help_text=_("Required. 30 characters or fewer. Letters, digits and "
                      "@/./+/-/_ only."),
        error_messages={
            'invalid': _("This value may contain only letters, numbers and "
                         "@/./+/-/_ characters.")})
    password1 = forms.CharField(label=_("Password"),
        widget=forms.PasswordInput)
    password2 = forms.CharField(label=_("Password confirmation"),
        widget=forms.PasswordInput,
        help_text=_("Enter the same password as above, for verification."))

    class Meta:
        model = User
        fields = ("username",)

    def clean_username(self):
        # Since User.username is unique, this check is redundant,
        # but it sets a nicer error message than the ORM. See #13147.
        username = self.cleaned_data["username"]
        try:
            User._default_manager.get(username=username)
        except User.DoesNotExist:
            return username
        raise forms.ValidationError(
            self.error_messages['duplicate_username'],
            code='duplicate_username',
        )

    def clean_password2(self):
        password1 = self.cleaned_data.get("password1")
        password2 = self.cleaned_data.get("password2")
        if password1 and password2 and password1 != password2:
            raise forms.ValidationError(
                self.error_messages['password_mismatch'],
                code='password_mismatch',
            )
        return password2

    def save(self, commit=True):
        user = super(UserCreationForm, self).save(commit=False)
        user.set_password(self.cleaned_data["password1"])
        if commit:
            user.save()
        return user

Answer 1

The fields attribute is there because, without it, all fields from that model would show on the form (the default behavior of a ModelForm is to show all fields from the model, in the absence of a "fields" or "exclude" attribute).

The password field isn't in it because the password fields shown on the form aren't really the password field stored in the model--the one in the model is the hashed password, whereas the ones shown on the form are normal text fields. So the code that processes this form takes those text passwords, makes sure they're the same, and then creates the "real" password and stores that in the model.