Security and Membership
You can reset the password directly in the database. Find the table named CMS_User and clear the password field in the row for the appropriate user name. You can then log in to the CMS with a blank password and change it in the Administration section. If you store passwords in PLAIN text and not in SHA1 format, you can read the password directly in the table above.
The second option for retrieving a lost password is to use the forgotten password link. Go to a page which requires logon and click the link, enter your e-mail address, and the new password will be sent to this address (if it exists for some user account).
You can use the following sample code in Kentico CMS 4.0:
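// Verify the credentials against the current site; ui stays null if authentication fails
CMS.SiteProvider.UserInfo ui = CMS.SiteProvider.UserInfoProvider.AuthenticateUser(txtboxUsername.Text, txtboxPassword.Text, CMS.CMSHelper.CMSContext.CurrentSite.SiteName);
if (ui != null)
{
    // Issue the forms authentication cookie (true = persistent cookie)
    System.Web.Security.FormsAuthentication.SetAuthCookie(ui.UserName, true);
    // Make the authenticated user the current user of the CMS context
    CMS.CMSHelper.CMSContext.SetCurrentUser(new CMS.CMSHelper.CurrentUserInfo(ui, true));
    CMS.SiteProvider.UserInfoProvider.SetPreferredCultures(ui);
}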
If you log in with this checkbox ticked and then stop working with your pages without logging out, you won't have to log in again the next time you access them. It works like a persistent connection, similar to a Google account: if you check it, you stay logged in to the system and don't need to enter your credentials again until you click the 'Sign out' button.
Many customers think that it auto-fills the username and password fields so that they don't need to enter them every time they log in to the site. That is handled by the browser itself. Please take a look at the links below for more details.
-it-
In Site Manager -> Settings -> <global settings> -> Security & Membership -> Administration section there is a setting named “Use SSL for administration interface”. Please note: before setting this key to true, make sure that the SSL certificate is correctly installed in your IIS. If it is not, you won’t be able to log in to the UI, and you will need to change this setting back to false directly in the database, e.g. using this query:
UPDATE CMS_SettingsKey
SET KeyValue = 'false'
WHERE KeyName = 'CMSUseSSLForAdministrationInterface'
If you want to generate passwords as alphanumeric strings (without special characters) or as strings which contain only special characters, you can implement your own algorithm for password generation in the btnGenerateNew_Click method in the ~\CMSModules\Membership\Pages\Users\User_Edit_Password.aspx.cs file:
protected void btnGenerateNew_Click(object sender, EventArgs e)
{
    // Check modify permission
    CheckModifyPermissions();
    string result = ValidateGlobalAndDeskAdmin();
    if (result == String.Empty)
    {
        string pswd = ...; // your own algorithm
        …
-jh-
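One way to fill in the "your own algorithm" placeholder above, as an added example that is not Kentico's code: an alphanumeric generator that draws from a cryptographic random source and discards out-of-range bytes so that every character is equally likely. The class name PasswordGenerator and its alphabet are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper written for this example; not part of Kentico CMS.
public static class PasswordGenerator
{
    // Alphanumeric alphabet without look-alike characters (0/O, 1/l/I): 57 symbols.
    private const string Alphabet =
        "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";

    // Cryptographic RNG; System.Random is predictable and unsuitable for passwords.
    private static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();

    public static string Generate(int length)
    {
        if (length <= 0)
        {
            throw new ArgumentOutOfRangeException("length", "Length must be positive.");
        }

        // Largest multiple of the alphabet size that fits in one byte (228 here).
        // Bytes at or above this limit are discarded; mapping them with % would
        // make the first few alphabet characters slightly more likely (modulo bias).
        int limit = 256 - (256 % Alphabet.Length);

        StringBuilder password = new StringBuilder(length);
        byte[] buffer = new byte[length * 2];

        while (password.Length < length)
        {
            Rng.GetBytes(buffer);
            foreach (byte b in buffer)
            {
                if (b < limit && password.Length < length)
                {
                    password.Append(Alphabet[b % Alphabet.Length]);
                }
            }
        }
        return password.ToString();
    }
}
```

Inside btnGenerateNew_Click the placeholder line would then read: string pswd = PasswordGenerator.Generate(12); where the length of 12 is likewise an assumption.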
Configuration of SSL must be handled at the IIS level, not within Kentico. Please see the following Microsoft documentation:
http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis/
The feature within Kentico that uses SSL is the Document option under Properties -> Security that specifies whether a page should redirect to SSL (to use https instead of http). You can set this up per document, or you can set this in your master page and use inheritance to apply the setting to all pages.
This subject is explained in further detail in the following Kentico documentation:
http://devnet.kentico.com/docs/devguide/index.html?ssl_https_support.htm
-ag-
There is a web site related scheduled task named “Users delete non activated user” that is responsible for deleting non-activated users. Its execution interval is set to one hour by default. This scheduled task deletes users which are not enabled or waiting for approval, based on your settings (Site Manager -> Settings -> Security & Membership -> Delete non-activated user after (days)). You can either disable this scheduled task or make sure that the users which you do not want to lose are enabled and/or not waiting for approval.
-mr-
To set SSL for the logon.aspx page, please go to your solution in Visual Studio and open CMSPages/logon.aspx and its code-behind file.
Now write the following code in the Page_Load method:
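string url = HttpContext.Current.Request.Url.AbsoluteUri;
if (url.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
{
    // Swap only the scheme prefix; Replace() would also rewrite any "http://" inside the query string
    Response.Redirect("https://" + url.Substring("http://".Length));
}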
Please go to Site Manager -> Settings -> <your site> -> Content Management and check the Personalize user interface by permissions check box. This allows you to specify permissions for the user interface. If you now go to CMS Desk -> Administration -> Permissions, choose Permission type: Modules and Permission matrix: CMS User Interface, you can uncheck the Properties tab for a particular role. This ensures that users in that role can't see the Properties tab.
If you secure Word and Excel documents uploaded as CMS.File documents (they require authentication) and the documents contain links to other secured documents, the logon screen is always displayed when you click the links, regardless of whether you are already logged in. In other words, if you browse through the documents via links in the document content, you need to type the username and password every time you open a new document.
Microsoft Word and Excel send a special request before the standard request in order to check the URL. This extra request does not include the information Kentico needs, which is why the extra logon screen is displayed.
Regrettably, we cannot affect the behavior of these processors. For example, Outlook and PDF reader use the standard way and it works OK.
-hg-
The Logon page is available in ~/CMSPages/logon.aspx within the project folder. The following classes are used for its design:
.LogonPageBody
{
    background-image: url(Images/Dialog/BackgroundNew.gif);
    background-repeat: repeat-x;
    background-color: #e7f2f8;
    height: auto;
    height: 98%;
}
.loginBox
{
    margin: auto;
    padding: 80px 0 12px 0; /* width: 503px; */
    background: url(Images/Dialog/LoginBox05.gif) no-repeat;
}
Both are defined in the ~/App_Themes/Default/CMSDesk.css file. You can change them according to your needs.
Please go to 'CMS Desk -> Content -> document_with_LogonMiniform -> Design' and click on the web part configuration. Here you can select which roles the logon form is shown to. Please select only the Not authenticated users role.
This ensures that the logon form is shown only to non-authenticated users.
This happens because the user is considered to be a guest in the time after he logs out and before his session expires.
This issue may happen when the user, who is already logged in, logs in again from different browser or computer.
Go to Site Manager -> Settings -> <your site> -> Content Management -> Personalize user interface by permissions checkbox and check it (set it to true).
It may be confusing that a standard text box is specified as the field type of the password field in the User system table. The reason is that the value specified in the User system table is not actually used anywhere. A particular alternative form is always used on the live page, and that alternative form already uses the 'password with confirmation' form control. You can find the source of this form control in the ~\CMSFormControls\PasswordConfirmator.ascx(.cs) files.
Sometimes it might happen that you accidentally switch on the option "Use SSL for administration interface" within Site Manager -> Settings -> (global) -> Security.
The first option is to generate an SSL certificate and configure your IIS to use it. The easiest way is to use the SelfSSL certificate service; you can find more information about it using Google.
Another option is to switch this setting off manually in the database. Please open the database and, in the CMS_SettingsKey table, find the record CMSUseSSLForAdministrationInterface and change the value in the KeyValue column to false. Then make some change in the web.config file, e.g. add a space, and save it. This forces the application to restart, and after that everything should work as before.
The SSL certificate is set for a web site in IIS, so you basically have the following two options:
1) You can create separate web sites in IIS for each of the sites in Kentico CMS
2) You can have one IIS web site and buy a multiple-name certificate
This issue can occur when a site uses Form authentication and the user has the 'UserIsExternal' field in the CMS_User table set to true (which works only with Windows authentication, or when authenticating a user against an external DB using the CustomSecurityHandler).
This may be solved by the following approaches.
1) Enable cookies in the browser.
2) Try to lower your IE privacy settings to the "low" level.
3) The server time may be set incorrectly relative to GMT; in that case the server sends expired cookies and the user is not able to log in. Try to set your time according to the wwp.greenwichmeantime.com/ web site.