Kentico CMS 7.0 Context Help

Passwords

Passwords

Send password e-mails from

Sets the e-mail address from which password recovery e-mails will be sent.

Password format

Selects the format used to store the passwords of users. They may either be saved in plain text or as the result of a security hash function. The recommended option that provides the best security is SHA2 with salt.

 

If you change the password format, please keep in mind that this only affects how future passwords are stored and existing passwords will remain unchanged. It is necessary to set all passwords again so that they are stored in the new format. For this reason, it is recommended to set the appropriate format directly after the installation, before you create user accounts or allow users to start registering.

 

Please note: An empty string in the UserPassword field of the CMS_User database table is considered to be a blank password for both plain text and hashed password formats. If you forget the global administrator password, you can manually insert an empty value to reset it.

Reset password requires e‑mail approval

If checked, users who submit a password recovery request through a logon form will not receive their password directly, but will instead be sent an e‑mail containing a link to a page where they can manually set a new password.

 

If disabled, the system will send an e‑mail to the given user containing their current password if passwords are stored in plain text, or a newly generated password if hashing is used.

Reset password page URL

Sets the URL of the page where users can change their password after they submit a password recovery request. The Reset password web part must be placed on the specified page to ensure that users can set a new password.

 

The value of this setting is used by the administration interface logon page and inherited by individual Logon form web parts if their own Reset password page property is not set.

 

If empty, the ~/CMSModules/Membership/CMSPages/ResetPassword.aspx default page is used.

Reset password interval

Sets the length (in hours) of the time interval during which users are allowed to change their password after submitting a password recovery request (if the Reset password requires e‑mail approval setting is enabled). After the specified number of hours, the link in the password recovery e‑mail expires and becomes invalid.

Send e‑mail with reset password

If enabled, users will receive another e‑mail containing their new password once they successfully reset it.

Password policy

Use password policy

Indicates if a security policy should be used to validate the passwords entered by users for their accounts. The details of the policy can be specified through the settings below. Passwords that do not meet the required conditions will be rejected.

 

Enabling this setting does not change the passwords of existing users; it only adds requirements that must be fulfilled by new passwords.

Minimal length

Sets the minimum number of total characters required for user passwords.

Number of non alphanumeric characters

Sets the minimum number of non-alphanumeric characters (i.e. any character except for numbers and letters) that a password must contain in order to be accepted.

Regular expression

Can be used to enter a regular expression that will be used to validate user passwords. This regular expression is applied in combination with the other policy settings.

 

For example: ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$

 

This sample expression would require passwords to contain at least one lower case letter, one upper case letter and one number. The minimum number of characters would be determined by the remaining policy settings.

Policy violation message

Specifies a custom text message that will be displayed to users who attempt to enter a password which does not fulfill the requirements of the password policy. If left empty, a default message will be shown, stating the minimum password length and the number of non-alphanumeric characters.

 

If you specify a regular expression for passwords, it is recommended to describe its requirements in this message.

 

If your site has multiple cultures (languages) assigned to it, you can enter a different message for each language via the Localize (AddNewUICulture) action.
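
The following added example (not Kentico code) models how the Minimal length, Number of non alphanumeric characters and Regular expression settings combine, and shows that the sample expression on its own accepts a three-character password. The function names and sample passwords are constructed for illustration, and treating "non alphanumeric" as "not a letter or digit" is an assumption about how the count is made.

```python
import re

# Sample expression from the Regular expression setting above.
SAMPLE_REGEX = r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).*$"


def check_password(password, min_length=0, min_non_alnum=0, regex=None):
    """Return the list of policy settings that `password` violates.

    Hypothetical model of the three policy settings applied together;
    an empty list means the password is accepted.
    """
    violations = []
    if len(password) < min_length:
        violations.append("Minimal length")
    # Assumption: "non alphanumeric" = any character that is not a letter or digit.
    non_alnum = sum(1 for ch in password if not ch.isalnum())
    if non_alnum < min_non_alnum:
        violations.append("Number of non alphanumeric characters")
    if regex and re.search(regex, password) is None:
        violations.append("Regular expression")
    return violations


def audit(candidates, **policy):
    """Map each candidate password to its violations under `policy`."""
    return {pw: check_password(pw, **policy) for pw in candidates}


# Constructed sample passwords, not taken from any real system.
CANDIDATES = ["aA1", "Password1", "correct horse battery", "Tr1cky-Passw0rd!"]

if __name__ == "__main__":
    # Regular expression only: the three-character "aA1" is accepted.
    print(audit(CANDIDATES, regex=SAMPLE_REGEX))
    # Regular expression combined with length and symbol requirements.
    print(audit(CANDIDATES, min_length=10, min_non_alnum=1, regex=SAMPLE_REGEX))
```

Running candidate passwords through a model like this before saving a policy makes it easier to write an accurate Policy violation message for the expression in use.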

 

More resources can be found in:

 

Developer's Guide -> Development -> Membership, permissions and security

Developer's Guide -> Development -> Membership, permissions and security -> Authentication -> Password settings