Abstract

When you set up Sitecore security, you should also consider how you want to set up the password policy, such as the minimum length and strength of your users' passwords and whether you want to allow users who forget their password to request a new password in an email message.

This topic describes how to

The security architect can specify the password policy to be enforced on your website. The parameters that can be specified include the length and strength of the passwords that users must use, as well as the number of times that a user can enter an incorrect password before they are locked out.

1. In Windows Explorer, browse to the folder where the website is stored, typically, C:\Inetpub\wwwroot\SitecoreWebsite\WebSite.

2. Open the Web.config file in Notepad and scroll down to the following section:

3. Edit the following properties:

| Property | Defines |
| --- | --- |
| minRequiredPasswordLength | The minimum number of characters that a password must contain. |
| minRequiredNonalphanumericCharacters | The minimum number of non-alphanumeric characters that a password must contain. Non-alphanumeric characters are any characters that are not a number or a letter, for example, !@#\$%&*(). Default value = 0. |
| maxInvalidPasswordAttempts | The maximum number of times that a user can enter an incorrect password before their security account is locked out. |
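
An added example (not Sitecore's own code): a small Python audit that reads the three properties listed above from each membership provider in a Web.config and reports values weaker than a baseline, including attributes that are not set at all. The sample configuration, the baseline limits and the function name `audit_password_policy` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a <membership> section; not copied from a real site.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="sitecore">
      <providers>
        <add name="sitecore" realProviderName="sql" />
        <add name="sql" type="System.Web.Security.SqlMembershipProvider"
             minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0"
             maxInvalidPasswordAttempts="256" />
        <add name="custom" minRequiredPasswordLength="14"
             minRequiredNonalphanumericCharacters="1" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Assumed baseline, adjust to your own policy: (attribute, comparison, limit).
BASELINE = [
    ("minRequiredPasswordLength", "min", 12),
    ("minRequiredNonalphanumericCharacters", "min", 1),
    ("maxInvalidPasswordAttempts", "max", 10),
]

def audit_password_policy(config_xml):
    """Return (provider, attribute, problem) tuples for each weak or missing value."""
    root = ET.fromstring(config_xml)
    findings = []
    for provider in root.findall("./system.web/membership/providers/add"):
        # Wrapper providers that delegate to another provider carry no policy attributes.
        if provider.get("realProviderName"):
            continue
        name = provider.get("name", "<unnamed>")
        for attr, kind, limit in BASELINE:
            raw = provider.get(attr)
            if raw is None:
                findings.append((name, attr, "not set explicitly"))
            elif not raw.strip().isdigit():
                findings.append((name, attr, f"not a number: {raw!r}"))
            elif kind == "min" and int(raw) < limit:
                findings.append((name, attr, f"{raw} is below {limit}"))
            elif kind == "max" and int(raw) > limit:
                findings.append((name, attr, f"{raw} is above {limit}"))
    return findings

if __name__ == "__main__":
    for name, attr, problem in audit_password_policy(SAMPLE_WEB_CONFIG):
        print(f"[{name}] {attr}: {problem}")
```

To check a real site, pass the text of its Web.config to `audit_password_policy` instead of the constructed sample.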

You must also edit the Sitecore.config file to enable Sitecore to send an email message to users who use the Forgot Your Password functionality and request to receive a new password in an email message.

1. Open the Sitecore.config file in Notepad.

2. Scroll down to the following section:

<!--  MAIL SERVER
SMTP server used for sending mails by the Sitecore server
Is used by MainUtil.SendMail()
-->
<setting name="MailServer" value="mail.server.net" />
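<!--  MAIL SERVER USER
If the SMTP server requires login, enter the user name in this setting
-->
<setting name="MailServerUserName" value="" />
<!--  MAIL SERVER PASSWORD
If the SMTP server requires login, enter the password in this setting
-->
<setting name="MailServerPassword" value="" />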
<!--  MAIL SERVER PORT
If the SMTP server requires a custom port number, enter the value in this setting.
The default value is: 25
-->
<setting name="MailServerPort" value="25" />

3. Enter the address of your mail server in the <setting name="MailServer" value="" /> section.

4. If you are using SSL security, you must also add the following setting to the configuration file:

<system.net>
<mailSettings>
<smtp deliveryMethod="Network">
<network enableSsl="true" />
</smtp>
</mailSettings>
</system.net>

You need to change the sender of the Forgot Your Password email to a valid email address. You can also change the subject and content of the email. To do this, follow these steps: