Configure the password policy

Current version: 10.0

When you setup Sitecore security, you should also consider how you want to set up the password policy, such as the minimum length and strength of your users' passwords and if you want to allow users who forget their password to request a new password in an email message.

This topic describes how to

Specify your password policy

The security architect can specify the password policy to be enforced on your website. The parameters that can be specified include the length and strength of the passwords that users must use, as well as the number of times that a user can enter an incorrect password before they are locked out.

To specify the password policy:

  1. In Windows Explorer, browse to the folder where the website is stored, typically, C:\Inetpub\wwwroot\SitecoreWebsite\WebSite.

  2. Open the Web.config file in Notepad and scroll down to the following section:

  3. Edit the following properties:




    The minimum number of characters that a password must contain.


    The minimum number of non-alphanumeric characters that a password must contain.

    Non-alphanumeric characters are any characters that do not contain the value of a number or a letter, for example, !@#$%&*()

    Default value = 0.


    The maximum number of times that a user can enter an incorrect password before their security account is locked out.

Enable the forgotten password functionality

You must also edit the Sitecore.config file to enable Sitecore to send an email message to users who use the Forgot Your Password functionality and request to receive a new password in an email message.

To enable the Forgot Your Password functionality:

  1. Open the Sitecore.config file in Notepad.

  2. Scroll down to the following section:

    <!--  MAIL SERVER
          SMTP server used for sending mails by the Sitecore server
          Is used by MainUtil.SendMail()
    <setting name="MailServer" value="" />
          If the SMTP server requires login, enter the user name in this setting
    <setting name="MailServerUserName" value="" />
          If the SMTP server requires login, enter the password in this setting
    <setting name="MailServerPassword" value="" />
          If the SMTP server requires a custom port number, enter the value in this setting.
          The default value is: 25
    <setting name="MailServerPort" value="25" />
  3. Enter the address of your mail server in the <setting name="MailServer" value="" /> section.

  4. If you are using SSL security, you must also add the following setting to the configuration file:

          <smtp deliveryMethod="Network">
            <network enableSsl="true" />
  5. Save your changes.

You need to change the sender of the Forgot your Password email to a valid email address. You can also edit the subject and content of the email. To do this, follow these steps:

  1. Log in to Sitecore as an administrator.

  2. In the Launchpad, open the Desktop, and select the Core database.

  3. In the Content Editor, navigate to /sitecore/system/Settings/Security/Password recovery/Password Recovery Email.

  4. Enter a valid email address in the Sender email address field, and change the other fields as you need.


You must configure your SMTP server to allow emails to be sent from the email address you specified as the Sender email address.

Do you have some feedback for us?

If you have suggestions for improving this article,