Configure the password policy
When you setup Sitecore security, you should also consider how you want to set up the password policy, such as the minimum length and strength of your users' passwords and if you want to allow users who forget their password to request a new password in an email message.
This topic describes how to
Specify your password policy
The security architect can specify the password policy to be enforced on your website. The parameters that can be specified include the length and strength of the passwords that users must use, as well as the number of times that a user can enter an incorrect password before they are locked out.
To specify the password policy:
-
In Windows Explorer, browse to the folder where the website is stored, typically,
C:\Inetpub\wwwroot\SitecoreWebsite\WebSite. -
Open the
Web.configfile in Notepad and scroll down to the following section:
-
Edit the following properties:
Property Defines minRequiredPasswordLengthThe minimum number of characters that a password must contain. minRequiredNonalphanumericCharactersThe minimum number of non-alphanumeric characters that a password must contain.
Non-alphanumeric characters are any characters that do not contain the value of a number or a letter, for example, !@#$%&*()
Default value = 0.maxInvalidPasswordAttemptsThe maximum number of times that a user can enter an incorrect password before their security account is locked out.
Enable the forgotten password functionality
You must also edit the Sitecore.config file to enable Sitecore to send an email message to users who use the Forgot Your Password functionality and request to receive a new password in an email message.
To enable the Forgot Your Password functionality:
-
Open the
Sitecore.configfile in Notepad. -
Scroll down to the following section:
-
Enter the address of your mail server in the
<setting name="MailServer" value="" />section. -
If you are using SSL security, you must also add the following setting to the configuration file:
-
Save your changes.
You need to change the sender of the Forgot your Password email to a valid email address. You can also edit the subject and content of the email. To do this, follow these steps:
- Log in to Sitecore as an administrator.
- In the Launchpad, open the Desktop, and select the Core database.
- In the Content Editor, navigate to /sitecore/system/Settings/Security/Password recovery/Password Recovery Email.
- Enter a valid email address in the Sender email address field, and change the other fields as you need.
You must configure your SMTP server to allow emails to be sent from the email address you specified as the Sender email address.