Password expiration
With the password settings in Settings -> Security & Membership -> Passwords, you can set passwords of administration interface users to expire after a specified amount of time.
Notes:
- The password expiration features described on this page do NOT apply to users who only sign in on the live site (via the MVC application).
- The system does not support password changes or the password expiration feature for external users (for example Active Directory users created using Mixed-mode Windows authentication).
You can enable password expiration using the Enable password expiration setting. When a user signs in to the system, the password expiration period (specified in days by the Password expiration period setting) is added to the time when the user last modified their password. The resulting time is then compared with the current time, and if it is in the past, the particular user’s password has expired.
You can set how the system behaves after the password expires with the Password expiration behavior setting:
- Show warning – displays a warning text. The user can click the Change the password now link to open a dialog that will allow them to change their password.
- Lock account – locks the user’s account, requiring the user to unlock their account and change their password.
To display a friendly message (as shown in the picture above) to the users, check the Display account lock information message option in Settings -> Security & Membership -> Protection. If you do not check this option, users will see only a general message and will not know that their account has been locked.
The system can warn users that their password is about to expire. You can adjust the period during which the warning is displayed to users via the Password expiration warning period setting.
Notifying users by email
Enable the Send password expiration email setting to notify users about the expiration of their password via email.
The Email templates application contains a predefined template (Membership - Password expired) that is sent to users when their password expires. The template contains the {% ResetPasswordUrl %} macro, which resolves to a URL of the page that allows the user to change the password.
Extending password validity
To extend the validity of a user’s password, edit the user in the Users application and on the General tab, click Extend validity. The password’s validity is reset to the value of the Password expiration period setting, and the user’s account is enabled if it was locked due to the expired password.