Note: This guide describes Kentico CMS version 7. Unfortunately, we cannot support this guide from version 8 forward. Go to latest documentation

Skip to end of metadata
Go to start of metadata

With the available password settings in Site Manager -> Settings -> Security & Membership -> Passwords, you can set the passwords to expire after a specified amount of time.

You can turn on password expiration with the Enable password expiration setting. When a user logs in to the system, the password expiration period (specified in days by the Password expiration period setting) is added to the time when the user last modified their password, and then compared with the current time. If the resulting time is earlier than the current time, the particular user's password has expired.

You can set how the system behaves after the password expires with the Password expiration behavior setting:

  • Show warning - displays a warning text. The user can click the Change the password now link to open a dialog that will allow them to conveniently change their password.
  • Lock account - locks the user's account, requiring the user to unlock their account and change their password.

    To display a friendly message (as you can see on the picture above) to the users, check the Display account lock information message option in Site Manager -> Settings -> Security & Membership -> Protection. If you do not check this option, the users will see only a general message without knowing that their account has been locked.

The system can warn the users that their password is about to expire. You can adjust the period during which users will be displayed with the warning via the Password expiration warning period setting.



On this page

Related pages

Notifying live site users

By default, notifications related to password expiration are displayed only in the administration interface. To notify also live site users, place the Password expiration web part on a page.

Resetting a password

Users can change their expired password on a special page. You can either use the default page (~/CMSModules/Membership/CMSPages/ResetPassword.aspx), or specify a custom page in the Reset password page URL setting.

A custom password reset page should contain one of the following components:

  • Reset password web part - a web part you can use in the Portal engine development model.
  • ResetPassword control - an alternative to the Reset password web part, which can be placed on an ASPX page. The control is located in ~/CMSModules/Membership/Controls/ResetPassword.ascx.

Notifying users by e-mail

By turning the Send password expiration email setting on, you can specify whether you want to notify users about the expiration of their password via e‑mail.

The Site Manager -> Administration -> E-mail templates section contains a predefined template (Membership - Password expiration) that is sent to users when their password expires. The template contains the {% ResetPasswordUrl %} macro, which is resolved to a link that points to the URL of the page that allows to change the user's password.

Extending password validity

To extend the validity of any user's password, edit the user in CMS Desk or Site Manager -> Administration -> Users and on the General tab, click Extend validity. The password's validity will be reset to the Password expiration period setting's value and the user will be enabled in case their account has been locked due to expired password.