Password expiration

With the available password settings in Settings -> Security & Membership -> Passwords, you can set the passwords to expire after a specified amount of time.

You can enable password expiration using the Enable password expiration setting. When a user logs in to the system, the password expiration period (specified in days by the Password expiration period setting) is added to the time when the user last modified their password, and then compared with the current time. If the resulting time is earlier than the current time, the particular user’s password has expired.

You can set how the system behaves after the password expires with the Password expiration behavior setting:

  • Show warning - displays a warning text. The user can click the Change the password now link to open a dialog that will allow them to conveniently change their password.
    Warning message

  • Lock account - locks the user’s account, requiring the user to unlock their account and change their password.

    Locked account after password expiration

    To display a friendly message (as you can see on the picture above) to the users, check the Display account lock information message option in Settings -> Security & Membership -> Protection. If you do not check this option, users will see only a general message without knowing that their account has been locked.

The system can warn the users that their password is about to expire. You can adjust the period during which users will be displayed with the warning via the Password expiration warning period setting.

Note: The system does not support changing of passwords and the password expiration feature for external users (for example Active Directory users created using Mixed-mode Windows authentication).

Notifying live site users

By default, notifications related to password expiration are displayed only in the administration interface. To notify also live site users, place the Password expiration web part on a page.

Notifying users by email

By enabling the Send password expiration email setting, you can specify whether you want to notify users about the expiration of their password via email.

The Email templates application contains a predefined template (Membership - Password expired) that is sent to users when their password expires. The template contains the {% ResetPasswordUrl %} macro, which resolves to a URL of the page that allows the user to change the password.

Changing passwords

To allow users to manually change their password, place the Change password or My account web part onto one of your website’s pages. Creating a custom user editing form with a visible password field is not recommended.

Resetting passwords

Processing of password reset links is handled by special pages. You can either use the default page (~/CMSModules/Membership/CMSPages/ResetPassword.aspx), or specify a custom page in the Settings -> Security & Membership -> Passwords -> Reset password page URL setting.

A custom password reset page must contain one of the following components:

  • Reset password web part (for portal engine pages).
  • ResetPassword control (for ASPX pages). The control is located in: ~/CMSModules/Membership/Controls/ResetPassword.ascx

Extending password validity

To extend the validity of any user’s password, edit the user in the Users application and on the General tab, click Extend validity. The password’s validity will be reset to the Password expiration period setting’s value and the user will be enabled in case their account has been locked due to expired password.