Password expiration

Using the password settings in Settings -> Security & Membership -> Passwords, you can set passwords to expire after a specified amount of time.

You can enable password expiration using the Enable password expiration setting. When a user logs in to the system, the password expiration period (specified in days by the Password expiration period setting) is added to the time when the user last modified their password, and then compared with the current time. If the resulting time is earlier than the current time, the particular user’s password has expired.

You can set how the system behaves after the password expires with the Password expiration behavior setting:

  • Show warning - displays a warning text. The user can click the Change the password now link to open a dialog that will allow them to conveniently change their password.
    Warning message

  • Lock account - locks the user’s account, requiring the user to unlock their account and change their password.

    Locked account after password expiration

    To display a friendly message to the users (as shown in the picture above), check the Display account lock information message option in Settings -> Security & Membership -> Protection. If you do not check this option, users will see only a general message and will not know that their account has been locked.

The system can warn users that their password is about to expire. You can adjust the period during which the warning is displayed to users via the Password expiration warning period setting.

Note: The system does not support changing passwords or the password expiration feature for external users (for example Active Directory users created using Mixed-mode Windows authentication).
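The check described above can be modelled as follows to audit which accounts would be warned, locked or skipped under a given set of values. This is an added example, not the product's own code: the function names, field names, state labels and sample accounts are constructed, and counting the warning period back from the expiration time is an assumption.

```python
from datetime import datetime, timedelta

def password_state(last_changed, now, expiration_days, warning_days,
                   behavior="warning", enabled=True, external=False):
    """Classify one account following the check the page describes.

    behavior is "warning" (Show warning) or "lock" (Lock account).
    """
    if not enabled:
        return "disabled"      # Enable password expiration is off
    if external:
        return "exempt"        # external users are not covered by the feature
    expires_at = last_changed + timedelta(days=expiration_days)
    if expires_at < now:       # strictly earlier than the current time
        return "expired-lock" if behavior == "lock" else "expired-warn"
    # Assumption: the warning period is counted back from expires_at.
    if warning_days > 0 and now >= expires_at - timedelta(days=warning_days):
        return "expiring"
    return "ok"

def audit(users, now, **settings):
    """Map each account name to its state under the given settings."""
    return {u["name"]: password_state(u["last_changed"], now,
                                      external=u.get("external", False),
                                      **settings)
            for u in users}

# Constructed sample accounts (naive timestamps, all in one time zone).
NOW = datetime(2024, 6, 30, 12, 0)
USERS = [
    {"name": "alice", "last_changed": datetime(2024, 6, 1, 9, 0)},
    {"name": "bob",   "last_changed": datetime(2024, 4, 10, 9, 0)},
    {"name": "carol", "last_changed": datetime(2024, 3, 1, 9, 0)},
    # Exactly 90 days before NOW: equal to, not earlier than, the current time.
    {"name": "dave",  "last_changed": datetime(2024, 4, 1, 12, 0)},
    {"name": "erin",  "last_changed": datetime(2023, 1, 1, 0, 0), "external": True},
]

if __name__ == "__main__":
    report = audit(USERS, NOW, expiration_days=90, warning_days=14, behavior="lock")
    for name, state in report.items():
        print(f"{name:6} {state}")
```

The account named dave sits exactly on the boundary: its expiration time equals the current time, so it is still only in the warning window.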

Notifying live site users

By default, notifications related to password expiration are displayed only in the administration interface. To also notify live site users, place the Password expiration web part on a page.

Resetting a password

Users can change their expired password on a special page. You can either use the default page (~/CMSModules/Membership/CMSPages/ResetPassword.aspx), or specify a custom page in the Reset password page URL setting.

A custom password reset page should contain one of the following components:

  • Reset password web part - a web part you can use in the Portal engine development model.
  • ResetPassword control - an alternative to the Reset password web part, which can be placed on an ASPX page. The control is located in ~/CMSModules/Membership/Controls/ResetPassword.ascx.

Notifying users by e-mail

Turn on the Send password expiration e‑mail setting to notify users about the expiration of their password via e‑mail.

The E-mail templates application contains a predefined template (Membership - Password expiration) that is sent to users when their password expires. The template contains the {% ResetPasswordUrl %} macro, which resolves to a link pointing to the page where the user can change their password.

Extending password validity

To extend the validity of any user’s password, edit the user in the Users application and, on the General tab, click Extend validity. The password’s validity will be reset to the value of the Password expiration period setting, and the user will be enabled if their account was locked due to an expired password.