If users forget their password, they may retrieve or reset it, provided they have access to the e‑mail address specified for their account. A password may be recovered by submitting a request through one of the website's logon forms.

By default, a forgotten password button is included on the logon page of the administration interface.

You can hide the button by adding the following key to the /configuration/appSettings section of your web.config file:

    <add key="CMSShowForgottenPassLink" value="false" />

On the live site, users can recover their password through Logon form web parts that have their Allow forgotten password retrieval property enabled.

When submitting the request, users can either type in their user name or e‑mail address:

  • If a user name is entered, the recovery e‑mail will be sent to the given account's address.
  • If an address is used, the request will affect the password of the user account with the corresponding address.

Password recovery e‑mails are sent from the address specified in the Send password e-mails from setting in Site Manager -> Settings -> Security & Membership -> Passwords.

Depending on the value of the Reset password requires email approval setting, one of two possible password recovery modes will be used:

Password reset without e-mail approval

If the Reset password requires email approval setting is disabled, then users who request their password will receive an e‑mail containing the password directly.

If the current password format is plain text, the existing password will be sent to the user. If an encrypted password format is used, the system will generate a new password for the user.

Password reset with e-mail approval

If the Reset password requires email approval setting is enabled, several steps will be added to the process.

Info: This option is recommended, as it is more secure than the previous option. When the Reset password requires e‑mail approval setting is disabled, an attacker can easily lock other users out of their accounts by guessing their user names and using the forgotten password retrieval function.

Users who submit a password recovery request through a logon form will first receive an e‑mail containing a link to a page where they can manually set a new password. This option is more secure, because the password cannot be read from the e‑mail by potential attackers. Also, the reset link is only valid temporarily. The time period during which the link is valid can be specified in hours by the Reset password interval setting.

When users click the link in the e‑mail, they will be redirected to the default ~/CMSModules/Membership/CMSPages/ResetPassword.aspx system page, where they will be able to enter a new password. The URL of the link contains a token in its query string that automatically identifies the user whose password should be changed. After someone visits the link, it becomes invalid and cannot be accessed again.

If you wish to use a custom page for this purpose, simply create a new page on the website and place the Reset password web part on it. This web part displays a form with the same functionality as described above for the ResetPassword.aspx system page. After you create the page, enter its URL into the Reset password page URL website setting, or into the same property of individual Logon form web parts.

If the Send email with reset password setting is enabled, users will receive another e‑mail containing their new password once they successfully reset it.
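As an added illustration of the approval-mode flow described above (a model written for this page, not Kentico's own code), the following Python sketch issues a single-use reset token that expires after the Reset password interval and supports the cancel link. The 12-hour interval value, the store class and the token_from_url helper are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Assumed value of the "Reset password interval" setting (hours); constructed for this example.
RESET_PASSWORD_INTERVAL_HOURS = 12
RESET_PAGE = "~/CMSModules/Membership/CMSPages/ResetPassword.aspx"


class ResetRequestStore:
    """Model of the approval-mode flow: the e-mail carries a token, never a password.

    Only a hash of each token is stored, so a copy of the store does not
    yield usable links; a token is single-use and time-limited.
    """

    def __init__(self, interval_hours=RESET_PASSWORD_INTERVAL_HOURS, now=time.time):
        self._now = now                       # injectable clock (seconds since epoch)
        self._ttl = interval_hours * 3600
        self._pending = {}                    # token hash -> (user name, expiry)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_name):
        """Create a request and return the reset link to put in the e-mail."""
        token = secrets.token_urlsafe(32)     # 256 bits of randomness, not guessable
        self._pending[self._digest(token)] = (user_name, self._now() + self._ttl)
        return RESET_PAGE + "?token=" + token

    def consume(self, token):
        """Return the user name for a valid token; the token is invalidated on first use."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None                       # unknown, already used, or cancelled
        user_name, expiry = entry
        return user_name if self._now() <= expiry else None

    def cancel(self, token):
        """Cancel-link behaviour: discard the request without touching the password."""
        return self._pending.pop(self._digest(token), None) is not None


def token_from_url(url):
    """Extract the token from a reset link produced by issue()."""
    return url.split("?token=", 1)[1]
```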

Recovering administrator password

If you happen to lose the password for your administrator account and cannot access the management interface, you can use one of the following techniques to recover:

  • Reset password via web.config key - insert the following key into the appSettings section of your web.config:

    <add key="CMSAdminEmergencyReset" value="<your username>;<your new password>;[true/false]" />

    • The first and second parameters specify your user name and your new password, delimited by a semicolon. The third parameter is optional and indicates whether you want to create a new user with global administrator rights.

    • The key will be automatically deleted after you gain access to the user interface.

  • Clear password in database - find your user record in the CMS_User table and clear the contents of the UserPassword column. Then sign in to the administration interface with a blank password and set a new password.

Password recovery e‑mail templates

The e‑mails sent to users during the password retrieval process are based on E-mail templates, which can be found in Site Manager -> Administration -> Email templates. The following password‑related templates are available:

  • Membership - Forgotten password - sent to users when they use the password recovery feature and the Reset password requires email approval setting is disabled.
  • Membership - Change password request - sent as a reply to password recovery requests if Reset password requires email approval is enabled.
  • Membership - Changed password - sent to users if their password is changed by an administrator, either manually or by generating a new one.
  • Membership - Resend password - used if the current password information is sent to a user from the administration interface (this can only be done if passwords are stored in plain text format).

These templates can be edited as needed, so you may fully customize the content of the e‑mails. You can enter the following context macros to include dynamic values in their text:

  • {% UserName %} - the name of the user's account. If you are using site prefixes for user names, all occurrences of this macro in e‑mail templates can have the prefix trimmed out with the following method: {%TrimSitePrefix(UserName)%}
  • {% Password %} - the current (new) password of the given user.
  • {% LogonURL %} - returns the URL of the page where the password retrieval request was submitted. Only available in the Forgotten password template.

The two macros below are available specifically in the Change password request template:

  • {% ResetPasswordURL %} - resolves into the URL of the page where the user can change their password.
  • {% CancelURL %} - returns the URL of a page that will cancel the request when opened. This can be used to create links that users can click in situations where someone else requested a new password for their user account (either intentionally or accidentally).

In addition to the special macros listed above, you can also use all other standard macro expressions in the templates. See the Macro expressions chapter for more information about macro expressions in Kentico CMS.