You can hide the button by adding the following key to the /configuration/appSettings section of your web.config file:
<add key="CMSShowForgottenPassLink" value="false" />
On the live site, users can recover their password through Logon form web parts that have their Allow forgotten password retrieval property enabled.
When submitting the request, users can type in either their user name or their e‑mail address.
Password recovery e‑mails are sent from the address specified in the Send password e-mails from setting in Site Manager -> Settings -> Security & Membership -> Passwords.
Depending on the value of the Reset password requires e‑mail approval setting, one of two possible password recovery modes will be used:
If the Reset password requires e‑mail approval setting is disabled, then users who request their password will receive an e‑mail containing the password directly.
If the current password format is plain text, the existing password will be sent to the user. If an encrypted password format is used, the system will generate a new password for the user.
If the Reset password requires e‑mail approval setting is enabled, several steps will be added to the process.
This option is recommended, as it is more secure than the previous option. When the Reset password requires e‑mail approval setting is disabled, an attacker can easily lock other users' accounts by guessing their user names and using the forgotten password retrieval function, since each request replaces the current password when an encrypted password format is used.
Users who submit a password recovery request through a logon form will first receive an e‑mail containing a link to a page where they can manually set a new password. This option is more secure, because the password cannot be read from the e‑mail by potential attackers. Also, the reset link is only valid temporarily. The time period during which the link is valid can be specified in hours by the Reset password interval setting.
When users click the link in the e‑mail, they will be redirected to the default ~/CMSModules/Membership/CMSPages/ResetPassword.aspx system page, where they will be able to enter a new password. The URL of the link contains a token in its query string that automatically identifies the user whose password should be changed. After someone visits the link, it becomes invalid and cannot be accessed again.
If you wish to use a custom page for this purpose, simply create a new page on the website and place the Reset password web part on it. This web part displays a form with the same functionality as described above for the ResetPassword.aspx system page. After you create the page, enter its URL into the Reset password page URL website setting, or into the same property of individual Logon form web parts.
If the Send e‑mail with reset password setting is enabled, users will receive another e‑mail containing their new password once they successfully reset it.
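The following Python model of the two recovery modes described above is an added illustration and is not Kentico CMS code. The Membership class, its method names and the 12-hour interval are assumptions made for the example; it shows that in approval mode a request leaves the password unchanged and that the link token expires and works only once.

```python
import hashlib
import secrets
import time

class Membership:
    """Toy model of both recovery modes (hypothetical, not Kentico code)."""
    def __init__(self, users, interval_hours=12, clock=time.time):
        self.passwords = dict(users)       # user name -> password (hashing omitted)
        self._pending = {}                 # sha256(token) -> (user name, expiry time)
        self._ttl = interval_hours * 3600  # stands in for "Reset password interval"
        self._clock = clock

    def request_reset(self, user, requires_approval):
        """Handle a forgotten-password request; return what the e-mail carries."""
        if user not in self.passwords:
            return None
        if not requires_approval:
            # Approval disabled, encrypted format: the password is replaced at once.
            self.passwords[user] = secrets.token_urlsafe(12)
            return self.passwords[user]
        token = secrets.token_urlsafe(32)  # goes into the link's query string
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
        self._pending[digest] = (user, self._clock() + self._ttl)
        return token

    def reset_with_token(self, token, new_password):
        """Set a new password if the token is known, unexpired and unused."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: the link works only once
        if entry is None or self._clock() > entry[1]:
            return False
        self.passwords[entry[0]] = new_password
        return True

def demo():
    now = [0.0]  # constructed clock so expiry can be simulated
    m = Membership({"alice": "old-secret"}, interval_hours=12, clock=lambda: now[0])
    token = m.request_reset("alice", requires_approval=True)
    kept = m.passwords["alice"] == "old-secret"   # a request alone changes nothing
    first = m.reset_with_token(token, "new-secret")
    replay = m.reset_with_token(token, "second-try")
    stale = m.request_reset("alice", requires_approval=True)
    now[0] += 13 * 3600                           # past the 12-hour interval
    expired = m.reset_with_token(stale, "too-late")
    m.request_reset("alice", requires_approval=False)
    locked_out = m.passwords["alice"] != "new-secret"
    return kept, first, replay, expired, locked_out

if __name__ == "__main__":
    print(demo())
```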
Recovering administrator password
If you happen to lose the password for your administrator account and cannot access the management interface, you can use one of the following techniques to recover:
The e‑mails sent to users during the password retrieval process are based on e‑mail templates, which can be found in Site manager -> Administration -> E‑mail templates. The following password‑related templates are available:
These templates can be edited as needed, so you may fully customize the content of the e‑mails. You can enter the following context macros to include dynamic values in their text:
The two macros below are available specifically in the Change password request template:
In addition to the special macros listed above, you can also use all other standard macro expressions in the templates. See the Macro expressions chapter for more information about macro expressions in Kentico CMS.