When you set up Sitecore security, you should also consider how you want to set up the password policy, such as the minimum length and strength of your users' passwords, and whether you want to allow users who forget their password to request a new password in an email message.
This topic describes how to
Specify your password policy
The security architect can specify the password policy to be enforced on your website. The parameters that can be specified include the length and strength of the passwords that users must use, as well as the number of times that a user can enter an incorrect password before they are locked out.
To specify the password policy:
- In Windows Explorer, browse to the folder where the website is stored, typically,
- Open the Web.config file in Notepad and scroll down to the following section:
- Edit the following properties:
The minimum number of characters that a password must contain.
The minimum number of non-alphanumeric characters that a password must contain.
Non-alphanumeric characters are characters that are neither a number nor a letter, for example, !@#$%&*()
Default value = 0.
The maximum number of times that a user can enter an incorrect password before their security account is locked out.
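The three properties above can be checked automatically against a baseline. The following is an added example, not code from this page or from Sitecore: it assumes the standard ASP.NET membership provider attribute names (minRequiredPasswordLength, minRequiredNonalphanumericCharacters, maxInvalidPasswordAttempts), which this page does not show, and the baseline thresholds and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Hypothetical baseline for this example; substitute your organisation's policy.
BASELINE = {
    "minRequiredPasswordLength": ("min", 12),
    "minRequiredNonalphanumericCharacters": ("min", 1),
    "maxInvalidPasswordAttempts": ("max", 5),
}

# Constructed sample, not a real Sitecore Web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="sitecore">
      <providers>
        <add name="sql" type="System.Web.Security.SqlMembershipProvider"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             maxInvalidPasswordAttempts="256" />
        <add name="strict" type="System.Web.Security.SqlMembershipProvider"
             minRequiredPasswordLength="14"
             minRequiredNonalphanumericCharacters="2" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


def audit_password_policy(config_xml, baseline=BASELINE):
    """Return (provider, attribute, problem) tuples for settings weaker than baseline."""
    findings = []
    for membership in ET.fromstring(config_xml).iter("membership"):
        for provider in membership.findall("providers/add"):
            name = provider.get("name", "<unnamed>")
            for attr, (kind, limit) in baseline.items():
                raw = provider.get(attr)
                if raw is None:
                    findings.append((name, attr, "not set explicitly"))
                    continue
                try:
                    value = int(raw)
                except ValueError:
                    findings.append((name, attr, f"not an integer: {raw!r}"))
                    continue
                if kind == "min" and value < limit:
                    findings.append((name, attr, f"{value} is below minimum {limit}"))
                elif kind == "max" and value > limit:
                    findings.append((name, attr, f"{value} is above maximum {limit}"))
    return findings
```

Run `audit_password_policy` on the contents of a copy of your Web.config. A provider entry that only wraps another provider will be reported as "not set explicitly" for each attribute, so read those findings against the provider it points to.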
Enable the forgotten password functionality
You must also edit the Sitecore.config file to enable Sitecore to send an email message to users who use the Forgot Your Password functionality and request to receive a new password in an email message.
To enable the Forgot Your Password functionality:
- Open the Sitecore.config file in Notepad.
- Scroll down to the following section:
<!-- MAIL SERVER
     SMTP server used for sending mails by the Sitecore server
     Is used by MainUtil.SendMail()
-->
<setting name="MailServer" value="mail.server.net" />
<!-- MAIL SERVER USER
     If the SMTP server requires login, enter the user name in this setting
-->
<setting name="MailServerUserName" value="" />
<!-- MAIL SERVER PASSWORD
     If the SMTP server requires login, enter the password in this setting
-->
<setting name="MailServerPassword" value="" />
<!-- MAIL SERVER PORT
     If the SMTP server requires a custom port number, enter the value in this setting.
     The default value is: 25
-->
<setting name="MailServerPort" value="25" />
- Enter the address of your mail server in the <setting name="MailServer" value="" /> setting.
- Save your changes.
You need to change the sender of the Forgot Your Password email to a valid email address. You can also change the subject and content of the email. To do this, follow these steps:
- Log in to Sitecore as an administrator.
- In the Launchpad, open the Desktop, and select the Core database.
- In the Content Editor, navigate to /sitecore/system/Settings/Security/Password recovery/Password Recovery Email.
- Enter a valid email address in the Sender email address field, and change the other fields as you need.
You must configure your SMTP server to allow emails to be sent from the email address you specified as the Sender email address.