Forgotten password

If users forget their password, they may retrieve or reset it, provided they have access to the email address specified for their account. A password may be recovered by submitting a request through one of the website’s logon forms.

Note: Resetting of passwords is not possible for external users (for example Active Directory users created using Mixed-mode Windows authentication).

By default, a Forgotten password link is included on the logon page of the administration interface.

You can hide the link by adding the following key to the /configuration/appSettings section of your web.config file:

<add key="CMSShowForgottenPassLink" value="false" />

On the live site, users can recover their password through Logon form web parts that have their Allow forgotten password retrieval property enabled.

Recovering a password through the Logon form web part

When submitting the request, users can either type in their user name or email address:

  • If a user name is entered, the recovery email will be sent to the given account’s address.
  • If an email address is used, the request will affect the password of the user account with the corresponding address.
    • If the entered email address does not correspond to any registered user, email will not be sent.

Password recovery emails are sent from the address specified in the Send password emails from setting in Settings -> Security & Membership -> Passwords.

Depending on the value of the Reset password requires email approval setting, one of two possible password recovery modes will be used:

  • Password reset without email approval
  • Password reset with email approval

Password reset without email approval

If the Reset password requires email approval setting is disabled, then users who request their password receive an email containing the password directly.

If the current password format is plain text, the existing password is sent to the user. If a secured password format is used, the system generates a new password for the user.

Password reset with email approval

If the Reset password requires email approval setting is enabled, the system adds several steps to the password recovery process.

Using password resets with email approval is recommended, as it provides the following security benefits and features:

  • Attackers cannot lock the accounts of other users by guessing their user names and using the forgotten password recovery function.
  • Passwords cannot be read from the email by potential attackers.
  • The reset links are only valid temporarily. The time period during which the links are valid can be specified in hours via the Reset password interval setting.
  • After someone uses a password reset link, it becomes invalid and cannot be accessed again.

Note: Certain types of web filtering software may interfere with password reset links. If an automatic tool accesses the password reset page before it is opened by the actual user’s client, the password recovery request will be invalid.

Users who submit a password recovery request through a logon form first receive an email containing a link.

When users click the link in the email, they are redirected to the default ~/CMSModules/Membership/CMSPages/ResetPassword.aspx system page, where they can set a new password. The URL of the link contains a token in its query string that automatically identifies the user whose password should be changed.

If you wish to use a custom page for this purpose, simply create a new page on the website and place the Reset password web part on it. This web part displays a form with the same functionality as described above for the ResetPassword.aspx system page. After you create the page, enter its URL into the Reset password page URL website setting, or into the same property of individual Logon form web parts.

If the Send email with reset password setting is enabled, users receive another email containing their new password once they successfully reset it.
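A minimal model of the reset-link properties described above, added here as an illustration and not Kentico's own implementation: a random token identifies the user, is rejected once the configured interval has elapsed, and is invalidated after one use. It also assumes (a design choice for the model, not something this page states) that opening the reset page only validates the token and that only submitting the new password consumes it, which is what keeps an automatic link checker from spending the request.

```python
import secrets

# Constructed model of reset-link handling; not Kentico's code.
class ResetTokenStore:
    """Server-side record of pending password reset requests."""

    def __init__(self, interval_hours: float):
        # Mirrors the "Reset password interval" setting (hours).
        self.interval = interval_hours * 3600
        self._pending = {}  # token -> (user_name, issued_at)

    def issue(self, user_name: str, now: float) -> str:
        """Create the token that goes into the reset link's query string."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._pending[token] = (user_name, now)
        return token

    def lookup(self, token: str, now: float):
        """Validate without consuming (opening the reset page).

        Returns the user name the token identifies, or None if the token is
        unknown or older than the interval. Expired entries are dropped.
        """
        rec = self._pending.get(token)
        if rec is None:
            return None
        user_name, issued_at = rec
        if now - issued_at > self.interval:
            del self._pending[token]
            return None
        return user_name

    def consume(self, token: str, now: float):
        """Validate and invalidate (submitting the new password).

        A second call with the same token returns None: the link is single-use.
        """
        user_name = self.lookup(token, now)
        if user_name is not None:
            del self._pending[token]
        return user_name

    def cancel(self, token: str) -> bool:
        """Model of the CancelURL behaviour: drop a request the user did not make."""
        return self._pending.pop(token, None) is not None
```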

Recovering administrator password

If you happen to lose the password for your administrator account and cannot access the administration interface, you can use one of the following techniques to recover:

  • Reset password via web.config key - insert the CMSAdminEmergencyReset key into the appSettings section of your web.config. For example:

      <add key="CMSAdminEmergencyReset" value="admin;password;true" />

    • admin - this value specifies the user name of the new account.
    • password - this value specifies the password for the new account – you should change it to your own value.
    • The third parameter is optional and indicates whether you want to create a new user with the Global administrator privilege level.
    • The key will be automatically deleted after you gain access to the user interface.
  • Clear password in database - find your user record in the CMS_User table and clear the contents of the UserPassword column. Then sign in to the administration interface with a blank password and set a new password.

Password recovery email templates

The emails sent to users during the password retrieval process are based on Email templates, which can be found in the Email templates application. The following password-related templates are available:

  • Membership - Forgotten password - sent to users when they use the password recovery feature and the Reset password requires email approval setting is disabled.
  • Membership - Change password request - sent as a reply to password recovery requests if Reset password requires email approval is enabled.
  • Membership - Changed password - sent to users if their password is changed by an administrator, either manually or by generating a new one.
  • Membership - Resend password - used if the current password information is sent to a user from the administration interface (this can only be done if passwords are stored in plain text format).

These templates can be edited as needed, so you may fully customize the content of the emails. You can enter the following context macros to include dynamic values in the template text:

  • {% UserName %} - the name of the user’s account. If you are using site prefixes for user names, all occurrences of this macro in email templates can have the prefix trimmed out with the following method: {%TrimSitePrefix(UserName)%}
  • {% Password %} - the current (new) password of the given user.
  • {% LogonURL %} - returns the URL of the page where the password retrieval request was submitted. Only available in the Forgotten password template.

The above macros are NOT available in the Change password request template. Instead, you can use the following expressions:

  • {% ResetPasswordURL %} - resolves into the URL of the page where the user can change their password.
  • {% CancelURL %} - returns the URL of a page that will cancel the request when opened. This can be used to create links that users can click in situations where someone else requested a new password for their user account (either intentionally or accidentally).
  • {% User %} - allows you to access the properties of the user who sent the change password request, for example: {% TrimSitePrefix(User.UserName) %}

In addition to the special macros listed above, you can also use all other standard macro expressions in the templates. See the Macro expressions chapter for more information about macro expressions in Kentico.