Administration: Set password requirements

1. In the main menu, click Administration » Settings.
   The Basic Settings page appears.
2. Click Advanced.
   The Settings page appears.
3. In left menu click Security » Membership Providers.
4. Click the provider that you want to configure and then click Parameters. All parameters appear.
5. Choose the format in which passwords are saved, click passwordFormat property on the left.
   In Value input field, enter one of the following:
   • Clear
     Passwords are not encrypted.
   • Hashed
     Passwords are encrypted one-way using a hashing algorithm.
   • Encrypted
     Passwords are encrypted.

You can enable users to reset their passwords in case they forgot them. Users receive an email message with a new password.

PREREQUISITES: To enable Sitefinity CMS to send e-mails, you must have configured the SMTP settings. For more information, see Administration: Configure SMTP settings.

1. Navigate to Security » Membership Providers » Default (or any applicable provider) » Parameters.
2. To enable or disable users to reset their password, click enablePasswordReset.
3. In the Value input field, enter true to enable or false to disable the users to reset their passwords.
4. Click Save changes.
   By default, password recovery is disabled.
5. Click recoveryMailAddress and in Value, enter the email that will appear when the new password is sent to the user.
6. Click Save changes.
   By default, there is no value set as recovery email, if you do not set it, password recovery will not work.
7. Click recoveryMailBody and, in case you do not want the username to appear together with the password, in theValue input field, delete <br />User Name: <%\s*UserName\s*%>.
8. Click Save changes.
9. Click recoveryMailSubject and in Value, enter the subject that is displayed when the new password is sent to the user.
10. Click Save changes.

When working with forms-based authentication, you can configure password retrieval, so that users who forgot their passwords can receive them in an email message.

NOTE: If you are working with claims-based authentication, you cannot configure password retrieval.

PREREQUISITES: To enable Sitefinity CMS to send e-mails, you must have configured the SMTP settings. For more information, see Administration: Configure SMTP settings.

 To configure password retrieval:

1. Navigate to Administration » Settings » User Authentication.
2. Expand the dropdown menu and select Forms authentication (backward compatibility).
   Click Save changes. 
3. Click Advanced to proceed to the advanced settings.
4. Navigate to Security » Membership Providers » Default (or any applicable provider) » Parameters.
5. Setup the following parameters:
• recoveryMailAddress
  Enter a valid email address that is used by Sitefinity CMS as the From: <email address> that is displayed in the password recovery email message. Save the changes.

  IMPORTANT: If you are using a custom membership provider inheriting from the ASP.NET membership provider (MembershipDataProvider class), the recoveryMailAddress is returned as String.Empty, indicating that the user password cannot be reset. To resolve this issue, specify recoveryMailAddress in the appSettings node in web.config:

• enablePassword Retrieval
  Set the property to true.

  IMPORTANT: You must not set the enablePasswordRetrieval property to true when the enablePasswordReset is also set to true. The defaultpasswordFormat for the default membership provider is Hashed. Since hashed passwords cannot be retrieved, Sitefinity CMS has to reset the password and send a new one. If you want to retrieve the current password, you must set the passwordFormatEncrypted or Clear.

6. Restart the application.