Applies to versions 10.0.0 - 10.0.26
    Password Information

    General Password Information

    Customer and admin accounts have some special requirements and procedures regarding account security. Things to keep in mind about accounts and signing in:
    • Administrators must periodically change their password. This cannot be disabled entirely, but the interval can be adjusted with the AdminPwdChangeDays Setting. PCI DSS requires passwords to be changed at least every 90 days, so the value should not exceed 90.
    • After a number of failed login attempts (3 by default; PCI DSS allows at most 6), controlled by the MaxBadLogins Setting, the account is temporarily locked out. The lockout length (30 minutes by default, which is the PCI DSS minimum) can be adjusted with the BadLoginLockTimeOut Setting.
    • By default, customers are not required to use complex passwords with special characters, as admin users are. To require this for customers, set the UseStrongPwd Setting to Yes.
    • By default, admin passwords must be at least 8 characters long and include at least one upper case character, one lower case character, one number, and one of these characters: ~`!@#$%^&*()_+=[]{}|';":|/?
    • The required password format for admin users (and for customers when UseStrongPwd is enabled) can be changed by altering the CustomerPwdValidator Setting.
    • Old admin passwords are stored so that an admin cannot reuse a password when a change is required. The NumPreviouslyUsedPwds Setting determines how many previous passwords are kept. PCI DSS requires at least the last 4.
    • By default, users are logged out after 15 minutes of inactivity. PCI DSS requires this idle timeout. The SessionTimeoutInMinutes Setting (for shoppers) and the AdminSessionTimeoutInMinutes Setting (for admin users) control the duration.
    • Best practice is to create at least one backup Super Admin account with a different email address, to assist with password reset problems.
    • NOTE: In V10+ versions, browser password autocomplete can no longer be disabled on email and password fields by setting the DisablePasswordAutocomplete Setting to true, because the common browsers no longer honor that capability. A PCI scan may flag this as an 'action item'; the recommendation can be ignored and is not necessary to pass the scan.
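    The rules in the list above, implemented as an added example (this is not the store's own code): a validator for the default admin password policy, a history check against the last NumPreviouslyUsedPwds entries, and the failed-login lockout with the PCI DSS limits. The constants stand in for the settings named above, the Account class and PBKDF2 hashing are assumptions of the example (the page says nothing about how the store stores passwords), and the scenario data is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Special-character class for admin passwords, transcribed from the page's list
# (the backslashes in the extracted text are assumed to be escaping artifacts).
SPECIALS = "~`!@#$%^&*()_+=[]{}|';\":/?"

# Policy values from the page, as plain constants standing in for the
# AdminPwd / MaxBadLogins / BadLoginLockTimeOut / NumPreviouslyUsedPwds settings.
MIN_LENGTH = 8
MAX_BAD_LOGINS = 6                 # PCI DSS: lock after no more than 6 failures
LOCKOUT = timedelta(minutes=30)    # PCI DSS: locked for at least 30 minutes
NUM_PREVIOUS_PWDS = 4              # PCI DSS: at least the last 4 may not be reused
PBKDF2_ROUNDS = 100_000            # assumption for the example


def validate_admin_password(pw: str) -> list[str]:
    """Return the names of unmet rules; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isupper() for c in pw):
        problems.append("uppercase")
    if not any(c.islower() for c in pw):
        problems.append("lowercase")
    if not any(c.isdigit() for c in pw):
        problems.append("digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("special")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); only these are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # oldest first
    failures: int = 0
    locked_until: Optional[datetime] = None

    def is_reused(self, pw: str) -> bool:
        """True if pw matches any of the last NUM_PREVIOUS_PWDS stored hashes."""
        return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
                   for salt, digest in self.history[-NUM_PREVIOUS_PWDS:])

    def set_password(self, pw: str) -> None:
        problems = validate_admin_password(pw)
        if problems:
            raise ValueError("policy: " + ", ".join(problems))
        if self.is_reused(pw):
            raise ValueError("reuse: matches one of the last %d passwords" % NUM_PREVIOUS_PWDS)
        self.history.append(hash_password(pw))

    def check_login(self, pw: str, now: datetime) -> bool:
        """Verify pw, counting failures and enforcing the temporary lockout."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return False          # locked: rejected even if the password is right
            self.locked_until, self.failures = None, 0   # lockout expired
        salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(pw, salt)[1], digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_BAD_LOGINS:
            self.locked_until = now + LOCKOUT
        return False


def try_set_password(acct: Account, pw: str) -> str:
    """Helper for the walkthrough: 'ok' or the rejection reason."""
    try:
        acct.set_password(pw)
        return "ok"
    except ValueError as exc:
        return str(exc)


def lockout_walkthrough() -> list[bool]:
    """Constructed scenario: MAX_BAD_LOGINS wrong guesses one second apart, then the
    right password during the lockout, then the right password after it expires."""
    acct = Account()
    acct.set_password("Summer2024!a")
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    results = [acct.check_login("wrong-guess", t0 + timedelta(seconds=i))
               for i in range(MAX_BAD_LOGINS)]
    results.append(acct.check_login("Summer2024!a", t0 + timedelta(minutes=5)))
    results.append(acct.check_login("Summer2024!a", t0 + LOCKOUT + timedelta(minutes=1)))
    return results
```

    Note that a correct password presented during the lockout window is still rejected; the lockout expires by time, not by a correct guess, which is the behaviour the PCI DSS minimum lockout period expects.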

    Forgot Password Reset Procedure for versions 10.0.25+

    Important: The Forgot Password feature relies on properly-configured email. If your store is not properly configured to send emails, the Forgot Password feature will not appear on login pages.

    In the event that you lose your password and your site has a working email configuration, you can use the "Forgot Your Password?" feature on the sign-in pages of your site.

    • The password reset system has been redesigned to make it safer, easier, and faster for customers to regain access to their accounts.
    • Security is provided by an alphanumeric key that seeds the generation of the security token placed in the reset link. A setting (Configuration - Settings - JwtKey) in the admin console configures a unique key for your site. Treat the key as a secret and use a different value on every site: whoever holds the key can construct valid reset tokens.
    • Besides protecting the customer, the new system also benefits store owners. The password reset request page includes a reCAPTCHA verification if one has been configured, which mitigates bots flooding the system with automated reset requests.
    • The customer begins account recovery at the familiar 'Forgot your password?' link on the sign-in page.

    • After the customer provides their email address, a password reset email is sent to that address, provided it belongs to an active registered account.
    • After receiving this email, the customer simply clicks the link, creates a new password on the site, and completes the login. A temporary password is no longer needed.
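    An added example, not the store's code, of the kind of signed, time-limited reset token that a per-site secret such as the JwtKey setting makes possible, and of why that key must be unique and secret. The token carries the account, a purpose, an expiry, and a fingerprint of the account's current password hash, so a link is useless once the password has been changed; the verifier pins the algorithm and rejects forged, tampered, expired and already-used tokens. The token layout, field names, HS256 signing and the sample keys and hashes are assumptions constructed for the example; only the need for a per-site key comes from the page.

```python
import base64
import hashlib
import hmac
import json
import secrets

RESET_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def password_fingerprint(stored_hash: bytes) -> str:
    """Short digest of the account's current password hash. It changes when the
    password does, so a token issued before a reset cannot be replayed after it."""
    return hashlib.sha256(stored_hash).hexdigest()[:16]


def issue_reset_token(key: bytes, email: str, stored_hash: bytes, now: int) -> str:
    """Build a compact JWT (HS256) for a password reset link."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": email, "purpose": "pwd-reset", "iat": now,
               "exp": now + RESET_TTL_SECONDS,
               "pfp": password_fingerprint(stored_hash), "jti": secrets.token_hex(8)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_reset_token(key: bytes, token: str, stored_hash: bytes, now: int) -> tuple[bool, str]:
    """Return (ok, reason_or_subject). Every check must pass before a new password is accepted."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    signing_input = parts[0] + "." + parts[1]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed"
    # Pin the algorithm on the server side; never let the token choose it
    # (this is what blocks alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        return False, "bad alg"
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if payload.get("purpose") != "pwd-reset":
        return False, "wrong purpose"
    if now >= payload.get("exp", 0):
        return False, "expired"
    if payload.get("pfp") != password_fingerprint(stored_hash):
        return False, "already used"
    return True, payload["sub"]


def walkthrough() -> dict[str, str]:
    """Constructed scenario covering the cases a verifier must reject."""
    site_key = secrets.token_bytes(32)          # the site's own JwtKey-style secret
    other_site_key = secrets.token_bytes(32)    # a key from a different site
    old_hash = hashlib.sha256(b"constructed stand-in for the stored hash").digest()
    new_hash = hashlib.sha256(b"stand-in for the hash after the reset").digest()
    t = 1_700_000_000
    tok = issue_reset_token(site_key, "admin@example.com", old_hash, t)
    results = {
        "valid": verify_reset_token(site_key, tok, old_hash, t + 60)[1],
        "expired": verify_reset_token(site_key, tok, old_hash, t + RESET_TTL_SECONDS)[1],
        "after_reset": verify_reset_token(site_key, tok, new_hash, t + 60)[1],
        "forged": verify_reset_token(
            site_key, issue_reset_token(other_site_key, "admin@example.com", old_hash, t),
            old_hash, t + 60)[1],
    }
    # Re-target the payload at another account while keeping the original signature.
    h, p, s = tok.split(".")
    payload = json.loads(_b64url_decode(p))
    payload["sub"] = "victim@example.com"
    tampered = h + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()) + "." + s
    results["tampered"] = verify_reset_token(site_key, tampered, old_hash, t + 60)[1]
    return results
```

    The "forged" case is the one the JwtKey setting guards against: a token minted under another site's key (or a shared default) fails only because the keys differ, so a leaked or reused key collapses the whole scheme to "anyone can reset any account".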


    Forgot Password Reset Procedure for versions 10.0.24 and older

    Important: The Forgot Password feature relies on properly-configured email. If your store is not properly configured to send emails, the Forgot Password feature will not appear on login pages.

    In the event that you lose your password and have a functional email configuration in your site, you can use the "Forgot Your Password?" feature on the signin pages of your site.

    • If your site does not have a functional email configuration, a separate reset method that requires direct database access must be used. Consult your site host if necessary.
    • If you are being looped back to the admin sign-in page with no error, see the separate article on that issue.

    Procedure

    1. Open the /signin.aspx page on your site (www.yoursite.com/signin.aspx, or www.yoursite.com/youradmin/ WITHOUT signin.aspx if you are an admin user).
    2. Enter your account email address in the field labeled "My e-mail address is:" and click the Request a New Password button.
    3. Check your email inbox for the temporary password generated by the site.
    4. Open /signin.aspx again (the email contains a link), or your admin URL for admin users, and log in with your account email and the temporary password. NOTE: On occasion the temporary password contains characters the login form rejects. If it fails after a couple of attempts, repeat the Forgot Your Password? request to generate a new one, until you receive one that works.
    5. The site will then require you to change your password. Enter the temporary password in the Old Password field, not your previous password or an auto-filled one.

    You will be all set once you have completed the password change sequence.

    The forced password change after a Forgot Your Password? sequence can be confusing when browser autocomplete pre-fills the Old Password field. The correct value to enter there is the temporary password from the email.
