• 10.0.0 - 10.0.24


    Password Information

    General Password Information

    Customers and admin users have some special requirements and procedures regarding account security. Some things to keep in mind regarding accounts and signing in:


    • Administrators must periodically change their password. This cannot be disabled entirely, but the frequency of this required change can be adjusted with the AdminPwdChangeDays Setting. 90 days is the minimum required by PCI DSS standards.
    • After a certain number of failed login attempts (3 by default; 6 is the PCI DSS maximum; controlled by the MaxBadLogins Setting), user accounts are temporarily locked out. The length of the lockout (30 minutes by default, which is the PCI DSS standard minimum) can be adjusted with the BadLoginLockTimeOut Setting.
    • By default, customers are not required to use complex passwords with special characters like admin users are. That can be changed by setting the UseStrongPwd Setting to Yes.
    • By default, admin passwords must be at least 8 characters long and include at least one upper case character, one lower case character, one number, and one of these characters ~`!@#$%^&*()_+=[]{}|\';\":|/?
    • The required password format for admin users (and customers if using the special rule described above) can be changed by altering the CustomerPwdValidator Setting.
    • Old admin passwords are stored to prevent admins from reusing the same password when a change is required. The NumPreviouslyUsedPwds Setting determines how many previous passwords are saved. PCI DSS requires no less than 4.
    • By default, users are forced to log in again after 15 minutes of sitting idle on the site. This functionality is required by the PCI DSS standard. The SessionTimeoutInMinutes setting (for shoppers) and the AdminSessionTimeoutInMinutes setting (for admin users) control the duration.
    • NOTE: In V10+ versions, browser password autocomplete can no longer be disabled on email & password fields throughout the application by setting the DisablePasswordAutocomplete Setting to true, because the common browsers have deprecated the capability. PCI scans may report this as an 'action item'. You can ignore this recommendation (it is not necessary to pass the PCI scan).
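
    One way to check a store's values against the limits listed above, as an added example rather than vendor code. It assumes the settings have been exported to a name/value dictionary, and whether each quoted figure is treated as a ceiling or a floor is this example's reading of the bullets.

```python
# Added example: audit exported settings against the figures quoted in the list
# above. "max"/"min" per rule is this example's reading of each bullet.
RULES = [
    ("AdminPwdChangeDays", "max", 90, "admin password change interval (days)"),
    ("MaxBadLogins", "max", 6, "failed logins before lockout"),
    ("BadLoginLockTimeOut", "min", 30, "lockout duration (minutes)"),
    ("NumPreviouslyUsedPwds", "min", 4, "remembered previous passwords"),
    ("SessionTimeoutInMinutes", "max", 15, "shopper idle timeout (minutes)"),
    ("AdminSessionTimeoutInMinutes", "max", 15, "admin idle timeout (minutes)"),
]

def audit_settings(settings):
    """Return (name, problem) findings for a {setting name: value string} dict."""
    findings = []
    for name, kind, limit, what in RULES:
        raw = settings.get(name)
        if raw is None or not str(raw).strip():
            findings.append((name, "missing: cannot confirm " + what))
            continue
        try:
            value = int(str(raw).strip())
        except ValueError:
            findings.append((name, "not an integer: %r" % (raw,)))
            continue
        if value <= 0:
            findings.append((name, "%d needs review: non-positive %s" % (value, what)))
        elif kind == "max" and value > limit:
            findings.append((name, "%d exceeds %d for %s" % (value, limit, what)))
        elif kind == "min" and value < limit:
            findings.append((name, "%d is below %d for %s" % (value, limit, what)))
    # The page says "Yes" enables the rule; accepting "true" too is an assumption.
    strong = str(settings.get("UseStrongPwd", "")).strip().lower()
    if strong not in ("yes", "true"):
        findings.append(("UseStrongPwd", "customers are not held to the complex-password rule"))
    return findings

# Constructed sample export (illustrative values, not from a real store).
SAMPLE = {
    "AdminPwdChangeDays": "180", "MaxBadLogins": "3", "BadLoginLockTimeOut": "10",
    "NumPreviouslyUsedPwds": "4", "SessionTimeoutInMinutes": "15",
    "AdminSessionTimeoutInMinutes": "abc", "UseStrongPwd": "No",
}

if __name__ == "__main__":
    for name, problem in audit_settings(SAMPLE):
        print("%-30s %s" % (name, problem))
```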


    Forgot Password Reset Procedure

    Important: The Forgot Password feature relies on properly-configured email. If your store is not properly configured to send emails, the Forgot Password feature will not appear on login pages.

    In the event that you lose your password and have a functional email configuration in your site, you can use the "Forgot Your Password?" feature on the signin pages of your site.

    • If you are an admin user of the site, you must perform this task on the admin signin page.
    • If you do not have a functional email configuration in the site, use this method to reset your password, which requires direct database access. Consult your site host if necessary.
    • If you are getting looped back to the admin sign in page with no error, refer to this article.


    1. Access the /signin.aspx page on your site (www.yoursite.com/signin.aspx, or www.yoursite.com/youradmin/ WITHOUT the signin.aspx if you are an admin user).
    2. Enter your account email address in the field labeled *My e-mail address is: and click the Request a New Password button.
    3. Check your email Inbox for the temporary password generated by the site.
    4. Access the /signin.aspx page on your site again (there is a link in the email you received) or your admin URL for admin users, and log in using your account email and the temporary password. NOTE: On occasion the temporary password can contain invalid characters. If it fails to log you in after a couple of attempts, retry the Forgot Your Password? feature to generate a new one. Repeat until you get a valid password.
    5. The site will request that you change your password at this time. Please remember to use the temporary password for the Old Password field, and not your previous password or any auto saved passwords.

    You will be all set once you have properly completed the password change sequence.

    The password change feature, required after performing a Forgot your Password? sequence, can be confusing when autocomplete pre-fills the Old Password field. The correct password to enter is the temp password received in the email.
