CMS 10.6 Configuring Password Rules


Prerequisites: CMS 10.6 must be installed. See CMS Statistics to check your version.

System administrators can stengthen user account passwords by setting rules in the Ingeniux CMS 10.6 local-membership.config file.

Configuration differs by CMS site version. Follow the steps for your version.

CMS 10.6.492 Steps

To configure user account password rules in CMS 10.6.492local-membership.config:
  1. Navigate to the local-membership.config file in your CMS site [Drive:]\[path-to-cms-site-instance] folder.
  2. Open local-membership.config in a text editor.
    CMS 10.6.492 local-membership.config example
    <?xml version="1.0" encoding="utf-8"?>
    <membership defaultProvider="IngeniuxMembershipProvider">
        <providers>
            <clear />
            <!-- ... -->
            <add name="IngeniuxMembershipProvider" type="RavenDBMembership.Provider.RavenDBMembershipProvider" connectionStringName="IGXDBConnectionString"
            applicationName="IngeniuxCMS" enablePasswordReset="true" passwordFormat="Hashed" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
            minRequiredNonAlphanumericCharacters="0" minRequiredPasswordLength="5" requiresPasswordExcludesUserInfo="false" requiresPasswordExcludesUserName="false"
            requiresPasswordExcludesDisplayName="false" minRequiredCapitalLetters="0" minRequiredNumbers="0" allowForgotPassword="true"
            requireSSLForPasswordReset="false" passwordResetTokenExpiryMinutes="15" />
            <!---->
          </providers>
    </membership>
  3. Navigate to the <add> element with the @name="IngeniuxMembershipProvider" attribute value and configure the following attributes:
    AttributeDescription
    @enablePasswordResetDetermine whether CMS administrators can reset user account passwords. Default: true.
    @minRequiredNonAlphanumericCharactersEnter the minimum number of non-alphanumeric characters required in passwords. Default: 0.
    @minRequiredPasswordLengthEnter the minimum required password length in characters. Default: 5.
    @minRequiredCapitalLetters

    Enter the minimum number of capital letters required in passwords. Default: 0.

    @minRequiredNumbersEnter the minimum number of numerals required in passwords. Default: 0.
    @passwordResetTokenExpiryMinutes

    Enter how long in minutes the reset token remains valid before it expires. Default: 15.

    @allowForgotPasswordDetermine whether CMS users can reset their own passwords. If true, users can use the self-service reset option. If false, only administrators can reset them. Default: true.
    @requireSSLForPasswordReset

    Determine whether password reset emails require Secure Sockets Layer (SSL) encryption. If your SMTP server does not require SSL, set this setting to false. Default: true (strongly recommend).

  4. Save your changes to local-membership.config.
  5. Recycle the CMS instance application pool:
    1. Open Internet Information Services Manager (IIS) and navigate to the CMS instance's application pool.
    2. Right-click the application pool, and click Recycle.
      The CMS instance recycles.

CMS 10.6.308–10.6.378 Steps

To configure user account password rules in CMS 10.6.308–10.6.378 local-membership.config:
  1. Navigate to the local-membership.config file in your CMS site [Drive:]\[path-to-cms-site-instance] folder.
  2. Open local-membership.config in a text editor.
    CMS 10.6.308–10.6.378 local-membership.config example
    <?xml version="1.0" encoding="utf-8"?>
    <membership defaultProvider="IngeniuxMembershipProvider">
        <providers>
            <clear/>
            <!-- ... -->
            <add name="IngeniuxMembershipProvider"
                type="RavenDBMembership.Provider.RavenDBMembershipProvider"
                connectionStringName="IGXDBConnectionString" applicationName="IngeniuxCMS"
                enablePasswordRetrieval="true" enablePasswordReset="true"
                requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
                minRequiredNonAlphanumericCharacters="0" minRequiredPasswordLength="5"
                requiresPasswordExcludesUserInfo="false" requiresPasswordExcludesUserName="false"
                requiresPasswordExcludesDisplayName="false" minRequiredCapitalLetters="0"
                minRequiredNumbers="0" passwordFormat="Encrypted" maxInvalidPasswordAttempts="50000"
                passwordAttemptWindow="10"/>
            <!---->
        </providers>
    </membership>
  3. Navigate to the <add> element with the @name="IngeniuxMembershipProvider" attribute value and configure the following attributes:
    AttributeDescription
    @enablePasswordRetrievalDetermine whether CMS users can retrieve their own passwords. If true, users can use the self-service retrieval option. If false, only administrators can reset them. Default: true.
    @requiresQuestionAndAnswerDetermine whether the CMS requires users to correctly answer a security question before retrieving their own passwords.
    @enablePasswordResetDetermine whether CMS administrators can reset user account passwords. Default: true.
    @minRequiredNonAlphanumericCharactersEnter the minimum number of non-alphanumeric characters required in passwords. Default: 0.
    @minRequiredPasswordLengthEnter the minimum required password length in characters. Default: 5.
    @minRequiredCapitalLettersEnter the minimum number of capital letters required in passwords. Default: 0.
    @minRequiredNumbersEnter the minimum number of numerals required in passwords. Default: 0.
    @maxInvalidPasswordAttemptsEnter the maximum number of password attempts allowed before the CMS locks users out of their accounts. Default: 50000.

    Locked-out users can contact administrators for password reset assistance.

    @passwordStrengthRegularExpressionEnter a regular expression (regex) string for password requirements.

    Example:

    (?=(.*[0-9]){2,})(?=(.*[#$@!%&*?]){2,})(?=(.*[A-Z]){2,}).{8,}

    This example requires passwords to have at least eight characters, including two or more capital letters, numbers, and special characters.

    Important
    This regex setting overrides all other password complexity settings.

  4. Save your changes to local-membership.config.
  5. Recycle the CMS instance application pool:
    1. Open Internet Information Services Manager (IIS) and navigate to the CMS instance's application pool.
    2. Right-click the application pool, and click Recycle.
      The CMS instance recycles.