CMS 10.6 Configuring Password Rules
System administrators can stengthen user account passwords by setting rules in the Ingeniux CMS 10.6 local-membership.config file.
Configuration differs by CMS site version. Follow the steps for your version.
CMS 10.6.492 Steps
- Navigate to the local-membership.config file in your CMS site [Drive:]\[path-to-cms-site-instance] folder.
- Open local-membership.config in a text editor.
<?xml version="1.0" encoding="utf-8"?> <membership defaultProvider="IngeniuxMembershipProvider"> <providers> <clear /> <!-- ... --> <add name="IngeniuxMembershipProvider" type="RavenDBMembership.Provider.RavenDBMembershipProvider" connectionStringName="IGXDBConnectionString" applicationName="IngeniuxCMS" enablePasswordReset="true" passwordFormat="Hashed" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" minRequiredNonAlphanumericCharacters="0" minRequiredPasswordLength="5" requiresPasswordExcludesUserInfo="false" requiresPasswordExcludesUserName="false" requiresPasswordExcludesDisplayName="false" minRequiredCapitalLetters="0" minRequiredNumbers="0" allowForgotPassword="true" requireSSLForPasswordReset="false" passwordResetTokenExpiryMinutes="15" /> <!----> </providers> </membership> - Navigate to the
<add>element with the@name="IngeniuxMembershipProvider"attribute value and configure the following attributes:Attribute Description @enablePasswordResetDetermine whether CMS administrators can reset user account passwords. Default: true. @minRequiredNonAlphanumericCharactersEnter the minimum number of non-alphanumeric characters required in passwords. Default: 0. @minRequiredPasswordLengthEnter the minimum required password length in characters. Default: 5. @minRequiredCapitalLettersEnter the minimum number of capital letters required in passwords. Default: 0.
@minRequiredNumbersEnter the minimum number of numerals required in passwords. Default: 0. @passwordResetTokenExpiryMinutesEnter how long in minutes the reset token remains valid before it expires. Default: 15.
@allowForgotPasswordDetermine whether CMS users can reset their own passwords. If true, users can use the self-service reset option. If false, only administrators can reset them. Default: true. @requireSSLForPasswordResetDetermine whether password reset emails require Secure Sockets Layer (SSL) encryption. If your SMTP server does not require SSL, set this setting to false. Default: true (strongly recommend).
- Save your changes to local-membership.config.
- Recycle the CMS instance application pool:
- Open Internet Information Services Manager (IIS) and navigate to the CMS instance's application pool.
- Right-click the application pool, and click Recycle.The CMS instance recycles.
CMS 10.6.308–10.6.378 Steps
- Navigate to the local-membership.config file in your CMS site [Drive:]\[path-to-cms-site-instance] folder.
- Open local-membership.config in a text editor.
<?xml version="1.0" encoding="utf-8"?> <membership defaultProvider="IngeniuxMembershipProvider"> <providers> <clear/> <!-- ... --> <add name="IngeniuxMembershipProvider" type="RavenDBMembership.Provider.RavenDBMembershipProvider" connectionStringName="IGXDBConnectionString" applicationName="IngeniuxCMS" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" minRequiredNonAlphanumericCharacters="0" minRequiredPasswordLength="5" requiresPasswordExcludesUserInfo="false" requiresPasswordExcludesUserName="false" requiresPasswordExcludesDisplayName="false" minRequiredCapitalLetters="0" minRequiredNumbers="0" passwordFormat="Encrypted" maxInvalidPasswordAttempts="50000" passwordAttemptWindow="10"/> <!----> </providers> </membership> - Navigate to the
<add>element with the@name="IngeniuxMembershipProvider"attribute value and configure the following attributes:Attribute Description @enablePasswordRetrievalDetermine whether CMS users can retrieve their own passwords. If true, users can use the self-service retrieval option. If false, only administrators can reset them. Default: true. @requiresQuestionAndAnswerDetermine whether the CMS requires users to correctly answer a security question before retrieving their own passwords. @enablePasswordResetDetermine whether CMS administrators can reset user account passwords. Default: true. @minRequiredNonAlphanumericCharactersEnter the minimum number of non-alphanumeric characters required in passwords. Default: 0. @minRequiredPasswordLengthEnter the minimum required password length in characters. Default: 5. @minRequiredCapitalLettersEnter the minimum number of capital letters required in passwords. Default: 0. @minRequiredNumbersEnter the minimum number of numerals required in passwords. Default: 0. @maxInvalidPasswordAttemptsEnter the maximum number of password attempts allowed before the CMS locks users out of their accounts. Default: 50000. Locked-out users can contact administrators for password reset assistance.
@passwordStrengthRegularExpressionEnter a regular expression (regex) string for password requirements. Example:
(?=(.*[0-9]){2,})(?=(.*[#$@!%&*?]){2,})(?=(.*[A-Z]){2,}).{8,}
This example requires passwords to have at least eight characters, including two or more capital letters, numbers, and special characters.
ImportantThis regex setting overrides all other password complexity settings. - Save your changes to local-membership.config.
- Recycle the CMS instance application pool:
- Open Internet Information Services Manager (IIS) and navigate to the CMS instance's application pool.
- Right-click the application pool, and click Recycle.The CMS instance recycles.
Related Topics