Defining Storefront Password Policy

The Store administrator can set up a password policy for a store. The policy covers password composition, lockout, history and expiration. The lockout, history and expiration policies are enforced in the Storefront Login page, where the customer is asked to enter a password in order to log in to the application. The password composition rules are enforced only when registering or updating the password.

To define the Storefront password policy:

1.       In the Store Setup page, select the Permissions tab.

2.       In the Password Policy section, under Password expires, define the password expiry:

      Select Never if you do not want to enforce periodic password renewal.

      Select After ... days if you want to enforce periodic password renewal, and enter the number of days after which the login password will expire.

3.       Select the Enforce password format checkbox to determine rules for password composition:

      Minimum characters: Enter the minimum number of characters allowed in a password.

      Maximum characters: Enter the maximum number of characters allowed in a password.

      Minimum Lower Case characters: Enter the minimum number of lower case characters required in a password. This setting is valid for Latin characters only.

      Minimum Upper Case characters: Enter the minimum number of upper case characters required in a password. This setting is valid for Latin characters only.

      Minimum Numeric Characters: Enter the minimum number of numeric characters required in a password.

      Minimum Non-Alpha Numeric Characters: Enter the minimum number of non-alphanumeric characters (for example, !@#$%^&*()) required in a password.

      No reuse of historical passwords for ... password renewals: Enter the number of password renewals during which the customer cannot reuse the password. For example, if you enter "3", the customer will not be able to use his current password during the next three password renewals.

      Password must not contain user name or email: Select this checkbox if you want to block passwords containing the user name or email. Neither an entire email address nor parts of it (for example, only the person name or the company name) are accepted. This ensures higher password security.

4.       Select the Enforce account lockout checkbox to lock out an account when someone tries to log on unsuccessfully several times in a row. Note that the account lockout is per user and not per user and store.

      Account locked after...invalid logon attempts: Enter the number of invalid logon attempts after which the account will be locked.

CAPTCHA will appear for the last sign-in attempt. For example, if you've defined the number of failed sign-in attempts that will cause a user account to be locked to be 5, CAPTCHA will appear on the 5th attempt.

      Lockout counter reset: ...minutes after last logon attempt: Enter the number of minutes after which the locked account will be unlocked.

Once the account is locked, the Store administrator can manually unlock the user, by clearing the User is locked out checkbox in the User Setup page.

If you do not enter a value into one of the Password Policy text boxes, the empty policy will not be enforced during the password validation process.
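
The composition rules from step 3 can be mirrored in a script, for example to pre-check passwords before a bulk user import. The following is an added illustration, not the product's own code: it shows the Latin-only counting, the user name and email check, and the skipping of rules whose text box is empty. The `POLICY` keys, the function names, the way the email is split into parts and the 4-character minimum for a part are all assumptions.

```python
import re
import string

# Hypothetical policy record; keys mirror the Password Policy fields.
# None stands for a text box left empty, which is not enforced.
POLICY = {
    "min_chars": 10, "max_chars": 64,
    "min_lower": 1, "min_upper": 1,
    "min_numeric": 1, "min_non_alnum": None,
    "block_identity": True,
}

def identity_parts(user_name, email):
    """User name, whole email, and email parts (assumed split on @ . _ - +)."""
    parts = {user_name.lower(), email.lower()}
    parts.update(re.split(r"[@._\-+]", email.lower()))
    # Assumption: fragments under 4 characters ("com", initials) are ignored.
    return {p for p in parts if len(p) >= 4}

def violations(password, user_name, email, policy=POLICY):
    """Return the names of the composition rules the password breaks."""
    counts = {
        # Case rules count Latin (ASCII) letters only, as the policy states.
        "min_lower": sum(c in string.ascii_lowercase for c in password),
        "min_upper": sum(c in string.ascii_uppercase for c in password),
        "min_numeric": sum(c in string.digits for c in password),
        "min_non_alnum": sum(not c.isalnum() for c in password),
    }
    failed = []
    if policy.get("min_chars") is not None and len(password) < policy["min_chars"]:
        failed.append("min_chars")
    if policy.get("max_chars") is not None and len(password) > policy["max_chars"]:
        failed.append("max_chars")
    for rule, count in counts.items():
        if policy.get(rule) is not None and count < policy[rule]:
            failed.append(rule)
    if policy.get("block_identity"):
        lowered = password.lower()
        if any(part in lowered for part in identity_parts(user_name, email)):
            failed.append("block_identity")
    return failed
```

The history, expiration and lockout settings depend on stored state (previous password hashes, timestamps, failed-attempt counters) and are not modelled here.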