Manage passwords

Optimizely Configured Commerce provides several ways to manage user passwords.

Passwords must meet the configured password settings. To view or change these settings, go to Administration > Settings > Account Management.

Forgot password

Users receive a link to reset their password when they click Forgot Password, which guides them through a typical workflow. Console users can reset website user passwords, and both console and website users can update their passwords independently.

By default, the Reset Password link expires after two days. To change this setting, go to Administration > Settings and edit the Emailed Password Link Valid For Days setting for Console Security or Website Security.

You can also update the message website users see when they reset their password after clicking the email link.

  1. Go to View Website and turn on the editor.
  2. Select the website.
  3. Go to the content or page tree and select the Reset Password (Spire) or Expired Reset Password Link (Classic) page.
  4. Click the Edit icon. 
  5. Edit the content as desired.
  6. Save and publish.

Console user

When a console user forgets their password, they can click Forgot Password on the Admin Console's sign-in page.

A dialog displays for them to enter their Username.

When they click Send Email, the system sends an email with a link to reset the password. The user can click Reset Password in the email, enter a new password, confirm it, and click Reset Password. The system redirects them to the sign-in page where they can use the updated password.

If they click an expired link, they are prompted to click Forgot Password and follow the process again.

Website user

When a website user forgets their password, they can click Forgot Password on the storefront's sign-in page.

A dialog displays for them to enter their Username.

When they click Send Email, the system sends an email with a link to reset the password. The user can click Reset Password in the email, enter a new password, confirm it, and click Reset Password. The system redirects them to the sign-in page where they can use the updated password.

If they click an expired link, they are prompted to click Forgot Password and follow the process again.

Update a password

In the interest of application security, users are encouraged to change their console or website password periodically.

Console user

  1. Log in to the Admin Console.
  2. Click your User Profile link in the upper right corner of the page.
  3. Click Change Password under Settings.

  4. Follow the password requirements to enter your new password and confirm it.

  5. Click Change Password. A message displays confirming the password was successfully changed.

Website user

  1. To change your Website user password, log in to the Configured Commerce site.
  2. Hover over My Account, and select Account Settings.
  3. Click Change Password.
  4. Enter the Current Password, New Password, and Confirm New Password.

  5. Click Change Password. The next time you log in, you will need to do so using the new password.

Reset a user's password

An ISC_Admin can reset passwords for console and website users. An ISC_User can reset website user passwords.

Console user

  1. Go to Admin Console > Administration > Console Users.
  2. Click Edit for the user whose password needs to be reset.
  3. Click More (...) and select Reset Password.

  4. Select Send Email in the modal to invalidate the user's current password and send them an email to reset their password.

Configured Commerce sends the user an email with instructions to reset their password.

Website user

Website Administrators do not have access to the Admin Console, so website users must contact your customer service department to have their user passwords reset.

  1. Go to Admin Console > Administration > Website Users.
  2. Click Edit for the user whose password needs to be reset.
  3. Click More (...) and select Reset Password.

  4. Select the website for the password reset, if the user has access to multiple.
  5. Select Send Email in the modal to invalidate the user's current password and send them an email to reset their password.

Configured Commerce sends the user an email with instructions to reset their password.

Timeout and lockout settings

Optimizely Configured Commerce offers several options to control the specifics of timeouts and lockouts. These settings are located in the Admin Console: Administration > Settings.

Timeout settings

Search for Site Timeout Minutes to adjust the timeout period for website users. Enter the number of minutes of user inactivity after which they are signed out and must sign back in. (Requires a website restart.) Default value: 15

In the Admin Console, users receive a notification after 12 minutes of inactivity. After 15 minutes, they are logged out and redirected to the login page. When they sign in again, they return to where they left off.

You cannot modify the timeout period for Admin users due to PCI compliance implications.

PA-DSS compliance

PA-DSS requires a timeout of 20 minutes or less. If you accept credit card transactions, you should not override this setting in the Admin Console. Because some clients do not take credit cards as payment and rely on purchase orders, it may be necessary to adjust the timeout settings. However, changing timeout settings could cause a site or environment to fall out of compliance with security standards such as PA-DSS.

Lockout settings

Search for Lockout Time in Minutes. By default, this setting is enabled for both Console Security and Website Security to lock out users who fail to log in successfully after a certain number of attempts.

You can set the Max Failed Attempts Before Lockout and Lockout Time in Minutes. By default, users who make five sequential failed login attempts are locked out for ten minutes. Afterward, the user has five more attempts to log in. If those fail, the user is locked out for ten minutes again. This cycle repeats until they successfully log in.
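The lockout cycle described above, modelled as an added example (not Optimizely's code) to show how many password checks a given pair of settings allows against one account in a time window. It assumes that attempts made during a lockout are rejected without extending it and that the failure counter starts over when the lockout ends; the class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    """The two settings named above, with the documented defaults."""
    max_failed_attempts: int = 5   # Max Failed Attempts Before Lockout
    lockout_minutes: int = 10      # Lockout Time in Minutes

class Account:
    """Hypothetical model of one user's lockout state (not product code)."""
    def __init__(self, policy):
        self.policy = policy
        self.failed = 0            # sequential failures since last success or lockout
        self.locked_until = None   # minute at which the current lockout ends

    def attempt(self, minute, password_ok):
        """Return 'locked', 'ok' or 'failed' for a sign-in attempt at `minute`."""
        if self.locked_until is not None:
            if minute < self.locked_until:
                return "locked"        # assumption: rejected, lockout not extended
            self.locked_until = None   # lockout elapsed: a fresh set of attempts
            self.failed = 0
        if password_ok:
            self.failed = 0            # a successful sign-in breaks the sequence
            return "ok"
        self.failed += 1
        if self.failed >= self.policy.max_failed_attempts:
            self.locked_until = minute + self.policy.lockout_minutes
        return "failed"

def checked_guesses(policy, window_minutes, attempts_per_minute=1):
    """Count wrong passwords actually evaluated for one account in the window."""
    acct = Account(policy)
    evaluated = 0
    for minute in range(window_minutes):
        for _ in range(attempts_per_minute):
            if acct.attempt(minute, password_ok=False) == "failed":
                evaluated += 1
    return evaluated

if __name__ == "__main__":
    day = 24 * 60
    print("defaults (5 / 10 min):", checked_guesses(LockoutPolicy(), day, 10))
    print("stricter (3 / 30 min):", checked_guesses(LockoutPolicy(3, 30), day, 10))
```

Under these assumptions the defaults cap evaluated guesses at 720 per account per day regardless of request rate, which is the figure to weigh against your password-complexity settings when changing either value.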

Password expiration

Passwords for website users do not expire. The password expires after 90 days for users with the roles ISC_Admin, ISC_System, or ISC_Integration. This expiration is set in the code and is not configurable.