Magento Open Source 2.2.x
Password Options

The customer password options control the level of security used for password reset requests, and determine the email templates used for customer notification and the lifetime of the password recovery link. You can allow customers to change their own passwords, or require that only store administrators can do so.

To configure customer password options:

1. On the Admin sidebar, tap Stores. Then under Settings, choose Configuration.
2. In the panel on the left under Customers, choose Customer Configuration. Then, expand the Password Options section.
3. Set Password Reset Protection Type to the method you want to use for managing password reset requests:
  • By IP and Email

    The password can be reset online after a response is received from a reset notification sent to the email address associated with the Admin account.

  • By IP

    The password can be reset online without additional confirmation.

  • By Email

    The password can be reset only by responding to an email notification that is sent to the email address associated with the Admin account.

  • None

    The password can be reset only by the store administrator.

4. To limit the number of password reset requests sent per hour, do the following:
a. In the Max Number of Password Reset Requests field, enter the maximum number of password reset requests that can be sent per hour.
b. In the Min Time Between Password Reset Requests field, enter the minimum number of minutes that must elapse between requests.
5. To configure the password reset email notification, do the following:
a. Set Forgot Email Template to the template that is used for the email sent to customers who have forgotten their passwords.
b. Set Remind Email Template to the template that is used when a password hint is sent to customers.
c. Set Reset Password Template to the template that is used when customers change their passwords.
d. Set Password Template Email Sender to the store contact that appears as the sender of password-related notifications.
6. Complete the following password reset security options:
a. In the Recovery Link Expiration Period (hours) field, enter the number of hours before the password recovery link expires.
b. In the Number of Required Character Classes field, enter the number of different character types that must be included in a password, based on the following character classes:
  • Lowercase
  • Uppercase
  • Numeric
  • Special Characters
c. In the Maximum Login Failures to Lockout Account field, enter the number of failed login attempts until the Admin account is locked. For unlimited attempts, enter zero (0).
d. In the Minimum Password Length field, enter the minimum number of characters that can be used in a password. The number must be greater than zero.
e. In the Lockout Time (minutes) field, enter the number of minutes an Admin account is locked after too many failed attempts to log in.
7. When complete, tap Save Config.
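
The two limits in step 4 work together: the minimum time between requests spaces them out, and the hourly maximum caps the total. The following added example (not Magento's code) models that interaction so you can sanity-check values before saving them. The sliding one-hour window, the IP-plus-email key, the rule that rejected requests are not counted, and all names in the code are assumptions made for illustration.

```python
from collections import defaultdict, deque

HOUR = 3600  # seconds


class ResetRequestThrottle:
    """Simplified model of the two step-4 limits (hypothetical, not Magento's implementation)."""

    def __init__(self, max_per_hour, min_minutes_between):
        self.max_per_hour = max_per_hour
        self.min_gap = min_minutes_between * 60
        self._accepted = defaultdict(deque)  # requester key -> times of accepted requests

    def allow(self, key, now):
        """Decide one reset request from `key` at time `now` (seconds); return (allowed, reason)."""
        sent = self._accepted[key]
        # Forget accepted requests that have left the one-hour window.
        while sent and now - sent[0] >= HOUR:
            sent.popleft()
        # Min Time Between Password Reset Requests
        if sent and now - sent[-1] < self.min_gap:
            return False, "min_time_between"
        # Max Number of Password Reset Requests (per hour)
        if len(sent) >= self.max_per_hour:
            return False, "max_per_hour"
        sent.append(now)  # assumption: only accepted requests count toward the limits
        return True, "ok"


def replay(throttle, events):
    """Run (minute, key) events through the throttle and return the reason for each."""
    return [throttle.allow(key, minute * 60)[1] for minute, key in events]


# Constructed sample data: one requester, keyed by IP and email (assumed key),
# asking for a reset link at the given minute offsets.
KEY = ("203.0.113.7", "shopper@example.com")
EVENTS = [(m, KEY) for m in (0, 5, 10, 20, 25, 30, 40, 61, 71)]

if __name__ == "__main__":
    # Candidate settings: at most 3 requests per hour, at least 10 minutes apart.
    results = replay(ResetRequestThrottle(3, 10), EVENTS)
    for (minute, _), reason in zip(EVENTS, results):
        print(f"t+{minute:>2} min: {reason}")
```

With these sample values the third accepted request uses up the hourly allowance at minute 20, so later requests are refused until the first accepted request ages out of the window.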