The Password Reset in Magento 2 feature forces the admin users to reset the password once in 90 days by default. Resetting the password frequently is indeed a good practice as it enhances the security of the site from being compromised due to attacks like brute force attacks. In production environment it is very much recommended to reset the administrator password frequently and hence do not disable this password reset feature in Magento 2 sites that are in production instance.
While it is recommended to reset the password frequently, this is a bit annoying to work with in the development environments. Especially development instances that are setup in local machine wouldn’t require to reset the password once in every 90 days. Developers would require to frequently switch between the frontend of the site and admin panel and login more frequently into the admin panel while performing the development work. Hence it would be better to disable this feature in the local development environment and below are the steps to configure the same.
Steps to Disable Admin Password Reset in Magento 2 Admin Panel:
- Login to the Magento 2 Admin Panel.
- Navigate to Stores -> Settings -> Configuration.
- Click open Advanced in the left menu and click on the Admin menu item in it.
- Click open the Security group and provide empty (no value) value in the Password Lifetime (days) field like show below
- Click on the Save Config button on the top right.
Steps to Disable in Magento 2 CLI:
Navigate to the document root of the Magento 2 instance and enter the following command:
php bin/magento config:set admin/security/password_lifetime 0
To adjust the password lifetime days:
php bin/magento config:set admin/security/password_lifetime 100
To configure Magento 2 to not force password change but only recommend the password change:
php bin/magento config:set admin/security/password_is_forced 0
Here 0 = Recommended and 1 = Forced password reset.
