Password Reset
This page describes the email-based password reset workflow in xAssets. Password reset allows database-authenticated users to regain access to their account without contacting an administrator, while also giving administrators a manual reset option when needed.
Note: Password reset applies only to database authentication. SSO and Windows Authentication users reset their passwords through their identity provider or Active Directory respectively.
Prerequisites
- A working SMTP email configuration in xAssets (for self-service reset)
- Users must have a valid email address on their Custodian record
- Administrator access to xAssets (for administrator-initiated resets)
Self-Service Password Reset (User Flow)
When a user forgets their password, they can reset it through the login page:
- On the xAssets login page, the user clicks the Forgot Password link (or similar).
- The user enters their username or email address.
- xAssets looks up the user's Custodian record and sends a password reset email to the address on file.
- The user opens the email and clicks the Reset Password link.
- The link opens a page where the user enters a new password.
- The new password must meet the password complexity requirements.
- Once a valid password is entered and confirmed, the password is updated and the user can log in.
Important: The reset link is time-limited. If the user does not click the link within the expiry window, they must request a new reset email.
Security of the Reset Process
| Feature | Description |
|---|---|
| Time-limited link | Reset links expire after a configured period. Expired links cannot be used. |
| Single use | Each reset link can only be used once. After the password is changed, the link is invalidated. |
| No account confirmation | If the username or email address does not match a user record, the system does not reveal this. The user sees a generic "If an account exists, a reset email has been sent" message. This prevents account enumeration. |
| Complexity enforced | The new password must meet all password complexity requirements. |
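The four properties in the table (time-limited, single-use, no account confirmation, complexity enforced), plus the expired-link outcome described later on this page, modelled as an added example that is not xAssets' own code. The 15-minute expiry, the complexity rule, the in-memory store and the audit event names are assumptions for illustration; the email lookup stands in for the Custodian record.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed expiry window; xAssets makes the period configurable
GENERIC_MESSAGE = "If an account exists, a reset email has been sent"

def meets_complexity(pw):
    # Stand-in rule (assumed): 12+ characters with upper, lower and digit.
    return (len(pw) >= 12 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))

class ResetService:
    def __init__(self, users_by_email, now=time.time):
        self.users = users_by_email  # email -> username; stands in for the Custodian lookup
        self.records = {}            # sha256(token) -> record; raw tokens are never stored
        self.outbox = []             # (email, token) pairs the mailer would send
        self.audit = []              # (event, subject) entries for security auditing
        self.now = now

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        username = self.users.get(email)
        if username is not None:  # unknown addresses get no email and the same reply
            token = secrets.token_urlsafe(32)
            self.records[self._key(token)] = {
                "username": username, "expires_at": self.now() + TOKEN_TTL_SECONDS, "used": False}
            self.outbox.append((email, token))
        self.audit.append(("reset_requested", email))
        return GENERIC_MESSAGE

    def redeem(self, token, new_password):
        rec = self.records.get(self._key(token))
        if rec is None:
            return "invalid"
        if rec["used"]:  # single use: a second redemption is an audit event
            self.audit.append(("link_reused", rec["username"]))
            return "already used"
        if self.now() > rec["expires_at"]:  # time-limited: no change, a new email is needed
            self.audit.append(("link_expired", rec["username"]))
            return "expired"
        if not meets_complexity(new_password):
            return "rejected"  # link stays valid so the user can try again
        rec["used"] = True  # invalidate before reporting success
        self.audit.append(("password_changed", rec["username"]))
        return "ok"
```

Storing only the hash of the token means a copy of the store does not yield usable links, and the generic reply is returned on the same path whether or not the address matched.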
Administrator-Initiated Password Reset
Administrators can reset a user's password directly:
- Navigate to Admin > Users.
- Find and open the user's record.
- Enter a new password in the Password field.
- Save the record.
- Communicate the new password to the user through a secure channel.
Tip: After an administrator sets a temporary password, ask the user to change it immediately on their next login. This ensures the administrator does not retain knowledge of the user's active password.
Configuring the Reset Email
The password reset email can be customised to match your organisation's branding and communication style.
Key elements of the reset email:
- Sender address -- uses the SMTP configuration in xAssets settings
- Subject line -- indicates a password reset request
- Body -- contains a brief message and the reset link
- Expiry notice -- informs the user how long the link remains valid
SMTP Configuration
For the self-service password reset to work, xAssets must be able to send email. Ensure the following are configured in Admin > Settings:
| Setting | Description |
|---|---|
| SMTP Server | The hostname or IP address of your mail server |
| SMTP Port | The port for SMTP connections (typically 25, 587 for STARTTLS, or 465 for implicit TLS) |
| SMTP Authentication | Username and password if your mail server requires authentication |
| Sender Email | The "From" address for system-generated emails |
If SMTP is not configured, the self-service reset option will not function and users must contact an administrator.
What Happens When the Reset Link Expires
If a user clicks an expired reset link:
- The system displays a message indicating the link has expired.
- The user is directed to request a new reset email.
- No password change occurs.
- The expiry is logged for security auditing.
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| User never receives reset email | SMTP not configured, email address invalid, or email caught by spam filter | Verify SMTP settings. Check the user's Custodian email address. Ask the user to check spam/junk folders. |
| Reset link shows "expired" | Too much time passed between requesting and clicking the link | Request a new reset email. |
| Reset link shows "already used" | The link was already used to reset the password | If the user did not use it, a security incident may have occurred. The administrator should reset the password manually and investigate. |
| New password rejected | Password does not meet complexity requirements | Enter a password that meets all requirements (see Password Complexity). |
| "Forgot Password" link not visible on login page | Feature may be disabled or not configured | Check xAssets settings for the password reset feature toggle. |
Security Recommendations
- Monitor reset requests. A sudden spike in password reset requests may indicate a credential stuffing attack or phishing campaign.
- Use MFA. Password reset restores access but does not protect against future compromises. Enable multi-factor authentication for an additional security layer.
- Educate users. Remind users that legitimate password reset emails come only from your configured sender address and are only sent when they request one.
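A minimal detector for the first recommendation (a spike in reset requests), added here as an example and not part of xAssets. The log lines are constructed in an assumed format, since the page does not show xAssets' own log layout; the window and threshold are placeholders to be set from your normal request volume. It counts requests overall and per source IP, so a burst against many different usernames from one address surfaces as well as a general spike.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format; xAssets' real log layout may differ.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z reset_requested user=alice ip=198.51.100.7
2024-05-01T09:30:12Z reset_requested user=bob ip=203.0.113.5
2024-05-01T09:30:15Z reset_requested user=carol ip=203.0.113.5
2024-05-01T09:30:19Z reset_requested user=dave ip=203.0.113.5
2024-05-01T09:30:22Z reset_requested user=erin ip=203.0.113.5
2024-05-01T09:30:27Z reset_requested user=frank ip=203.0.113.5
2024-05-01T09:30:40Z link_expired user=alice ip=198.51.100.7
2024-05-01T09:30:41Z reset_requested user=grace ip=203.0.113.5
"""

WINDOW = timedelta(minutes=5)
THRESHOLD = 5  # assumed baseline; set it from your own normal request volume

def parse(line):
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields

def find_spikes(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of reset_requested events, overall and per source IP.

    Returns one (timestamp, key, count) alert per key the first time its count
    within `window` reaches `threshold`; lines must be in time order.
    """
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for line in lines:
        ts, event, fields = parse(line)
        if event != "reset_requested":
            continue
        for key in ("all", "ip=" + fields.get("ip", "unknown")):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop events older than the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((ts, key, len(q)))
    return alerts

if __name__ == "__main__":
    for ts, key, n in find_spikes(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} spike: {n} reset requests in {WINDOW} ({key})")
```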
Related Articles
- Password Complexity -- requirements for new passwords
- Users -- managing user accounts and setting passwords
- Multi-factor Authentication -- adding MFA as an additional security layer
- Settings -- SMTP and password reset configuration
- User Logon History -- tracking login and reset activity