Disable forced backend password change in Magento 2.X
Hungersoft has been working extensively with Magento 2 since it was released. We have developed and launched many M2-based webshops and even developed some amazing extensions for Magento 2 that you can find here. We like the fact that Magento 2 is growing in market share with each passing day and is poised to become a leading e-commerce platform in the near future. We are also happy to see that it is getting more secure and feature-rich. It is not perfect yet, but it is indeed getting better and smoother. The Magento team has also added a lot of new security features that were lacking in Magento 1. These features are not limited to the architecture and code base but also extend to the front-end and back-office level.
But as they say, security and convenience do not always go hand in hand. During all our M2 webshop and extension development projects, our team members had to log in to and out of the Magento back-office frequently. One thing that annoyed all of us initially was that the M2 system forced each back-office user to change their password regularly. The system also remembers your old passwords, so you can never use the same one again. This means that you now have to create and remember new and different passwords frequently.
This can become a minor mess over time as you keep changing to new passwords and then one day forget what the latest one was. While we fully agree with and understand the security reason behind this, we believe that simply changing a password does not make it more secure. It can, however, make it riskier, as users will tend to write their passwords down somewhere, which can be unsafe.
Did this 'forced password change feature in Magento 2.x' ever annoy you? If you have worked with a Magento 2 back-office for more than 3 months, then we are sure it has bothered you at least once by now. There is a quick and easy way to disable this annoying feature. Yes, you can do it easily from the Magento back-office. This can save you some time and brain cells that can be used for doing greater things.
To disable or adjust this annoying security feature, you need to log in to your Magento 2.x back-office and go to Stores > Settings > Configuration > Advanced > Admin > Security. Once this section loads, scroll down, and at the bottom you will see 2 fields: Password Lifetime (days) and Password Change.

 
In the Password Lifetime (days) field, you can set the number of days a user account's password can be used before it expires. The default value is 90 days, i.e. by default the system will ask all users to change their password every 3 months. You can change the value to a higher or lower number of days, or you can leave it blank. Leaving it blank will disable this feature.
In the Password Change field, you have 2 options in the form of a drop-down. Option 1 is 'Forced', which forces the users to change their password before it expires. If you select this option, the users have to change their password periodically or they cannot continue to use the back-office. Option 2 is 'Recommended', which does not force the users to change their password but advises them to instead. They can then choose to change it or keep it the same.
We suggest that you try out these settings and see which works best for you and the other back-office users. We do not recommend fully disabling it, at least not in live/production webshops.
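A pre-deployment check for the two settings described above, as an added example that is not Hungersoft's or Magento's own code: it fails when password expiry is switched off on a production shop. It assumes the Magento 2.2+ command line (config:show) and the config paths admin/security/password_lifetime and admin/security/password_is_forced; the function name and the sample values are made up for illustration.

```shell
#!/bin/sh
# Added example, not Hungersoft's or Magento's code.
# Assumed config paths behind the two admin fields:
#   admin/security/password_lifetime   -> Password Lifetime (days)
#   admin/security/password_is_forced  -> Password Change (1 = Forced, 0 = Recommended)

# check_password_policy MODE LIFETIME FORCED   (hypothetical helper)
# Prints one finding line. Returns 0 = acceptable, 1 = expiry disabled on
# a production shop, 2 = a value could not be interpreted.
check_password_policy() {
    mode=$1; lifetime=$2; forced=$3

    case "$lifetime" in
        ''|0)  # blank disables expiry; 0 is treated the same here (assumption)
            if [ "$mode" = "production" ]; then
                echo "FAIL: password expiry is disabled on a production shop"
                return 1
            fi
            echo "OK: password expiry is disabled (non-production)"
            return 0 ;;
        *[!0-9]*)
            echo "ERROR: lifetime '$lifetime' is not a whole number of days"
            return 2 ;;
    esac

    case "$forced" in
        1) echo "OK: change forced every $lifetime days" ;;
        0) echo "OK: change recommended every $lifetime days (users may decline)" ;;
        *) echo "ERROR: unexpected Password Change value '$forced'"; return 2 ;;
    esac
    return 0
}

# On a real installation the inputs would come from the CLI, for example:
#   lifetime=$(bin/magento config:show admin/security/password_lifetime)
#   forced=$(bin/magento config:show admin/security/password_is_forced)
#   check_password_policy production "$lifetime" "$forced"

# Constructed sample values so the script runs without a Magento install.
check_password_policy production 90 1
check_password_policy developer "" 1
check_password_policy production "" 1 || echo "exit status: $?"
```

Run as a deployment step, a non-zero return stops the release before a shop goes live with expiry turned off.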
Feel free to contact Hungersoft if you need any assistance with your Magento 2.X webshop. We can guide you even with big tasks as well as small details.