Magento 2 – disable forced password change
In this post, I show how to disable the forced password change. This new feature should improve the security of your Magento 2 online shop, but for developers it is quite frustrating to have to change their password from time to time. On our development systems, we disable it.
First of all, you need to set a new password if you find yourself in front of this form: every adminhtml menu redirects you to it. You not only have to set a password, it also has to be a new one, because Magento 2 keeps track of your previously used passwords! If you try a previous one, you get this nice error message:
Stop annoying me!
On all of my development systems I set Stores -> Advanced -> Admin -> Password Change to “recommended” instead of forced. It is a good idea to change a password regularly, but for me this forced method is a bit too much. On development systems it is also completely unnecessary. If you want to maintain a high standard of security, you may prefer not to change this. Another possibility is to change the password lifetime from 90 days to a higher value.
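The same change can be made from the command line instead of the admin backend, which is handy when the admin form is already blocking you. The following is an added example, not code from the original post or from Magento itself. It prints the `bin/magento config:set` commands for the two settings discussed above, using Magento's real configuration paths `admin/security/password_is_forced` (0 = recommended, 1 = forced) and `admin/security/password_lifetime` (days). The function name and the guard that refuses to relax the policy when the target install's `MAGE_MODE` is `production` are this example's own choices, so that a script meant for development boxes cannot accidentally weaken a live shop.

```shell
#!/bin/sh
# Added example: emit the bin/magento commands that switch the admin password
# policy to "recommended" and set a longer lifetime, but only for non-production
# installs. Config paths are Magento's own; the function and the MAGE_MODE guard
# are assumptions of this example.

admin_password_policy_cmds() {
    mode="$1"        # MAGE_MODE of the target install: developer|default|production
    lifetime="$2"    # password lifetime in days, e.g. 90 (Magento's default) or 365
    case "$mode" in
        production)
            # Never relax the policy on a live shop; fail loudly instead.
            echo "refusing to relax admin password policy on a production install" >&2
            return 1
            ;;
        developer|default)
            # password_is_forced: 0 = recommended, 1 = forced (the default)
            echo "bin/magento config:set admin/security/password_is_forced 0"
            # password_lifetime: number of days before a password expires
            echo "bin/magento config:set admin/security/password_lifetime $lifetime"
            # config values are cached, so flush the config cache afterwards
            echo "bin/magento cache:clean config"
            ;;
        *)
            echo "unknown MAGE_MODE: $mode" >&2
            return 2
            ;;
    esac
}
```

Run it from the Magento root, review the printed commands, and pipe them into `sh` once you are satisfied, e.g. `admin_password_policy_cmds developer 365 | sh`. Passing `production` as the mode prints nothing to stdout and returns a non-zero status, so a deployment script that includes this step stops rather than silently weakening the live shop's policy.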
Conclusion
Magento 2 has many more security features than its older version. Security is always a good idea, but I think most of these features were invented to give shop owners a good feeling. Magento 1 had security problems and there are many security patches out there. But even if your password is very secure and you change it every week, a known security leak may be completely independent of this. If an attacker can manipulate files on your server or gets database access, no adminhtml password can prevent that.
Keep in mind that you also have to install security patches early and host your shop on a secured web server.
What do you think about this new feature? Pain or useful?