Locking of Users and password reset

It is impossible to brute force authentication on the login screen, because after 'maxInvalidPasswordAttempts' failed attempts the user's account is locked, and until that account is unlocked in the Users section no login attempt will succeed.

Password reset on login screen

When you submit the password reset form, an e-mail is sent to the user with a link. This link contains a random token for this user that is valid for 24 hours.

The allowPasswordReset setting is documented in the Umbraco Settings Security section, and the e-mail configuration settings in the Backoffice Login Password Reset section.

Password reset of a non-existing user

If the user specified in the form does not exist, no e-mail is sent and the form gives no indication that the user does not exist. This prevents leaking which users have an account.

Password reset of a locked user

If a user is locked out, it is still possible to do a password reset. After the link in the password reset e-mail is followed, the user remains locked out until they have specified a new password, at which point the account is unlocked automatically.
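The behaviour described in these sections (lockout after maxInvalidPasswordAttempts, a random reset token valid for 24 hours, an identical reply whether or not the user exists, and unlocking only once a new password has been set), as an added Python example that is not Umbraco's own code. The class and method names, the in-memory user store, the outbox list standing in for e-mail, and the lockout threshold of 5 are constructed for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_INVALID_PASSWORD_ATTEMPTS = 5           # plays the role of maxInvalidPasswordAttempts
RESET_TOKEN_LIFETIME = timedelta(hours=24)  # a reset link is valid for 24 hours
def _hash(value: str) -> str:   # SHA-256 stands in for a real password hash (PBKDF2/Argon2)
    return hashlib.sha256(value.encode()).hexdigest()

@dataclass
class User:
    password_hash: str
    failed_attempts: int = 0
    locked_out: bool = False
    reset_token_hash: Optional[str] = None       # only the hash of the token is stored
    reset_token_expires: Optional[datetime] = None

class BackofficeAuth:
    def __init__(self, passwords: dict):
        self.users = {name: User(_hash(pw)) for name, pw in passwords.items()}  # constructed user store
        self.sent_mail = []     # constructed outbox of (username, token) pairs instead of real e-mail

    def login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None or user.locked_out:
            return False        # a locked account stays locked until it is unlocked in the Users section
        ok = hmac.compare_digest(user.password_hash, _hash(password))
        user.failed_attempts = 0 if ok else user.failed_attempts + 1
        user.locked_out = user.failed_attempts >= MAX_INVALID_PASSWORD_ATTEMPTS
        return ok

    def request_password_reset(self, username: str) -> str:
        user = self.users.get(username)
        if user is not None:    # an unknown user gets no e-mail but exactly the same reply
            token = secrets.token_urlsafe(32)
            user.reset_token_hash = _hash(token)
            user.reset_token_expires = datetime.now(timezone.utc) + RESET_TOKEN_LIFETIME
            self.sent_mail.append((username, token))
        return "If that user exists, a password reset e-mail has been sent."

    def complete_password_reset(self, username: str, token: str, new_password: str) -> bool:
        user = self.users.get(username)
        if user is None or user.reset_token_hash is None or datetime.now(timezone.utc) >= user.reset_token_expires:
            return False        # no outstanding token, or the link is older than 24 hours
        if not hmac.compare_digest(user.reset_token_hash, _hash(token)):
            return False        # following a wrong link does not unlock anything
        user.password_hash = _hash(new_password)
        # the new password clears the one-time token and unlocks the account
        user.failed_attempts, user.locked_out, user.reset_token_hash, user.reset_token_expires = 0, False, None, None
        return True
```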