Password policy

Updated on 20-October-2016 at 10:16 AM


One of the key aspects of any online platform management system is maintaining the security of its user accounts. Business Catalyst uses modern encryption algorithms to store passwords. We also require that passwords:

  • Contain at least:
    • one lower-case letter (a/b/c...)
    • one capital letter (A/B/C...)
    • one number (1/2/3...)
    • one special character (!/^/#...)
  • Be 8 characters long.

A compliant password can look something like: aslSDH1542#@(). This dramatically decreases the chances of the password being guessed or easily decrypted.

Warning! Even the most secure system can't account for or keep track of the user's online behavior. That's why it's generally considered best practice to change your passwords every few months. If you own an online shop and process payments, you must change your password every 90 days. To this end, Business Catalyst displays a message warning users when their password becomes older than 90 days and recommending that it be changed.
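As an added illustration (not Business Catalyst code), the composition rules and the 90-day warning described above can be expressed as the check below. It assumes the 8-character rule is a minimum and that "special character" means any non-alphanumeric, non-whitespace character; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

MIN_LENGTH = 8                # assumption: the page's "8 characters" read as a minimum
MAX_AGE = timedelta(days=90)  # age after which the page says a warning is displayed


def unmet_requirements(password: str) -> list[str]:
    """Return the composition rules listed above that `password` fails."""
    checks = {
        "lower-case letter": any(c.islower() for c in password),
        "capital letter": any(c.isupper() for c in password),
        "number": any(c.isdigit() for c in password),
        # assumption: "special" means any non-alphanumeric, non-whitespace character
        "special character": any(
            not c.isalnum() and not c.isspace() for c in password
        ),
        f"at least {MIN_LENGTH} characters": len(password) >= MIN_LENGTH,
    }
    return [rule for rule, ok in checks.items() if not ok]


def rotation_warning_due(last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than 90 days."""
    return now - last_changed > MAX_AGE


if __name__ == "__main__":
    # Constructed sample inputs; the first is the sample password from the page.
    for candidate in ("aslSDH1542#@()", "password1", "Sh0rt!"):
        print(repr(candidate), unmet_requirements(candidate) or "meets policy")

    # Constructed dates: a password last changed 111 days before the check.
    changed = datetime(2016, 7, 1, tzinfo=timezone.utc)
    checked = datetime(2016, 10, 20, tzinfo=timezone.utc)
    print("warning due:", rotation_warning_due(changed, checked))
```

Returning the list of unmet rules, rather than a single pass/fail flag, lets a sign-up or reset form tell the user exactly which requirement is missing.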

Here are the various scenarios where passwords are set up and how to update them:

E-mail accounts

E-mail accounts can be added from Site Settings > E-mail Accounts.

You will receive a confirmation e-mail with a link to a page where you can create your new password.

Once the setup is complete, the password for an e-mail account can be changed either via the password reset workflow, where an e-mail similar to the activation one is delivered to the recovery account set up when the e-mail account was created, or from webmail directly, by accessing Settings > Password.

Admin Users

Added administrator accounts fall into one of two categories:

  • Existing e-mail accounts within the BC site
    • In this case the existing password is picked up and the account is merged. From that point on, updating the password affects both the webmail account and the admin user, as they are basically the same entity.

  • External/new e-mail addresses
    • In this case an e-mail is received with a URL where an admin password can be set, similar to the e-mail account creation process.

For both account types, the password recovery workflow can be triggered from the admin details page, and follows the same procedure as outlined above.

For admin accounts that are Adobe IDs, the password recovery link will point to an domain page where the following recovery form will be filled:

For admin accounts that are non-Adobe IDs, the password can also be changed from the "My Details" page.

An admin user who forgets their password can reset it from the login form by entering their e-mail address and triggering the recovery workflow.

In conclusion, Business Catalyst provides the tools and guidance to keep your accounts as secure as possible. Remember never to publicly expose your passwords, and never share your access credentials with anyone.