\label{Domain_Configuration_Passwords}
For user accounts in LON-CAPA for which the authentication type is set to internal, domain settings are available for: (a) User reset of a forgotten password; (b) Encryption used to store passwords; (c) Rules for password length, complexity and reuse; (d) Course Owner changes to passwords of enrolled students.

\textbf{Resetting Forgotten Password}

Users have been able to reset a forgotten password since LON-CAPA 2.3, by entering username, domain and e-mail address in a web form reached via the ``Forgot Password?'' link on the log-in page. If the information submitted via the web form matches that stored in LON-CAPA for that user (and the user's authentication type is ``internal''), then an e-mail is sent to the user's e-mail address, containing a time-limited link. Following the link displays a second web form, in which the user enters e-mail address, username, and a new password.

Starting with LON-CAPA 2.11.3 this procedure can be customized in the following ways:

\begin{itemize}
\item Type of Captcha (for robot suppression) to use with the initial web form.
\item Expiration time of the time-limited link in the generated e-mail.
\item Whether checking of username and/or e-mail address is case-sensitive.
\item Whether just username, or just e-mail address, or both are submitted in the first form.
\item Whether information besides the new password is required in the second form.
\item Which e-mail address(es) stored for a user in LON-CAPA may be used in the password reset.
\item Whether custom text should be used as a preamble for the initial web form.
\end{itemize}

If ``Institutional Types'' (e.g., faculty, student etc.) have been defined for a domain then some of the customizations can be made dependent on a user's institutional type.

\textbf{Encryption of Stored Passwords}

\begin{itemize}
\item \textit{Encryption cost for bcrypt} (positive integer).
Starting with 2.11.2, bcrypt is used to encrypt the password for an internally authenticated user. The complexity of the encryption is determined by the bcrypt cost value. A higher value means more complexity (and more time to validate a user's password). The cost needs to be a positive integer. If no value is set in a domain, a default of 10 will be used.

\item \textit{Check bcrypt cost if authenticated}. When an internally authenticated user logs in and the credentials are validated, the bcrypt cost used for the original encryption can be compared with the current domain default. If the cost for the stored encryption is less than the current domain setting, there are two options: either allow login and update the stored encryption using the higher cost, or disallow login. The default is not to compare the original cost with the current domain setting.

\item \textit{Existing crypt-based switched to bcrypt if authenticated}. When an internally authenticated user logs in and the credentials are validated, if the stored credentials are currently encrypted with crypt, there is an option to update the stored encryption to use bcrypt, with or without backing up the existing passwd file to a passwd.bak file. The default is not to update the stored passwd file, so existing users who have crypt-based stored passwords will continue to do so until such time as they change their password.
\end{itemize}

\textbf{Rules for LON-CAPA Passwords}

Starting with LON-CAPA 2.11.3 requirements can be set for password length, whether special characters or mixed case are required, and how many (if any) previous passwords to save for a user (disallow reuse).
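The post-login checks described under ``Encryption of Stored Passwords'' can be sketched as decision logic. This is an added example, not LON-CAPA code: the option names and the assumed stored formats (a standard bcrypt string and a 13-character crypt string) are hypothetical, as are the constructed sample values.

```python
import re

# Assumed storage formats (not taken from the LON-CAPA source):
# standard bcrypt string "$2b$<2-digit cost>$<53 chars>" and 13-char DES crypt(3).
BCRYPT = re.compile(r"\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}")
DES_CRYPT = re.compile(r"[./A-Za-z0-9]{13}")

def classify(stored):
    """Return ("bcrypt", cost), ("crypt", None) or ("unknown", None)."""
    m = BCRYPT.fullmatch(stored)
    if m:
        return "bcrypt", int(m.group(1))
    if DES_CRYPT.fullmatch(stored):
        return "crypt", None
    return "unknown", None

def post_login_action(stored, domain_cost=10, cost_check="none", crypt_to_bcrypt="no"):
    """Decide what happens after the password itself has been validated.

    cost_check:      "none" (default) | "update" | "deny"
    crypt_to_bcrypt: "no" (default) | "yes" | "yes_with_backup"
    (hypothetical option names). Returns (allow_login, action).
    """
    scheme, cost = classify(stored)
    if scheme == "bcrypt":
        if cost_check == "none" or cost >= domain_cost:
            return True, "keep"
        if cost_check == "update":
            # Each cost step doubles bcrypt's work: 2**(new - old) times slower.
            return True, f"rehash at cost {domain_cost}"
        return False, "deny: stored cost below domain setting"
    if scheme == "crypt":
        if crypt_to_bcrypt == "no":
            return True, "keep"
        backup = ", passwd backed up to passwd.bak" if crypt_to_bcrypt == "yes_with_backup" else ""
        return True, f"rehash with bcrypt at cost {domain_cost}{backup}"
    return False, "deny: unrecognised format"  # assumption: fail closed

# Constructed sample values (format-valid filler, not real hashes).
OLD_BCRYPT = "$2b$08$" + "A" * 53
CUR_BCRYPT = "$2b$12$" + "B" * 53
OLD_CRYPT = "ab" + "C" * 11

if __name__ == "__main__":
    for name, stored in [("old bcrypt", OLD_BCRYPT), ("current bcrypt", CUR_BCRYPT), ("crypt", OLD_CRYPT)]:
        print(name, post_login_action(stored, 12, "update", "yes_with_backup"))
```

The upgrade is tied to a successful login because that is the only moment the cleartext password is available to be hashed again at the new cost.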
\textbf{Course Owner Changing Student Passwords}

Starting with LON-CAPA 2.11.3 a domain can be configured to allow a course owner to change a student's password, if the following conditions are met:

\begin{itemize}
\item same domain is used by owner, course, and student,
\item student has no active or future roles besides student role in courses owned by the course owner making the change,
\item course container is not a Community,
\item owner is course coordinator in the course,
\item setting to disable this action has not been set for the specific course.
\end{itemize}

If ``Institutional Types'' (e.g., faculty, staff, student etc.) have been defined for a domain then which course owners may change student passwords can be restricted to specific types. In addition, which students may have their passwords changed can also be restricted to specific types. The default is to not allow course owners to change a student's password.