The settings for Umbraco passwords are configurable in appsettings. There are two different configuration objects: one for Umbraco Members and one for Users.
For more information see the Security Settings documentation.
Umbraco backend users can reset their own password or, if they try too many times, have their account locked out.
To deactivate the User password reset, look at the Umbraco Settings Security section.
To configure password reset, see the Backoffice Login Password Reset section.
disableAlternativeTemplates: If set to false, this can be used to try to render pages in a way that they are not supposed to.
disableFindContentByIdPath: If set to false, this can be used to do an enumeration of the nodes in your website and find hidden pages.
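An added example (not from the Umbraco documentation): a small Python check that reads an appsettings file and reports which of the two settings above are not set to true. The section path Umbraco > CMS > WebRouting, the treatment of a missing key as false, and all function names are assumptions.

```python
import json

# Assumed location of the two settings inside appsettings (Umbraco > CMS > WebRouting).
SECTION_PATH = ("Umbraco", "CMS", "WebRouting")
# Risk text paraphrases the two setting descriptions above.
RISKS = {
    "disableAlternativeTemplates": "pages can be rendered in a way they are not supposed to",
    "disableFindContentByIdPath": "nodes can be enumerated and hidden pages found",
}

def _get_ci(obj, key):
    """Case-insensitive lookup, because .NET configuration keys ignore case."""
    if not isinstance(obj, dict):
        return None
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None

def _as_bool(value):
    """Accept JSON booleans and "true"/"false" strings; anything else,
    including a missing key, counts as False (assumed default)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False

def audit_web_routing(appsettings_text):
    """Return {setting: risk} for each flagged setting that is not true."""
    node = json.loads(appsettings_text)
    for part in SECTION_PATH:
        node = _get_ci(node, part)
    return {name: risk for name, risk in RISKS.items()
            if not _as_bool(_get_ci(node, name))}

# Constructed sample input, not taken from a real site: one setting hardened,
# the other left at false (written as a string, as an override might be).
SAMPLE = (
    '{"Umbraco": {"CMS": {"WebRouting": {'
    '"DisableAlternativeTemplates": true, '
    '"DisableFindContentByIdPath": "false"}}}}'
)

if __name__ == "__main__":
    for name, risk in audit_web_routing(SAMPLE).items():
        print(f"{name} is not true: {risk}")
```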
Umbraco Forms: AntiForgeryToken and DisableFormCaching