# Umbraco Security Settings

## Password settings

The settings for Umbraco passwords are configurable in appsettings. There are two separate configuration objects: one for Umbraco Members and one for Users.

For more information see the [Security Settings documentation](https://docs.umbraco.com/umbraco-cms/13.latest/configuration/securitysettings#user-password-settings).

## Password reset settings

Umbraco backend users can [reset their own password](https://docs.umbraco.com/umbraco-cms/13.latest/reference/security/password-reset), or, if they try too many times, have their account locked out.

To deactivate the User password reset, see the [Umbraco Settings Security](https://docs.umbraco.com/umbraco-cms/13.latest/configuration/securitysettings#allow-password-reset) section.

To configure password reset, see the [Backoffice Login Password Reset](https://docs.umbraco.com/umbraco-cms/13.latest/fundamentals/backoffice/login#password-reset) section.

## Other security settings

* [The Umbraco timeout in minutes](https://docs.umbraco.com/umbraco-cms/13.latest/configuration/globalsettings#timeout)
* [disableAlternativeTemplates](https://docs.umbraco.com/umbraco-cms/13.latest/configuration/webroutingsettings#disable-alternative-templates): if set to false, alternative templates can be used to try to render pages in a way that they are not supposed to be rendered.
* [disableFindContentByIdPath](https://docs.umbraco.com/umbraco-cms/13.latest/configuration/webroutingsettings#disable-find-content-by-id-path): if set to false, this can be used to enumerate the nodes in your website and find hidden pages.
* Umbraco Forms: [AntiForgeryToken](https://docs.umbraco.com/umbraco-forms/developer/configuration#enableantiforgerytoken) and DisableFormCaching
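
A quick way to check the two web routing flags above in a deployed `appsettings.json`, as an added example that is not part of the Umbraco documentation or code base. It assumes the settings live under `Umbraco:CMS:WebRouting` and that an absent key means the default of false; the sample JSON is constructed.

```python
import json

# Constructed sample: a trimmed appsettings.json, for illustration only.
SAMPLE_APPSETTINGS = (
    '{"Umbraco": {"CMS": {"webrouting": '
    '{"DisableAlternativeTemplates": "true"}}}}'
)

# Settings named on this page that should be true on a hardened site.
# Assumption: an absent key falls back to false (the Umbraco 13 default).
CHECKS = [
    ("Umbraco:CMS:WebRouting:DisableAlternativeTemplates",
     "alternative templates can render pages in unintended ways"),
    ("Umbraco:CMS:WebRouting:DisableFindContentByIdPath",
     "nodes can be enumerated by id path, exposing hidden pages"),
]


def lookup(config, path):
    """Resolve a colon-separated key; ASP.NET Core keys are case-insensitive."""
    node = config
    for part in path.split(":"):
        if not isinstance(node, dict):
            return None
        matches = [v for k, v in node.items() if k.lower() == part.lower()]
        if not matches:
            return None
        node = matches[-1]
    return node


def as_bool(value):
    """JSON booleans and the strings "true"/"false" both bind to a bool."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def audit(appsettings_text):
    """Return (setting path, risk) for every check that is not enabled."""
    config = json.loads(appsettings_text)
    return [(path, risk) for path, risk in CHECKS
            if not as_bool(lookup(config, path))]


if __name__ == "__main__":
    for path, risk in audit(SAMPLE_APPSETTINGS):
        print(f"[WARN] {path} is not true: {risk}")
```

The script reads a single file; environment-specific appsettings files and environment variables can override these values at runtime, so audit the effective configuration for each environment.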
