Umbraco Security Settings
The settings for Umbraco passwords are configurable in appsettings. There are two different configuration objects - One for Umbraco Members and one for Users.
Umbraco backend users can reset their own password, or if they try too much, have a locked out account.
- disableAlternativeTemplates If set to false this can be used to try to render pages in a way that they are not supposed to
- disableFindContentByIdPath If set to false this can be used to do an enumeration of the nodes in your website and find hidden pages.