Skip to content

How do I reset a user's password?

Requires Basic

On the user detail page, Password section, you have two options: set a new password directly (optionally e-mailing it to the user) or send a reset link to the address on file, letting the user choose their own password. If someone has locked themselves out of two-factor sign-in, reset 2FA in the Two-Factor section.

  1. Open a user. Administration → User Management → click a user.

  2. Set a password. In the Password section, enter a new password (or have a secure 14-character one generated) and click “Set password”. If you also enable “E-mail the new password to the user”, the user receives the password via a secure one-time link — never in plain text.

    Set a password directly, invite by e-mail, or send a reset link.
  3. Alternative: send a reset link. With “Send reset link”, the user receives an e-mail through which they set a new password themselves.

  4. Reset 2FA (in case of lockout). In the Two-Factor section, use “Disable 2FA” to remove all of the user’s authenticator devices — for example, after a lost device.

  • Mandatory password change. If an administrator sets a password directly, Notory flags the account as “password change required”: at the next login, the user must choose a password of their own before they can use the app. So the password an administrator sets directly is just a transport secret.
  • No plain text by e-mail. With “send by e-mail”, the password lands on a One-Time-Secret instance; the e-mail contains only the one-time link (“Show password”), which expires after being opened once. If no one-time-link service is reachable, Notory falls back to a reset link — never to plain text.
  • The reset token is single-use and time-limited. The reset link contains a single-use, time-limited token. It becomes invalid after expiry or use.
  • Argon2id. Every new password is hashed with Argon2id; plain text is never stored. Every password change creates an audit log entry (password_change).
  • Self-service reset. Whether users may request a reset link themselves from the login screen is controlled centrally (instance setting “Self-service password reset”). To prevent account enumeration, Notory always responds neutrally either way.
  • 2FA reset. Disabling removes all devices and resets totp_enabled. If 2FA is enforced, the user is guided through setup again at their next login.