Skip to content

How do I reset my password?

Requires Basic

On the login page, click “Forgot password?”, enter your email address, and submit the request. If an account exists, you’ll receive an email with a reset link (valid for 60 minutes by default). Use the link to set a new password (at least 8 characters), then log in with it.

The “Forgot password?” link only appears if your administrator has enabled self-service password reset and an email server (SMTP) is configured. If the link is missing, contact your administrator — they can set a new password for you directly or send a reset link (see Users & Roles). If you’re already logged in and just want to change your password, use Manage your profile.

  1. Open “Forgot password?”. On the login page, click “Forgot password?” below the password field.

    The 'Forgot password?' link on the login page (only with self-service reset enabled).
  2. Enter your email address. Enter your account email and click “Send link”. The notice “If the email exists, a reset link has been sent.” appears — this message always shows, regardless of whether the address is registered.

    After submitting, Notory gives a neutral confirmation that a link was sent.
  3. Open the link in the email. Open the “Reset password” email and click the button in the message. You’ll land on the “Set a new password” page.

  4. Set a new password. Enter the new password and confirm it (both must match, at least 8 characters) and click “Change password”. On success, “Your password has been changed. You can now sign in.” appears.

    Use the link from the email to set a new password.
  • Gating: Self-service reset only works if it’s enabled (instance setting or ENV default). If it’s off, the request is silently ignored — no email goes out. Controlled under Admin → Login & Security → “Self-service password reset (login screen)”. Requires a configured SMTP server.
  • No user enumeration: The confirmation is always the same, regardless of whether the email exists. This prevents anyone from figuring out which addresses are registered.
  • One-time token: The link contains a single-use token, which is stored only as a SHA-256 hash and is valid for 60 minutes by default. It’s invalidated after use.
  • Email content: The message is sent in your account or instance language (German or English), with the instance’s branding and legal links (imprint/privacy policy/terms).
  • Rate limit: Requests are limited per IP address (default 60/minute).
  • Audit log: A completed reset is logged as a password change.
  • Admin path: Alternatively, an administrator can set a password directly in user management or send a reset link to the address on file.