Remove Password Reset
This guide explains how to remove the "Forgot Password" functionality. After removal, users will need to contact an administrator to reset their password.
Password reset is a common user expectation. Removing it will increase administrator workload for password resets. Only remove if you have a specific security or workflow reason.
Step 1: Remove Forgot Password Link
In Pages/Account/Login.cshtml, delete the forgot password link:
<!-- DELETE this line: -->
<p>
<a asp-page="./ForgotPassword">Forgot your password?</a>
</p>Step 2: Delete Password Reset Pages
Delete these files from Pages/Account/:
ForgotPassword.cshtmland.cshtml.csForgotPasswordConfirmation.cshtmland.cshtml.csResetPassword.cshtmland.cshtml.csResetPasswordConfirmation.cshtmland.cshtml.cs
Step 3: Delete Help File
Delete wwwroot/help/user/password-reset.htm
Step 4: Update Help Index
In wwwroot/help/default.htm, remove the password reset link from the user help section.
Step 5: Ensure Admin Can Reset Passwords
Verify that the admin Edit User page (Pages/Admin/Users/Edit.cshtml)
includes the ability to set a new password for users. This becomes the only way
to reset forgotten passwords.
Alternative: Keep for Admins Only
Instead of removing password reset entirely, you could modify it to only work for admin-initiated resets:
- Keep the reset pages but remove public links
- Add an "Email Reset Link" button to the admin Edit User page
- Admin triggers reset, email is sent to user
Verification
After removal, verify:
- Build succeeds with no errors
- No "Forgot Password" link on login page
- Direct navigation to
/Account/ForgotPasswordreturns 404 - Admin can still reset user passwords via Edit User page