Customer Lists Preferences

You can use customer site preferences to control how your storefront responds to failed login attempts by customers. You can optionally lock out a customer's account after a specified number of failed attempts, which prevents brute-force attempts to crack the customer's password.

See Business Manager Password Protection.

  1. Select Administration > Sites > Customer Lists.
  2. On the Customer Lists page, click a customer list or click Edit.
  3. On the Customer List page General tab, if this is a new list, enter the required information and click Apply.
  4. Select the Customer Number Sequence:
    • Unique per organization
    • Unique per customer list: select a starting value and enter a format pattern.
  5. Configure the Customer Profile Retention.
    Enter the number of days Salesforce B2C Commerce will store customer profiles (1-99.999). Profiles are automatically removed for customers who have not visited the site within the specified number of days. Leave blank if customer profiles should never be purged.
  6. Configure the Customer Login Settings.
    1. Enable or disable customer lockout after the specified number of tries.
      This field is set to True by default for all customers to prevent brute-force password guessing attempts. Customers have the option of either waiting 30 minutes for the lockout period to expire or resetting their password immediately, which restores account access so they can continue shopping. Site administrators can set this field to False if they prefer to disable this security feature.
    2. Enter a value for the Maximum Invalid Login Attempts, from 1 to 200.
    3. Select the Lockout Effective Period, from 1 minute to 10 days (default is 2 hours).
    4. Select the Login Attempt Reset Time, from Never to one day (default is one day).
    5. Enter the minimum Password Special Characters ($%/()[]{}=?!.,-_*|+~#) required for a valid password.
    6. Select whether the password must contain letters. If True, select whether any letter case or a mix of letter cases is required.
    7. Select whether the password must contain numbers.
    8. Select the Passwords Expire In interval, the period after which a password will expire, from Never to 90 days (default is Never).
  7. Click Apply to accept your changes, or Reset to reject your changes.
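
The following added example (not Salesforce B2C Commerce code) models how the three login settings in step 6 interact and how many password guesses per day a given combination allows against one account. The field names are hypothetical, the semantics of each setting are assumptions inferred from the labels above, and the sample login and the attempt limit of 5 are constructed values.

```javascript
// Added illustration, not Salesforce B2C Commerce code. Field names are hypothetical and
// the semantics of each setting are assumptions inferred from the labels on this page.
const MINUTE = 60 * 1000, HOUR = 60 * MINUTE, DAY = 24 * HOUR;

function createLockoutPolicy({ enabled, maxInvalidAttempts, lockoutPeriodMs, attemptResetMs }) {
  const state = new Map(); // login -> { failures, lastFailureAt, lockedUntil }

  function recordLogin(login, passwordOk, now) {
    const s = state.get(login) || { failures: 0, lastFailureAt: 0, lockedUntil: 0 };
    state.set(login, s);
    // While locked, even a correct password is refused.
    if (enabled && now < s.lockedUntil) return 'locked';
    // Assumed: the failure counter clears once the reset time has passed since the
    // last failure; null models the "Never" choice.
    if (attemptResetMs !== null && now - s.lastFailureAt >= attemptResetMs) s.failures = 0;
    if (passwordOk) { s.failures = 0; return 'ok'; }
    s.failures += 1;
    s.lastFailureAt = now;
    if (enabled && s.failures >= maxInvalidAttempts) {
      s.lockedUntil = now + lockoutPeriodMs; // the attempt that hits the limit locks the account
      s.failures = 0;
      return 'locked';
    }
    return 'failed';
  }

  // A password reset clears the lock immediately.
  function resetPassword(login) { state.delete(login); }

  return { recordLogin, resetPassword };
}

// Upper bound on password guesses per 24 hours against one account when every
// guess is wrong and lockout is enabled: one burst of attempts per lockout period.
function maxGuessesPerDay({ maxInvalidAttempts, lockoutPeriodMs }) {
  return Math.ceil(DAY / lockoutPeriodMs) * maxInvalidAttempts;
}

// Constructed settings: 5 attempts (sample value), 2-hour lockout and one-day reset (page defaults).
const settings = { enabled: true, maxInvalidAttempts: 5, lockoutPeriodMs: 2 * HOUR, attemptResetMs: DAY };
const policy = createLockoutPolicy(settings);
const outcomes = [1, 2, 3, 4, 5].map((i) => policy.recordLogin('shopper@example.com', false, i * 1000));
console.log(outcomes.join(','), '| correct password 1 min later:',
  policy.recordLogin('shopper@example.com', true, MINUTE + 5000));
console.log('max guesses per day:', maxGuessesPerDay(settings));
```

Under these assumptions, a short Lockout Effective Period combined with a high Maximum Invalid Login Attempts value raises the daily guess budget sharply, so evaluate the two settings together rather than one at a time.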