Better account security: password expiry and reset in Koha


By PTFS-Europe

24th April 2024 |

In this video, Aude talks about features first introduced in Koha 22.05 and 22.11 related to password expiry and reset. She explains how to ensure users change their password regularly by making their password expire after a defined period of time. She then discusses options available for password reset.

Koha account security

There are many options in Koha to help you and your colleagues increase the security of the data you hold. A big part of it will be making sure only the persons who are allowed to do so have access to the data. For the Koha staff interface, that can simply mean library staff need a password to login. But often you will want stronger protection than that: controlling password expiry and reset can be useful.

Other Koha features for better password security include:


Want more Koha tips? Check the other Koha-related articles on our blog.

How to use the password expiry and reset options

Note: all hyperlinks in this section point to the Koha manual.


  • EnableExpiredPasswordReset system preference: to allow users to reset their password directly when they try to login, rather than them having to use the OPAC’s Forgot your password? link or ask another member of staff for help.


  • OpacResetPassword system preference: this is primarily used to allow users to change their password via an OPAC page. When enabled, the Forgot your password? link appears below the login form on the OPAC. Using it will trigger the PASSWORD_RESET notice which contains a link for the user to reset their password. The same system preference also makes a parallel option appear in the staff interface: in a user account, under the More button, staff can click “Send password reset”. This triggers the STAFF_PASSWORD_RESET notice which contains a link for the user to reset their password.


  • NotifyPasswordChange system preference: to notify the user that their password has just been updated. This acts as both a confirmation and an alert in case the user did not actually reset their password. The PASSWORD_CHANGE notice is used.





Koha Community Positions for the 24.11 Cycle

Books in a hand - library data migration

Koha Foundation Proposal

Books on shelf

Need help? Chat to our team of experts today.

Get Support