Overview

Password management is tightly connected with user's email be it customer of a shop or business user using admin application. In both cases user login would be an email address. All password communication will done directly to users email address.

...

Starting from version 3.5.0 password management can be setup to be fully controlled by business user thus providing flows to allow both customers and business users to change the password. 

Customer

Allowing customers to choose passwords if fully controlled via shop's registration attributes that provide list of attributes that determine the contents of the registration form. These shop attributes have the following form SHOP_CREGATTRS_XXX where XXX represents customer type (e.g. SHOP_CREGATTRS_B2C, SHOP_CREGATTRS_B2G) and contain CUSTOMER type attribute definitions (effectively it is a per customer type list of attributes that need to be captured at registration). Out of the box there are two default attribute definitions password and confirmPassword, thus including them (e.g. SHOP_CREGATTRS_B2C=email,firstname,last name,password,confirmPassword) will result in password fields being available when customer registers. Note that the attribute code is not important but rather that attribute definition value, which is set to password and confirmPassword respectively. Therefore it is possible to create alternative attribute definitions and use them in  SHOP_CREGATTRS_XXX as long as their values are correctly set. This allows for multi tenant server to define per shop password configurations (e.g. for different validation purposes).

...