Password Policy
Password Policies define password requirements and login protections.
Permissions
Users that have the Access Control/User Management permission can modify the password policies.
Create a New Password Policy
- Click Settings > Administration > Password Policies
- Click the Edit button, and change any of the fields under Policy Information to create a custom password policy:
  - Minimum Length: The minimum number of characters in the password. Default: 6 characters; Range: 6-10 characters
  - Required Character Types: The types of characters and character combinations required for passwords. Default: No Restrictions; Range: See Required Character Types
  - Expires In: The number of days the password remains valid before the user is prompted to change it. Default: 90 days; Range: 15, 30, 60, 90, 120 days, Never
  - New Password Cannot Match: The number of previous passwords that a new password cannot match. Default: Last Password; Range: Last 2-5 passwords
  - Minimum Age: How often a user can change the password, given as the number of days that must pass before a user can change passwords. Default: No Minimum; Range: 1-5 days
  - Inactive Session Timeout: The length of time an application remains active with no user activity. When the timeout is reached, the application becomes inactive and the user needs to log on again. Default: 90 minutes; Range: 15, 30, 60, 90, 120 minutes
  - Account Lockout Threshold: The number of login attempts before the account is locked out. Default: 5 tries; Choices: 3-10 tries, No Limit. Learn more: Login Limit
  - Account Lockout Duration: The length of time that an account is locked out. Default: 15 minutes; Choices: 5, 10, 15, 30, or 60 minutes, Disable
  - Users Excluded from Password Expiration: A list of users who do not have to update their password. This might include users with Administration privileges. Default: No Users
- Click [Save]. For audit purposes, the following information is also displayed:
  - Last Modified By <username> {date}
  - Created By <username> {date}
About Login Limit
The Login Limit defines the number of failed attempts allowed before a user account is disabled or locked for a specified time. When a user attempts to log in and fails (because of an incorrect password), each attempt counts against the Login Limit. When the Login Limit is reached, the account is disabled or locked for a specified time, according to the parameters set in the Account Lockout Duration field. The Login Limit is defined in Password Policies.
Users that have the Manage Company Capabilities permission can:
- Enable and specify the Login Limit
- Track all invalid login attempts in the Audit Logs
- Reactivate the locked/disabled user account
To specify the Login Limit:
- Click Settings > Administration > Password Policies
- Click the [Edit] button
- Choose an option in the Account Lockout Threshold field from this list of options:
- No Limit
- 3 failed tries
- 4 failed tries
- 5 failed tries (default)
- 6 failed tries
- 7 failed tries
- 8 failed tries
- 9 failed tries
- 10 failed tries
To track all Invalid Login Attempts, see the Audit Log.
Reactivation
To reactivate a locked or disabled user account:
- Click Settings > Administration > User
- Select the user account of interest
- Click the [Edit] button
- Click the Active checkbox icon
- Click [Save]
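The lockout and reactivation behaviour described above, modelled as an added example (not the product's code). It assumes that a successful login clears the failed-attempt counter and that the Disable duration leaves the account inactive until an administrator re-checks Active; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Choices from the Password Policy fields above (None = "No Limit" / "Disable").
THRESHOLDS = {None, 3, 4, 5, 6, 7, 8, 9, 10}
DURATIONS = {None, 5, 10, 15, 30, 60}

@dataclass
class LockoutPolicy:  # hypothetical name
    threshold: Optional[int] = 5          # default: 5 tries
    duration_minutes: Optional[int] = 15  # default: 15 minutes

    def __post_init__(self):
        if self.threshold not in THRESHOLDS:
            raise ValueError("threshold: 3-10 or None (No Limit)")
        if self.duration_minutes not in DURATIONS:
            raise ValueError("duration: 5, 10, 15, 30, 60 or None (Disable)")

@dataclass
class Account:  # hypothetical name
    failed: int = 0
    locked_until: Optional[datetime] = None
    active: bool = True  # the Active checkbox on the user record

def attempt_login(acct, policy, password_ok, now):
    """Return 'ok', 'failed', 'locked' or 'disabled' for one attempt."""
    if not acct.active:
        return "disabled"
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"  # even a correct password is refused
        acct.locked_until, acct.failed = None, 0  # lockout has expired
    if password_ok:
        acct.failed = 0  # assumption: success clears the counter
        return "ok"
    acct.failed += 1
    if policy.threshold is not None and acct.failed >= policy.threshold:
        if policy.duration_minutes is None:  # assumption: "Disable"
            acct.active = False  # off until an administrator reactivates
            return "disabled"
        acct.locked_until = now + timedelta(minutes=policy.duration_minutes)
        return "locked"
    return "failed"

def reactivate(acct):
    """Administrator action: re-check Active and clear the lock state."""
    acct.active, acct.failed, acct.locked_until = True, 0, None
```

With No Limit selected, the model never locks the account, so the Audit Log entries for invalid login attempts are the only record of repeated failures.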
Users Excluded from Password Expiration
By default, no user is exempt from the Password Policy, although it is possible to specify that a User be Excluded from the Password Expiration Policy.
Required Character Types
This option defines the level of security for passwords, which can be simple and allow any character combination, or very secure, requiring Upper and lower case characters, as well as special characters.
Option | Example Passwords | Description |
---|---|---|
No Restrictions: This is a low security option and allows any characters to be selected from a defined set | These passwords are considered to be the same in this policy: | Characters in any of the following sets are allowed: |
Alphanumeric characters: This is also a low security option - it allows most characters, and requires some characters from a defined set | These passwords are not the same, and each can be used in this policy: | Requires at least one character from each of the following sets: Upper case (A-Z) or lower case (a-z); number (0-9). Allowed: |
Alphanumeric characters: This is a reasonable level of security for most organizations. | These passwords are not the same, and each can be used in this policy: This password does not meet the requirement because it is missing an Upper case character: | Requires at least one character from each of the following sets: Upper case (A-Z); number (0-9). Allowed: |
Alphanumeric characters: The addition of special characters adds an additional degree of complexity to password security. | Any of these passwords can be used in this policy: This password does not meet the requirement because it is missing a number and a special character: | Requires at least one character from each of the following sets: Upper case (A-Z) or lower case (a-z); number (0-9); special character @ # $ % |
Alphanumeric characters: The addition of special characters and the upper/lower case requirement adds a high degree of complexity to password security. | These passwords are not the same, and each can be used in this policy: This password does not meet the requirement because it is missing an Upper case character: This password does not meet the requirement because it is missing a number and a special character: | Requires at least one character from each of the following sets: Upper case (A-Z); number (0-9); special character @ # $ %. Allowed: |
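The Required Character Types rules above, written out as a checker and run against constructed passwords; this is an added example, not the product's code. The level keys and function names are hypothetical, the required sets follow the Description column as it appears above, and the "Allowed" sets are not enforced because they are not listed.

```python
import string

# Character sets named in the Description column above.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)
SPECIAL = set("@#$%")

# Hypothetical level keys, in table order. Each level lists the groups that
# must each contribute at least one character; "upper or lower" is a union.
LEVELS = {
    "none": [],
    "alnum": [("a letter", UPPER | LOWER), ("a number", DIGIT)],
    "alnum_upper": [("an upper case character", UPPER), ("a number", DIGIT)],
    "alnum_special": [("a letter", UPPER | LOWER), ("a number", DIGIT),
                      ("a special character", SPECIAL)],
    "alnum_upper_special": [("an upper case character", UPPER),
                            ("a number", DIGIT),
                            ("a special character", SPECIAL)],
}

def check_password(password, level, min_length=6):
    """Return the unmet requirements; an empty list means the password passes."""
    if not 6 <= min_length <= 10:
        raise ValueError("Minimum Length must be in the 6-10 range")
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    chars = set(password)
    for name, group in LEVELS[level]:
        if not chars & group:  # no character from this required group
            problems.append(f"missing {name}")
    return problems

def levels_satisfied(password, min_length=6):
    """List every level the password would pass, e.g. when tightening a policy."""
    return [lvl for lvl in LEVELS if not check_password(password, lvl, min_length)]
```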