Password Policy

Password Policy Overview

(Note:  The term ‘Password’ may be changed on the System Settings page but will be used in the documentation for this page since that is the default initial setting. See the System Settings page for more details.)

The Password Policy page contains settings that are used to determine the validity of a password that is being created or set. The options are grouped into the following categories:

These settings will only be used to check the validity of new or changed passwords. They will not affect existing passwords.

Who has access?

System Administrators

Detailed Description


Enable Password Expiration

If this option is checked, users will be required to change their password periodically based on the Duration setting. If this option is not checked, the Duration setting has no effect.

Duration (Days)

The number of days (24 hour time periods) for which an expiring password is valid. If password expiration is enabled, this will be the time since the user’s password was last changed. This is enforced at login time.

Length Requirements

Minimum Length

A new or changed password must contain at least this many characters.  The minimum length must be at least as long as the sum of all of the other minimum password length requirements (i.e., lowercase, uppercase, numeric, and special). A password cannot be blank, so the minimum length will be one character. A setting of 0 (zero) is equivalent to a setting of 1.

Minimum Number of Lowercase Characters

New or changed passwords must contain at least this many lowercase characters.

Minimum Number of Uppercase Characters

New or changed passwords must contain at least this many uppercase characters.

Minimum Number of Numeric Characters

New or changed passwords must contain at least this many numeric characters.

Minimum Number of Special Characters

New or changed passwords must contain at least this many special characters as defined in the Special Characters setting.

Special Characters

This is a list of the special (non-numeric, non-alphabetic, non-blank) characters that are counted when determining the minimum number of special characters in a password.

Content Restrictions

Not Allowed Characters

This a list of characters that will not be allowed as part of a password. This is typically used to exclude characters where there may be confusion because of character similarity such as between 0 (zero) and O (capital letter ‘o’).

Not Allowed Words

This is a list of words that are not allowed as part of a password. Use commas to separate words in the list. The test for inclusion of these words within a password is case-insensitive. The maximum length of the entire list of words is 1024 characters.

Password History

Password History Count

This setting is the number of previous (non-temporary) passwords for a user that they will not be allowed to re-use as their password when it is changed. The maximum value for this setting is 10. Set this value to 0 (zero) to disable this feature. If a User Administrator sets a user’s password and marks it as temporary, then the password history check (as well any other current password policy setting such as length requirements or content restrictions) will not be enforced for that password. Temporary passwords are not saved in the password history list.

User Interaction

Maximum Login Failures

The number of login failures allowed for a user account after which they will be required to enter a Captcha code as well as their correct password in order to log in. If this is set to 0 (zero), a Captcha code is always required.

Enable Password Reset

If this option is checked, users will be able to request an email be sent to them that will contain a link which will allow them to reset their password. Passwords changed by users must comply with all password policy settings.