Password Policy Overview

(Note: The term 'Password' may be changed on the System Settings page but will be used in the documentation for this page since that is the default initial setting. See the System Settings page for more details.)

The Password Policy page contains settings that are used to determine the validity of a password that is being created or set. The options are grouped into the following categories:

  • Expiration
  • Length Requirements
  • Content Restrictions
  • Password History
  • User Interaction

These settings will only be used to check the validity of new or changed passwords. They will not affect existing passwords.

Who has access?

System Administrators

Detailed Description

Expiration

  • Enable Password Expiration
    If this option is checked, users will be required to change their password periodically based on the Duration setting. If this option is not checked, the Duration setting has no effect.

  • Duration (Days)
    The number of days (24-hour time periods) for which an expiring password is valid. If password expiration is enabled, this will be the time since the user’s password was last changed. This is enforced at login time.

Length Requirements

  • Minimum Length
    A new or changed password must contain at least this many characters. The minimum length must be at least as long as the sum of all of the other minimum password length requirements (i.e., lowercase, uppercase, numeric, and special). A password cannot be blank, so the minimum length will be one character. A setting of 0 (zero) is equivalent to a setting of 1.

  • Minimum Number of Lowercase Characters
    New or changed passwords must contain at least this many lowercase characters.

  • Minimum Number of Uppercase Characters
    New or changed passwords must contain at least this many uppercase characters.

  • Minimum Number of Numeric Characters
    New or changed passwords must contain at least this many numeric characters.

  • Minimum Number of Special Characters
    New or changed passwords must contain at least this many special characters as defined in the Special Characters setting.

  • Special Characters
    This is a list of the special (non-numeric, non-alphabetic, non-blank) characters that are counted when determining the minimum number of special characters in a password.

Content Restrictions

  • Not Allowed Characters
    This is a list of characters that will not be allowed as part of a password. This is typically used to exclude characters where there may be confusion because of character similarity such as between 0 (zero) and O (capital letter ‘o’).

  • Not Allowed Words
    This is a list of words that are not allowed as part of a password. Use commas to separate words in the list. The test for inclusion of these words within a password is case-insensitive. The maximum length of the entire list of words is 1024 characters.
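
The Length Requirements and Content Restrictions settings above, combined into one validity check. This is an added example, not the product's own code: the class, field names and default values are constructed, and classifying characters with Python's str methods and trimming spaces around list entries are assumptions.

```python
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    # Field names and defaults are constructed for this example.
    min_length: int = 8
    min_lower: int = 1
    min_upper: int = 1
    min_numeric: int = 1
    min_special: int = 1
    special_chars: str = "!@#$%^&*"
    not_allowed_chars: str = "0O"
    not_allowed_words: str = "password,admin"  # comma-separated list

    def config_errors(self):
        """Problems with the policy itself, checked before any password is tested."""
        errors = []
        class_total = self.min_lower + self.min_upper + self.min_numeric + self.min_special
        if max(self.min_length, 1) < class_total:
            errors.append("minimum length is below the sum of the other minimums")
        if len(self.not_allowed_words) > 1024:
            errors.append("not-allowed word list is longer than 1024 characters")
        return errors

    def violations(self, password):
        """Rules broken by a new or changed password; an empty list means valid."""
        found = []
        if len(password) < max(self.min_length, 1):  # a setting of 0 acts as 1
            found.append("too short")
        # Character classes: using str methods is an assumption about classification.
        checks = [
            ("lowercase", sum(c.islower() for c in password), self.min_lower),
            ("uppercase", sum(c.isupper() for c in password), self.min_upper),
            ("numeric", sum(c.isdigit() for c in password), self.min_numeric),
            ("special", sum(c in self.special_chars for c in password), self.min_special),
        ]
        found += [f"too few {name} characters" for name, have, need in checks if have < need]
        banned = sorted(set(password) & set(self.not_allowed_chars))
        if banned:
            found.append("not-allowed characters: " + "".join(banned))
        # Word test is a case-insensitive substring match; blank entries are skipped.
        lowered = password.lower()
        for word in self.not_allowed_words.split(","):
            word = word.strip().lower()
            if word and word in lowered:
                found.append("not-allowed word: " + word)
        return found
```

Returning every broken rule at once, rather than stopping at the first, lets a change-password form tell the user everything that needs fixing in one attempt.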

Password History

  • Password History Count
    This setting is the number of previous (non-temporary) passwords for a user that they will not be allowed to re-use as their password when it is changed. The maximum value for this setting is 10. Set this value to 0 (zero) to disable this feature. If a User Administrator sets a user’s password and marks it as temporary, then the password history check (as well as any other current password policy setting such as length requirements or content restrictions) will not be enforced for that password. Temporary passwords are not saved in the password history list.

User Interaction

  • Maximum Login Failures
    The number of login failures allowed for a user account after which they will be required to enter a Captcha code as well as their correct password in order to log in. If this is set to 0 (zero), a Captcha code is always required.

  • Enable Password Reset
    If this option is checked, users will be able to request an email be sent to them that will contain a link which will allow them to reset their password. Passwords changed by users must comply with all password policy settings.