The Password Policy enables Admin Users to have more control over security by setting password parameters. These parameters enforce password requirements that Users must follow when creating their passwords.
A password can have up to seven different parameters required for each User, and every requirement will allow an Admin to choose which User Role that requirement is applied to by Primary Role. While an Admin may only set a few parameters for lower level Primary Roles, he/she can have stricter parameters for higher level Primary Roles. This allows an Admin's Password Policy to be customized for every type of User.
It is important to note that the Password Policy cannot be applied to Users that only have a Primary User Role of Employee App Access.
Users with the security role of Full Access or User Setup will have full access to the Password Policy and all of its functions. Click here to view information on Security Role Descriptions.
To navigate to the Password Policy page, hover over 'Administration' on the top ribbon, then the 'Users & Security' sub-menu, and click 'Password Policy'. A new window will open that displays Password Parameter options and requirements by User Role.
Password Policy Parameters
1) Minimum character limit - A minimum amount of characters allowed in a password. If toggled, the minimum character limit is between 1 and 20
2) At least 1 uppercase letter - A minimum of one uppercase letter would be required for each password
3) At least 1 lowercase letter - A minimum of one lowercase letter would be required for each password
4) At least 1 number - A minimum of one number would be required for each password
5) At least 1 special character - A minimum of one special character would be required for each password
6) Force periodic password reset - An automated forced reset after a specified number of days
7) Blacklist certain words - Certain words and numbers would be blocked from using as part of a password
If toggled, two options will appear:
1) Automatically blacklist usernames - The User's username will be blocked from being entered as part of their password. However, this would not block a User from using another's username in a password
2) Manually enter blacklisted words - A manual entry of any words or numbers that will be blocked from using as part of a password. These must contain a minimum of three characters. Once created, click the 'Add' button to include each entry in the grid below. Clicking the 'Clear' button will clear any characters typed in the Blacklisted Word field, but to delete an entry inside of the grid, click the trash iconnext to the entry
Setting Parameters for Different User Roles
For each password parameter toggled on, a drop-down will display a 'User Role(s)' field that will be defaulted to all Users. This provides the option of making that parameter required for all Users or certain selected Users.
If the Admin is unsure of which parameters are set for certain Users, he/she can preview these requirements by clicking the drop-down arrow next to 'Select User Role'.
When finished, click 'Save' on the top ribbon.
User Password Creation
When Users create their password, a listing of all the required parameters will be located below the 'New Password' field. As characters are typed in, the listing will display when each requirement is fulfilled. The User won't be able to Save their new password until all required parameters are met.
- Note: The Password Policy is not checked on the classic mobile app. If the Password Policy is updated and the User's password no longer meets the requirements or if the time has expired for the Password Reset option, the User will only be prompted to change his/her password on the website, but will be allowed to log in to the mobile app successfully.
The Admin User can update the Password Parameters at any time. Whenever an update is made, the Admin will see a Confirmation message that has him/her confirm the changes made.
Users with changed requirements will see a 'Change Password' screen when they attempt to log in after the new password requirements have been Saved. This forces Users to update their existing password by typing in their old password and entering in a new one using the requirements listed.
- Note: If a User has an existing password that meets the updated requirements, the User will not be prompted to update his/her password