You can choose to set a password policy for users in your GLM/SLM site. The requirements you choose will apply to all users (across all roles) in your site who set or reset their password going forward.
You can also configure the maximum failed attempts allowed for users to enter their password when logging on, without enabling a custom password policy. Please refer to step 10 in this tutorial for more details on this setting.
- From the dashboard, click the Gear Icon in the upper right corner of the screen.
- Click the Pencil Icon next to the User Password Policy setting.
- Click the checkbox to enable your custom policy.
- If this setting is not enabled, the default password policy is in effect. The default policy is a minimum of 6 characters, which can include letters, numbers, and the following special characters: !@#$%^&*()_
- If this setting is not enabled, the default password policy is in effect. The default policy is a minimum of 6 characters, which can include letters, numbers, and the following special characters: !@#$%^&*()_
- Choose the minimum password length.
- This is the minimum number of characters that a user must have in their password.
- This is the minimum number of characters that a user must have in their password.
- Select any character types you'd like to require.
- This defines the specific character types that a user must include in their password.
- This defines the specific character types that a user must include in their password.
- Determine how many of the character types (selected in the previous step) must be included.
- In this example, passwords must contain 2 of the 3 selected character types (i.e. a lower case letter and a number, or an upper case letter and a lower case letter).
- In this example, passwords must contain 2 of the 3 selected character types (i.e. a lower case letter and a number, or an upper case letter and a lower case letter).
- Determine the minimum number of characters required from each character type.
- Set the number of days until passwords should expire (first uncheck the "Never" box). Users are prompted to reset their password after that number of days. Alternatively, keep the "Never" box checked if you do not want passwords to expire.
-
The default for this is to never expire, which is the industry recommended best practice. A password expiration should only be used if your organization’s password security policy requires it.
-
- Select any user roles for which you'd like to require two-factor authentication. Please refer to this article for more information on this feature: Two-Factor Authentication
- Select the maximum failed attempts allowed for users to enter their password when logging on.
- After reaching this limit, the user will be locked out of their account and prompted to reset their password.
- This part of the policy will be enforced even if you do not enable your custom policy.
- Click OK.
If a user tries to set a password that does not meet the requirements, the system will display a message listing the password requirements.
Below are a few additional resources related to password policies (and other security considerations):
- NIST Digital Identity Guidelines - a full publication from the National Institute of Standards and Technology (NIST).
- NIST Appendix A - additional details about password strength from the NIST.
- Know Thy Passwords: A Guide to Security - this blog post from Cory Brester, Foundant's Director of CRM and Information Systems, is a good place to start for more context around this topic.