Password Policy

The password policy is strictly enforced and is not designed to be downgraded.

  • Expiration Frequency — The number of days after which users must change their passwords.

    Passwords do not expire with AuthN authentication.

    Only for OpenAM authentication = 180 (maximum and default) or fewer days. You cannot disable password expiration.

    Caution: If a user account is used for system-to-system API calls — such as for integrations — password expiration can block API calls and prevent integrations from running. To avoid this, convert the user account to API Only User in People Information; see the Employee topic. Your FAP must have API-only user set to Allowed; see the Manager - Common Setup ACPs topic. Once the account is API-Only, it supports only API calls; you cannot use it to log in from a browser or mobile app.

  • Reuse Monitoring = 24 previous passwords cannot be reused. You cannot disable reuse monitoring.
  • Account is locked out for inactivity — The number of days of inactivity before the system locks the account. You cannot disable inactivity lock outs.

    Note: User accounts that use Federated Authentication are not locked out because of inactivity. For more information about the types of authentication, see the Authentication topic.

    • Inactive existing user accounts = 180 (maximum and default) or fewer days.
    • First-time login = 30 (maximum and default) or fewer days.

      Note: To avoid locking accounts during setup, edit the User Account Status to the effective, active date of the accounts.

  • The password must not contain any of the following — User names, spaces, and words from the forbidden password list.

    Example forbidden passwords: MyUsername, password password, MyStrongPassword.

  • The password must contain all of the following — A mix of upper-case letters, lower-case letters, non-alphanumeric (special) characters, and numbers must be included in passwords.

    Example acceptable password: AYWzwmQX$Y4M3Dy (but don't use this example).

  • Minimum length: The shortest acceptable password length.

    Note: People Import integrations continue to run and import user accounts with the existing passwords, even if the passwords are shorter than the minimum number of characters. However, the users are prompted to change the passwords to more secure, complex passwords when they log in for the first time.

    Minimum (default) = 8 characters.

    Maximum = 64 characters.

  • Maximum consecutive identical characters = 4 (maximum and default) identical characters in a row that passwords can contain.

    Example forbidden passwords include the following: aaaaa, nnnnn, xxxxx, 00000, 66666, 99999.

  • Maximum sequential letters or numbers = 3 (maximum and default) sequential letters or numbers that passwords can contain.

    Example forbidden passwords include the following: abcd, defg, wxyz, 1234, 5678.

Note:

You can make only limited adjustments to the password policy as follows:

  1. Click Tap Main Menu  > Administration  > Application Setup > Access Profiles > Logon Profiles.
  2. To change the minimum password length and other log-on settings, see the Logon Profile topic.