In version 5.1 and newer, password policy can be set from the Sites page, when logged in as SystemAdmin. In versions 5.0 or before, the password rules can be configured by changing the following tag:

<add key=”PasswordControls” value=”Low”/>

Low:  No restriction for specifying a new password.

High: Enforces strong password requirements as follows:

  • Passwords must be a minimum of 8 characters.
  • Passwords must include 1 upper alphabetic character, 1 lower alphabetic character and 1 numeric character.
  • Passwords cannot be the username.
  • Password Expiration: Passwords for User accounts must expire after a maximum of 90 days.  Systems will warn the users daily starting 6 days in advance of when their password will expire.
  • Password Lockout: An account with an expired password will be locked-out until reset by the site administrator.
  • System Account Suspension for Failed Login Attempts: Successive failures will result in a user’s account being locked indefinitely.  Upon 5 successive failures, the account will be locked until manually reset by the site administrator.
  • Password History: The system will not allow a user to select a password that matches one of the user’s 4 previous passwords.