Password Policies

You can use the Password Policies area to define when a password expires, its minimum and maximum length, and content restrictions.

Password Policies has the following actions:

  • Save and Reset—Saves your changes, which will go into effect for all existing users the next time they log in to the application.
  • Reset All Passwords—Expires all passwords for all existing users, so that each user will have to change their password at their next login.
  • Audit—Each time the password policy is saved, a record is entered into the audit. You can display this history using this option.

Screen

Password Policies Screen

Required Fields

The following table describes the required information you need to specify when managing password policies:

Field
  Description

Password Expiration
  A qualifier that determines how long a password is valid. The default for new businesses is Every 90 Days.

  IMPORTANT: Password expiration is based on the last time a password was changed for a user. Changing the expiration will prompt a user to reset their password when their current password expires (based on the policy you have set).

Minimum Length
  The minimum number of characters to be used in the password. The default for new businesses is 5 characters.

  IMPORTANT: After increasing the minimum password length, all users are prompted to reset their password the next time they log in to the application.

Maximum Length
  The maximum number of characters to be used in the password. The default for new businesses is 20 characters.

Password Complexity
  The type of characters required for the password, from among the following:
  - No Restrictions
  - Alpha and Numeric
  - Alpha (Upper and Lowercase) and Numeric

  The default for new businesses is No Restrictions.

  IMPORTANT: After increasing the password complexity, all users are prompted to reset their password the next time they log in to the application.

Login Attempt Account lockout threshold
  Specifies the number of failed login attempts permitted before a user account is locked. A locked account cannot be used until it is unlocked by an administrator. The default for new businesses is four (4) attempts.

  Note that users are warned before being given their final attempt to log in, and are informed when their accounts have been locked out because they have exceeded the maximum number of login attempts.

New password after lockout requirement
  Specifies whether a password should be reset when an account is unlocked (default). If you specify that a password reset is required, the user is sent an email notification with an embedded link that automatically logs the user in and requires a new password to be set. This link is effective only one time. The default for new businesses is Not Required.

Password question requirement
  Specifies that users are required to choose a challenge question (default). If a challenge question is required to reset a password, a user must specify an answer to the challenge question when they reset their password. The default for new businesses is Not Required.

How to…

This section describes how to set the password policies.

Set Password Parameters for All Users

1. Click Preferences, then Password Policies in the secondary menu. The Password Policies screen appears.

2. Select a Password Expiration qualifier.

You can select:

• Never Expires (default)
• Every 30 Days
• Every 45 Days
• Every 90 Days

3. Select the minimum number of characters to be used in the passwords.

You can select:

• 5 Characters (default)
• 8 Characters
• 10 Characters
• 12 Characters
• 15 Characters

4. Select the maximum number of characters to be used in the passwords.

You can select:

• 18 Characters
• 20 Characters (default)

5. Select the types of characters that passwords require.

You can select:

• No Restrictions (default)
• Alpha and Numeric—At least one alphabetical character and one numeric character is required.
• Alpha (Upper and Lowercase) and Numeric (default value)—At least one uppercase alphabetical character, one lowercase alphabetical character, and one numeric character is required.

6. Select the number of failed logon attempts permitted before a user account is locked.

You can select:

• 4 attempts (default for new businesses)
• 8 attempts
• 10 attempts

Note that businesses set up before the November 2017 release of Incent default to “No Limit” for the number of failed logon attempts. Xactly recommends that you change this to 4 attempts (the default for new businesses).

7. Select whether a password should be reset when an account is unlocked.

You can select:

• Required
• Not Required (default)

8. Select whether users are required to choose a challenge question.

You can select:

• Required
• Not Required (default)
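
The following is an added example, not Xactly's code: a small Python model of how the length, complexity and lockout settings chosen in the steps above behave once saved. The names Policy, violations and LoginTracker are hypothetical, and None is used here to stand for the "No Limit" lockout setting.

```python
# Added illustration of this page's policy options; all names are hypothetical, not Incent APIs.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    min_length: int = 5            # page options: 5, 8, 10, 12, 15
    max_length: int = 20           # page options: 18, 20
    complexity: str = "none"       # "none" | "alnum" | "alnum_mixed_case"
    lockout_threshold: Optional[int] = 4   # None models "No Limit"

def violations(policy: Policy, password: str) -> list:
    """Return every rule the candidate password breaks (empty list = accepted)."""
    out = []
    if len(password) < policy.min_length:
        out.append("too short")
    if len(password) > policy.max_length:
        out.append("too long")
    if policy.complexity in ("alnum", "alnum_mixed_case"):
        if not any(c.isdigit() for c in password):
            out.append("needs a numeric character")
        if not any(c.isalpha() for c in password):
            out.append("needs an alphabetical character")
    if policy.complexity == "alnum_mixed_case":
        if not any(c.isupper() for c in password):
            out.append("needs an uppercase character")
        if not any(c.islower() for c in password):
            out.append("needs a lowercase character")
    return out

class LoginTracker:
    """Counts failed logins for one account against the lockout threshold."""
    def __init__(self, policy: Policy):
        self.policy, self.failed, self.locked = policy, 0, False

    def record_failure(self) -> str:
        limit = self.policy.lockout_threshold
        if self.locked:
            return "locked"
        self.failed += 1
        if limit is None:              # "No Limit": guessing is never stopped
            return "retry"
        if self.failed >= limit:
            self.locked = True         # stays locked until an administrator unlocks
            return "locked"
        return "final-attempt-warning" if self.failed == limit - 1 else "retry"

    def admin_unlock(self) -> None:
        self.failed, self.locked = 0, False
```

With the threshold at 4, the third failure returns the final-attempt warning and the fourth locks the account; with None ("No Limit") the tracker never locks, which is the behaviour the recommendation in step 6 is meant to remove.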