Passwords can now only be set via:

  • The Change Password feature, for logged-in users to change their own password

  • The Reset Password feature, for logged-out users to change their password via a token sent to the user's registered email address

Both of these application features use the User object methods, which enforce password policy.

Policy: passwords must meet the following criteria

  • Have a length of at least 7 characters

  • Have at least one letter

  • Have at least 1 number

  • Cannot be the same as the username

When creating a new user

  • New users are created with no password and are unable to log in

  • New users must use the Password Reset feature to set their password for the first time

  • An administrator can trigger a password reset email from the user list

  • A user can trigger a password reset email from the login page

  • Administrator users are no longer permitted to set passwords for new users.

Existing Users

  • If a user logs in with a password that does not meet policy, they are immediately prompted to change their password and cannot proceed until they have done so.

  • Once logged in, a user can change their password again at any time with the Change Password feature.

  • A user can also use the Reset Password flow to set their password at any time.

  • Administrators are no longer permitted to enter new passwords for other users.

Limit Password Attempts

  • After 10 consecutive incorrect password attempts on the same username, a user account becomes locked and has its password wiped.

  • The User list screen will show an unlock button next to that user's account.

  • When the unlock button is used by an Administrator, the account will become unlocked and the user will be sent a password reset email.

  • Once the user has reset their password, they can then log into their account.
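
The policy and lockout rules above can be modelled as a single User object whose password setter is the only write path. This is an added sketch, not the product's own code. Assumptions: the class and function names, the PBKDF2 hashing parameters, and the case-insensitive username comparison are all hypothetical.

```python
import hashlib, hmac, os

MIN_LENGTH = 7       # policy value from the page
MAX_FAILURES = 10    # lockout threshold from the page

def policy_violations(username, password):
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # Assumption: the username comparison ignores case.
    if password.casefold() == username.casefold():
        problems.append("same as username")
    return problems

class User:
    def __init__(self, username):
        self.username = username
        self.salt = self.digest = None   # new users have no password
        self.failures, self.locked = 0, False

    def _hash(self, password):
        # Assumption: PBKDF2-SHA256; the iteration count is chosen for the example.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password):
        """Single write path, shared by Change Password and Reset Password."""
        problems = policy_violations(self.username, password)
        if problems:
            raise ValueError("; ".join(problems))
        self.salt = os.urandom(16)
        self.digest = self._hash(password)
        self.failures = 0

    def check_password(self, password):
        """True on success; lock and wipe after 10 consecutive failures."""
        if self.locked or self.digest is None:
            return False
        if hmac.compare_digest(self.digest, self._hash(password)):
            self.failures = 0            # only consecutive failures count
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked, self.salt, self.digest = True, None, None
        return False

    def unlock(self):   # administrator action; the password stays wiped
        self.locked, self.failures = False, 0
```

After `unlock()` the account still has no password, so the old password cannot work again; only the reset flow calling `set_password` restores login.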

User Change Notifications

  • When the Change Password feature is used, an email is sent to the user's registered email address informing them the password was changed.

  • When the Reset Password feature is used, an email is sent to the user's registered email address informing them the password was changed.
