Set User password management policy
This guide provides a detailed, step-by-step procedure for a CloudConnexa administrator to configure the password management policy for CloudConnexa Users. These settings are crucial for enforcing strong password hygiene for all user accounts authenticated via the "CloudConnexa Username and Password" method.
Note
These password management settings apply only to user accounts authenticated via the "CloudConnexa Username and Password" method.
Note
After the password policy is updated, existing users will be required to comply with the new policy the next time they log in. On their next login, if applicable, the user will be prompted to change their password. All new users will be subject to the password policy rules upon account creation.
CloudConnexa Username and Password authentication default settings for the password policy
The default password policy when the CloudConnexa Username and Password authentication method is in use is as follows:
Password Length: Minimum of 8 and a maximum of 70 characters
Password Complexity: Must include at least one letter. It must also include either one number or one special character.
Password Expiry: Never
Password History: Prevents reuse of the last 3 passwords
Account Lockout Policy: None
Password Block List: None
The password management section allows you to override these default settings by creating your own password policy to comply with your organization's security policy.
Accessing the password management section
Follow the steps below to access the password management section:
Locate the main navigation menu on the left side and click Settings.
Click User Authentication and the Password Management tab.
Configure password strength requirements
This section allows you to define the complexity rules for user passwords. The system provides a real-time visual strength indicator to help you create a robust policy.
On the Password Management page, click Modify in the Password Strength section and provide the following:
Note
As you enable these requirements, observe the visual strength indicator. It may change from "Weak" to "Medium" to "Strong," and may offer hints for improvement to enhance security further. For instance, if you only require numbers and lowercase letters, the indicator might suggest adding uppercase characters and symbols.
Password Length: Use the slider to select the minimum and maximum number of characters for password length.
Mixed-Cased Letters: Select the minimum number of uppercase or lowercase letters that the password must contain.
Numbers or Special Characters: Select the minimum number of numbers or special characters that the password must contain.
Uppercase Letters: On the Advanced tab, enter the minimum number of capital letters (e.g., A, B, C) that the password must contain.
Lowercase Letters: On the Advanced tab, enter the minimum number of lowercase letters (e.g., a, b, c) that the password must contain.
Numbers: On the Advanced tab, enter the minimum number of digits (e.g., 0, 1, 2) that the password must contain.
Special Characters: On the Advanced tab, enter the minimum number of special characters (e.g., !, @, #, $, %) that the password must contain.
Click Apply.
Note
After the setting is applied, users whose current password does not meet the new requirements will be prompted to update their password the next time they log in.
Configure the Block list of vulnerable passwords
The Password Block List allows you to create a list of weak, compromised, or predictable passwords to prevent Users from using them. To enable the password block list with the predefined password dictionary, follow the steps below:
Set the Passwords Block List toggle to ON.
Click the Enable predefined password dictionary checkbox.
Note
The predefined password dictionary consists of the most common passwords in use. It is recommended by the National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP) not to use the passwords in this list.
Click Apply.
To add passwords to the block list, follow the steps below:
Note
Both the predefined password dictionary, as shown above, and the custom blocklist, as shown below, can be used together.
Enter the passwords to block, one per line, in the Password Block List section.
Alternatively, click Upload List and upload a text file that contains the passwords.
Click Apply.
To test whether a password would be allowed or blocked by the block list, do the following:
Enter the password to test in the Test Password field.
A message will appear below the text field to indicate whether the password is allowed or blocked.
Configure password history and reuse restrictions
This setting configures the policy for password expiry, reuse, and whether a User can set their password to be the same as the username.
Click Modify in the Passwords History section.
For the Password Expiration Date, select a value from the drop-down list. The available values to select are: Never Expires, or 30, 60, 90, 120, 180, 365 days.
Note
The password expiration countdown starts when the setting is applied and is global, not per User. When the configured period has elapsed, all users will be required to update their passwords at their next login. For example, if a 30-day Password Expiration Date is applied on July 1, passwords for all users are deemed to have expired on July 31. The 30-day timer will restart on July 31.
For Password Uniqueness, enable the password reuse prevention requirement by selecting the checkbox and selecting a numerical value from the drop-down for the number of past passwords that the user cannot reuse.
Note
This number represents how many previous passwords the system will remember for each user. A user will be unable to use any of these past passwords when creating a new one. For example, if you set this value to 5, a user who has changed their password five times will not be able to use their first, second, third, fourth, or fifth password again. A higher number increases security by making it more difficult for attackers to reuse a compromised password.
For Password Uniqueness, select the Ensure the new password isn't the same as the username checkbox to prevent the new password from being set as the username.
Click Apply.
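As an added example (not CloudConnexa code), the following Python checks a candidate password against the rules described in the Password Strength, Password Block List and Password History sections above. The defaults mirror the documented default policy; the matching details (case-insensitive block-list lookup, any non-alphanumeric character counted as special) and the sample block list and STRICT policy are assumptions, not settings taken from the product.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    """Knobs of the Password Management page; defaults mirror the documented default policy."""
    min_length: int = 8           # Password Length slider: default 8 to 70 characters
    max_length: int = 70
    min_letters: int = 1          # "Mixed-Cased Letters": uppercase or lowercase letters
    min_num_or_special: int = 1   # "Numbers or Special Characters"
    min_upper: int = 0            # Advanced tab settings, not enforced by default
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0
    history_depth: int = 3        # Password Uniqueness: last 3 passwords cannot be reused
    block_username: bool = True   # "Ensure the new password isn't the same as the username"
    block_list: frozenset = frozenset()  # predefined dictionary plus custom entries, lowercased

def check_password(policy, candidate, username="", previous=()):
    """Return the list of violated rules; an empty list means the password is allowed."""
    errors = []
    n = len(candidate)
    if not policy.min_length <= n <= policy.max_length:
        errors.append(f"length {n} outside {policy.min_length}-{policy.max_length}")
    upper = sum(c.isupper() for c in candidate)
    lower = sum(c.islower() for c in candidate)
    digits = sum(c.isdigit() for c in candidate)
    special = sum(not c.isalnum() for c in candidate)  # assumption: any non-alphanumeric counts
    if upper + lower < policy.min_letters:
        errors.append(f"needs {policy.min_letters} letter(s)")
    if digits + special < policy.min_num_or_special:
        errors.append(f"needs {policy.min_num_or_special} number(s) or special character(s)")
    for label, count, need in (("uppercase", upper, policy.min_upper),
                               ("lowercase", lower, policy.min_lower),
                               ("digit", digits, policy.min_digits),
                               ("special", special, policy.min_special)):
        if count < need:
            errors.append(f"needs {need} {label} character(s)")
    # Block list lookup is assumed case-insensitive; the page does not state the matching rule.
    if candidate.lower() in policy.block_list:
        errors.append("password is on the block list")
    if policy.block_username and username and candidate.lower() == username.lower():
        errors.append("password must differ from the username")
    # Only the most recent history_depth entries count; previous is ordered oldest first.
    if policy.history_depth and candidate in previous[-policy.history_depth:]:
        errors.append(f"matches one of the last {policy.history_depth} passwords")
    return errors

# Constructed sample data, not from any real deployment.
BLOCK_LIST = frozenset({"password123", "qwerty", "companyname2025"})
STRICT = PasswordPolicy(min_length=12, min_upper=1, min_lower=1, min_digits=1,
                        min_special=1, history_depth=5, block_list=BLOCK_LIST)
```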
Configure account lockout policy
The Account Lockout Policy allows you to lock any user account for a configured time period after a configured number of failed login attempts. Use of this policy significantly increases the system's resistance to possible credential stuffing attacks. To configure the account lockout policy, follow the steps below:
Set the Account Lockout Policy toggle to ON.
Click Modify.
Select a value from the Login Attempts drop-down.
Select a value from the Lockout Duration drop-down.
Click Apply.
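The lockout semantics described above, as an added example that is not part of the CloudConnexa product: a per-user tracker that locks an account once the configured number of consecutive failures is reached and releases it when the lockout duration has elapsed. The policy values are constructed, and time is passed in explicitly (seconds) so the behaviour is deterministic; a real service would read a monotonic clock.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LockoutPolicy:
    login_attempts: int = 5          # "Login Attempts" drop-down; constructed value
    lockout_seconds: int = 15 * 60   # "Lockout Duration" drop-down; constructed value

class LockoutTracker:
    """Per-user failed-login counter that enforces the configured lockout window."""
    def __init__(self, policy):
        self.policy = policy
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> timestamp at which the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear it and reset the counter so the user starts fresh.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Record one login attempt at time `now`; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, now):
            return "locked"  # even a correct password is rejected while the lock holds
        if password_ok:
            self.failures.pop(user, None)  # a success resets the consecutive-failure count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.login_attempts:
            self.locked_until[user] = now + self.policy.lockout_seconds
        return "failed"
```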
Implementing Effective Password Policies
Password security best practices are well documented across the cybersecurity industry and include further password requirements that address modern use cases:
NIST (U.S. National Institute of Standards and Technology) - Last Updated: 2024
ISO/IEC 27001 & 27002 (International Standards for Information Security) - Last Updated: 2022
CIS Controls (Center for Internet Security) - Last Updated: 2021
PCI DSS v4.0 (Payment Card Industry Data Security Standard) - Last Updated: 2022
HIPAA (U.S. Health Insurance Portability and Accountability Act) - Last Updated: 2025
OWASP Authentication Guidelines - Last Updated: 2023
GDPR (General Data Protection Regulation) - Last Updated: 2018
ENISA Guidance on Secure Passwords - Last Updated: 2023
As an administrator, your goal is to protect the organization without creating friction for your users. This guide outlines how to configure your password policy feature to align with the latest security standards from NIST, CIS, and others.
These settings are crucial for a baseline of modern, enterprise-level security.
Minimum Length: Enforce a minimum password length of 12 characters. While 8 is the absolute minimum in some standards, 12 provides a much stronger defense against modern brute-force attacks. For privileged or administrator accounts, a minimum of 15 characters is strongly recommended.
Password History: Prevent users from reusing their last 5–10 passwords. This simple rule ensures that users can't cycle through a few weak passwords to get back to a familiar one.
Compromised Password Blocking: Implement a feature that blocks passwords found in known data breaches, dictionaries, or common password lists. This is a powerful, proactive defense that prevents users from setting a password that is already a known risk (e.g., password123, qwerty, Companyname2025).
Account Lockout: Configure an account lockout policy that locks an account after 5–10 consecutive failed login attempts. This is a critical defense against automated brute-force attacks.
Multi-Factor Authentication (MFA) Enforcement: Mandate MFA for all user accounts, especially those with access to sensitive data or privileged systems. This is the single most effective security control you can implement. In a security-first environment, passwords should be viewed as a single layer, with MFA as the primary defense.
Secure Hashing: Ensure your system uses a modern, secure hashing algorithm (e.g., bcrypt, scrypt, or Argon2) to store passwords. Explicitly deprecate and block the use of older, vulnerable algorithms like SHA-1 and MD5.
These are settings that improve security and usability by removing outdated, frustrating requirements.
Stop Arbitrary Rotation: Do not force periodic password changes (e.g., every 90 days). The policy should be to only require a password change if there is evidence of a breach or compromise. This practice significantly reduces password reset fatigue and the use of predictable password patterns.
Length Over Complexity: Remove mandatory complexity rules (e.g., requiring a mix of uppercase, lowercase, numbers, and symbols). Instead, focus on encouraging longer passwords (up to 64 characters). This allows for the use of more secure and memorable passphrases, which are both stronger and easier for users to manage.
Allow Password Managers & Pasting: Enable the ability for users to copy and paste passwords into login fields. This is a vital feature that allows users to leverage password managers, which are an essential tool for creating and storing long, complex, and unique passwords for every account.
Deprecate Security Questions: Remove knowledge-based "security questions" as a password recovery method. These are easily compromised through social engineering. Replace them with secure, out-of-band recovery methods, such as an email link to a user's verified secondary email address or an MFA-enabled recovery process.
By implementing these features, you can create a password policy that not only meets but exceeds modern security standards while building a culture of security that your employees will embrace, not resist.