Best Practice for New Password Policy?
Question asked by Joe Dellaragione - 1/29/2018 at 11:45 AM
Looking for some advice on accomplishing the following: 

Right now my password policy is set to 6 characters, upper, lower, number. 

I want to change this to 8 characters, upper, lower, number, special character, no common word. 
If I change the requirements in Settings > PW Requirements, will it only affect FUTURE passwords? If so, is there a way for me to give people a week or two to change their own passwords and then, on a certain date, lock out anyone who doesn't meet the new requirement and force a reset? It looks like I can only expire all passwords, which would also expire the people that changed to the new requirement ahead of the deadline.

2 Replies

Ryan Wittenauer Replied
There is an option to skip enforcement for current passwords that may be helpful.
I believe that if you set passwords to expire after a certain amount of time it should work per account. So the timer is reset per account once their password is changed, though there may need to be more clarification on that.
Here is a link to the guide for that if you need more clarification on the options available.
Emmet McGovern Replied
Wouldn't it just be easier if SM implemented an entropy calculator and just did away with the false sense of security the uppercase, lowercase, number, symbol passwords provide?
We've adopted this in every application we've written since the code has been released. It makes way more sense to the end user and leads to a lot fewer password recovery requests. Plus you get to have some pretty fun passwords.
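As an added illustration of the two approaches discussed in this thread (this is example code, not SmarterMail's implementation and not from either reply), the script below checks a candidate against the composition policy from the question and against a naive charset-based entropy estimate. The common-word list, the 60-bit threshold and the sample passwords are constructed for the demo.

```python
import math
import string

# Constructed stand-in for a dictionary of common words (a real check would use a large list).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "monday"}
# Map common digit-for-letter substitutions back so "Passw0rd" still trips the word check.
LEET = str.maketrans("0134578", "oleastb")

def char_classes(pw: str) -> dict:
    """Which character classes the password draws from (drives both checks below)."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
        "space": " " in pw,
    }

def meets_composition_policy(pw: str) -> bool:
    """The policy proposed in the question: 8+ chars, upper, lower, digit, special, no common word."""
    cls = char_classes(pw)
    if len(pw) < 8 or not (cls["lower"] and cls["upper"] and cls["digit"] and cls["special"]):
        return False
    normalised = pw.lower().translate(LEET)
    return not any(word in normalised for word in COMMON_WORDS)

def charset_entropy_bits(pw: str) -> float:
    """Naive entropy estimate: length * log2(size of the smallest charset covering the password)."""
    cls = char_classes(pw)
    pool = (26 * cls["lower"] + 26 * cls["upper"] + 10 * cls["digit"]
            + len(string.punctuation) * cls["special"] + cls["space"])
    return len(pw) * math.log2(pool) if pool else 0.0

def evaluate(pw: str, min_bits: float = 60.0) -> dict:
    """Compare the two approaches for one candidate password (threshold is a constructed choice)."""
    bits = charset_entropy_bits(pw)
    return {
        "composition_ok": meets_composition_policy(pw),
        "entropy_bits": round(bits, 1),
        "entropy_ok": bits >= min_bits,
    }

if __name__ == "__main__":
    # "Aa1!Aa1!" satisfies every composition rule yet scores low on entropy; the passphrase
    # fails composition but scores high; "Summer2018!" is overrated by the charset estimate
    # and only the common-word rule catches it.
    for candidate in ("Summer2018!", "Aa1!Aa1!", "correct horse battery staple"):
        print(f"{candidate!r:32} {evaluate(candidate)}")
```

The three samples show why neither check is sufficient alone: the charset estimate ignores dictionary words, and composition rules accept short repetitive strings while rejecting long passphrases.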
