Secure user information with greater control over password requirements.
To set your password policy:
- Select More from the Header menu.
- Select Domain Settings.
- Locate the Authentication-password policy card and complete the following sections:
  - password lockout, expiration, and reset settings
  - volatile password-strength settings
  - basic password-strength settings
  - password-policy enforcement settings
    - Note: This section specifies how you want to enforce the rules you define in the other sections.
Password lockout, expiration, and reset settings
As part of your password policy, you can control when users are locked out of their account, how lockouts work, if and when passwords expire, and how often users can reuse a previously used password.
You are asked to define:
- The number of unsuccessful login attempts before lockout. This number must be between 1 and 100.
- The number of minutes until lockout expires.
  - By default, lockouts don't expire, meaning admins must override them.
  - If you enter a number, it must be a positive whole number.
- The number of days until passwords expire. By default, passwords don't expire.
- The number of days to wait before you can reuse a password. By default, there is no wait.
- The number of days to wait before locking out stale accounts (accounts without login). By default, there is no lockout for stale accounts.
Volatile password-strength settings
Your volatile password-strength settings are intended to help users secure their accounts. They are called volatile because later events can make a previously secure password no longer secure.
You can specify:
- The minimum-allowed password strength (entropy). This is a numeric measure of how easily a password can be discovered in an attack; the greater the entropy number, the stronger the password. A strength of 64 or higher is recommended. Select Help me choose to learn more.
- Any domain-specific words that weaken password strength. Here you can enter terms that users might be tempted to use, but would weaken the password (e.g., the name of the platform or the name of their school).
- Whether to reject known-breached passwords. Selecting this engages a secure check of the chosen password against a database of passwords that are known to have been compromised.
  - Note: Buzz automatically alerts users to compromised passwords whether you check this box or not. The rejection is only enforced if you check the box, and follows the behavior you define below.
Basic password-strength settings
Your basic password-strength settings include:
- The minimum password length in characters. This number must be between 1 and 100.
- The minimum character classes used, up to four (a-z, A-Z, 0-9, other).
Password-policy enforcement settings
Set up your password-policy enforcement actions. These are the actions you want Buzz to take when users have passwords that don't conform with the rules you've specified in your policy.
- These options include combinations of warnings or blocks that you want implemented:
  - When a user changes their password without conforming to the policy.
  - When a user logs in with a password that doesn't conform to the policy.
- Save.
Note: It may take up to 15 minutes to apply password-policy changes.
Policies and enforcement appear to users in the Change password screen.
ISO duration designators
ISO durations use one-letter designators and a simple format to indicate standardized time intervals. To enter a duration:
- Enter P (period) if you want to use days, weeks, months, or years as your unit of time, and PT (period, time) if you want to use seconds, minutes, or hours.
- Enter the number of units that you want to use.
- Enter the desired time unit designators:
  - D (days), W (weeks), M (months), Y (years) if you used P.
  - S (seconds), M (minutes), H (hours) if you used PT.
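The steps above, as an added example (not Buzz code): a Python validator for the single-unit form this page describes, showing that M means months after P and minutes after PT. The function names are hypothetical, and combined durations such as P1DT12H, which ISO 8601 also allows, are rejected here by design.

```python
import re

# Designators as listed on this page: date units follow P, time units follow PT.
DATE_UNITS = {"D": "days", "W": "weeks", "M": "months", "Y": "years"}
TIME_UNITS = {"S": "seconds", "M": "minutes", "H": "hours"}

# Single-unit form only (assumption of this example): P or PT, a whole number, one letter.
_DURATION = re.compile(r"(PT?)([0-9]+)([A-Z])")


def parse_duration(text):
    """Return (count, unit_name) for a single-unit duration such as 'PT15M'."""
    match = _DURATION.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"{text!r}: expected P or PT, a whole number, one unit letter")
    prefix, digits, letter = match.groups()
    units = TIME_UNITS if prefix == "PT" else DATE_UNITS
    if letter not in units:
        raise ValueError(f"{text!r}: {letter} is not valid after {prefix} (use {', '.join(units)})")
    return int(digits), units[letter]


def to_minutes(text):
    """Convert a fixed-length duration to minutes. Months and years are refused
    because their length depends on the calendar."""
    count, unit = parse_duration(text)
    per_unit = {"seconds": 1 / 60, "minutes": 1, "hours": 60, "days": 1440, "weeks": 10080}
    if unit not in per_unit:
        raise ValueError(f"{text!r}: {unit} has no fixed length in minutes")
    return count * per_unit[unit]


if __name__ == "__main__":
    # Constructed sample inputs; the M designator changes meaning with the prefix.
    for sample in ["PT15M", "P15M", "P90D", "PT2H", "P2H", "15M"]:
        try:
            print(sample, "->", parse_duration(sample))
        except ValueError as err:
            print("rejected:", err)
```

Checking a value this way before saving catches the common slip of entering P15M (15 months) when PT15M (15 minutes) was intended.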
Enable students to change their passwords
- In Domain Settings, locate the Student Options card.
- Check the box next to Allow students to change their password.