Secure your users' information with greater control over password requirements.
To set your password policy:
- Open Domain Settings.
- Scroll to the Authentication-password policy card and complete the following setting sections:
Note: If you have set up Single Sign-On (SSO) for Buzz using SAML or CAS and checked the Prevent users from using Buzz credentials box, you aren't able to set up a password policy using Buzz.
Password lockout, expiration, and reset settings
As part of your password policy, you can control when users are locked out of their account, how lockouts work, if and when passwords expire, and how often users can reuse a previously used password.
You are asked to define:
- The Number of unsuccessful login attempts before lockout. This number must be between 1 and 100.
- The number of Minutes until lockout expires.
  - By default, lockouts don't expire, meaning admins must override them.
  - If you enter a number, it must be a positive, whole number.
- The number of Days until passwords expire. By default, passwords don't expire.
- The number of Days to wait before you can reuse a password. By default, there is no wait.
- The number of Days to wait before locking out stale accounts (accounts without login). By default, there is no lockout for stale accounts.
Volatile password-strength settings
Your Volatile password-strength settings are intended to help users secure their accounts. They are called volatile because future events can make previously secure passwords no longer secure.
You are able to specify:
- The Minimum-allowed password strength (entropy). This is a numeric measure of how easily a password can be discovered in an attack; the greater the entropy number, the stronger the password. A strength of 64 or higher is recommended. Click Help me choose to learn more.
- Any Domain-specific words that weaken password strength. Here you can enter terms that users might be tempted to use, but would weaken the password (e.g., the name of the platform or the name of their school).
- If you want to Reject known-breached passwords. Clicking this engages a secure check of the chosen password against a database of passwords that are known to have been compromised.
  - Note: Buzz automatically alerts users to compromised passwords whether you check this box or not. The rejection is only enforced if you check the box, and follows the behavior you define below.
Basic password-strength settings
Your Basic password-strength settings include:
- The Minimum password length in characters. This number must be between 1 and 100.
- The Minimum character classes used, up to four (a-z, A-Z, 0-9, other).
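The stated setting ranges and the basic length and character-class rules, sketched as an added Python illustration; this is not Buzz code. The dictionary keys, the case-insensitive substring match for domain-specific words, and counting non-ASCII characters as "other" are assumptions; entropy scoring and the breached-password check are not modelled because this page does not describe how they are computed.

```python
import re

# The four character classes named on the page: a-z, A-Z, 0-9, other.
# Assumption: anything outside ASCII letters and digits counts as "other".
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]

# Constructed sample policy; key names are hypothetical, not Buzz setting names.
POLICY = {"lockout_attempts": 5, "lockout_minutes": 15,
          "min_length": 12, "min_classes": 3,
          "domain_words": ["buzz", "lincoln"]}

def validate_policy(p):
    """Check admin-entered values against the ranges the page states."""
    errors = []
    if not 1 <= p["lockout_attempts"] <= 100:
        errors.append("lockout_attempts must be between 1 and 100")
    mins = p.get("lockout_minutes")  # None = default: lockouts never expire
    if mins is not None and (not isinstance(mins, int) or mins <= 0):
        errors.append("lockout_minutes must be a positive whole number")
    if not 1 <= p["min_length"] <= 100:
        errors.append("min_length must be between 1 and 100")
    if not 0 <= p["min_classes"] <= 4:  # lower bound of 0 is an assumption
        errors.append("min_classes can be at most 4")
    return errors

def count_classes(pw):
    """Number of distinct character classes present in the password."""
    return sum(1 for c in CLASSES if re.search(c, pw))

def check_password(pw, p):
    """Return the list of policy findings for a candidate password."""
    findings = []
    if len(pw) < p["min_length"]:
        findings.append("too short")
    if count_classes(pw) < p["min_classes"]:
        findings.append("too few character classes")
    # Assumption: a domain-specific word is flagged on a case-insensitive match.
    hits = [w for w in p.get("domain_words", []) if w.lower() in pw.lower()]
    if hits:
        findings.append("contains domain-specific word: " + ", ".join(hits))
    return findings

if __name__ == "__main__":
    for candidate in ["Buzz2024", "lowercaseonlypass", "tr4il-Mix_quartz9"]:
        print(candidate, "->", check_password(candidate, POLICY) or "conforms")
```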
Password-policy enforcement settings
Set up your Password-policy enforcement actions. These are the actions you want Buzz to take when users have passwords that don't conform with the rules you've specified in your policy.
- These options include combinations of warnings or blocks that you want implemented:
  - When a user changes their password without conforming to the policy.
  - When a user logs in with a password that doesn't conform to the policy.
- Note: It may take up to 15 minutes to apply password-policy changes.
Policies and enforcement appear to users in the Change password screen.