Domains (e.g., school, district) can have a password policy that:
- Determines the rules for password requirements for their users.
- Defines what should happen when a user attempts to log in with an incorrect password.
On July 11, 2019, we will implement additional security updates to the default password policy.
Who is impacted by these changes?
These changes will impact all users in domains that do not already have their own password policy (either inherited from a parent domain or explicitly set on the domain itself) and who authenticate with their Buzz credentials.
Who is not impacted by these changes?
These changes will not impact any user in a domain that already has a password policy in place, either inherited from a parent domain or explicitly set on the domain itself. Nor will they impact any user who authenticates into Buzz with single sign-on (SSO).
When and what will the changes be?
Beginning July 11, 2019, the following rules will be applied:
- The setting Number of unsuccessful login attempts before lockout will be set to 7 attempts. This means that if a user enters an incorrect password 5 consecutive times, their account will be locked. For their account to be unlocked, an administrator must reset the user’s lockout (see How do I override password lockout for a user?) or the user must wait until their lockout duration expires.
- The setting Lockout duration will be set to 3 hours (PT3H). This means that if a user has a lockout due to unsuccessful login attempts, they will not be able to log in again until 3 hours after the lockout began.
- The setting Minimum password length will be set to 8 characters. This means that a password of at least 8 characters will be required when changing a password or creating a new user.
What if I want a more (or less) strict password policy?
If you wish to opt for a different password policy, you can do so today (see How do I set up my domain password policy?). A password policy is inherited by subdomains. This allows you to define one at the top level to be inherited by all subdomains and then change it for a specific school. Alternatively, you can set it on each domain if you need a unique password policy for each.