What's New

Password Policy updates (2019-07-11)

Brad Marshall
  • Agilix team member

Domains (e.g., school, district) can have a password policy that:

  • Determines the rules for password requirements for their users.
  • Defines what should happen when a user attempts to log in with an incorrect password.

On July 11, 2019, we will implement additional security updates to the default password policy.

Who is impacted by these changes?

These changes will impact all users who authenticate with their Buzz credentials in domains that do not already have their own password policy (either inherited from a parent domain or explicitly set on the domain itself).

Who is not impacted by these changes?

These changes will not impact any user in a domain that already has a password policy in place, either inherited from a parent domain or explicitly set on the domain itself. Nor will they impact any user who authenticates into Buzz with single sign-on (SSO).

When and what will the changes be?

Beginning July 11, 2019, the following rules will be applied:

  • The setting Number of unsuccessful login attempts before lockout will be set to 7 attempts. This means that if a user enters an incorrect password 5 consecutive times, their account will be locked. For their account to be unlocked, an administrator must reset the user’s lockout (see How do I override password lockout for a user?) or the user must wait until their lockout duration expires.
  • The setting Lockout duration will be set to 3 hours (PT3H). This means that if a user is locked out due to unsuccessful login attempts, they will not be able to log in again until 3 hours after the lockout began.
  • The setting Minimum password length will be set to 8 characters. This means that a password of at least 8 characters will be required when changing a password or creating a new user.
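The three defaults above, modelled as an added Python example that is not Buzz's own code: a consecutive-failure counter that locks the account after the configured number of attempts, an ISO 8601 lockout duration (PT3H) enforced until it expires, the minimum-length check on password creation, and the administrator's lockout override. The policy dict keys, the Account class, the use of a plain seconds-since-epoch clock and the rule that a user created without a password can never log in with one (not even an empty string) are my assumptions, not Buzz API behaviour.

```python
import hashlib
import hmac
import os
import re

# Defaults announced on this page; the dict keys are my own names, not Buzz setting identifiers.
DEFAULT_POLICY = {"max_failed_attempts": 7, "lockout_duration": "PT3H", "min_password_length": 8}

def parse_iso_duration(value):
    """Parse the ISO 8601 time-duration form the page uses (PT3H) into seconds; H/M/S only."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value}")
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 3600 + mi * 60 + s

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Assumed user record; an SSO-only user is created with no password, so no hash is stored."""
    def __init__(self, password=None, policy=DEFAULT_POLICY):
        self.salt = os.urandom(16)
        self.password_hash = None
        if password is not None:
            if len(password) < policy["min_password_length"]:
                raise ValueError("password shorter than policy minimum")
            self.password_hash = hash_password(password, self.salt)
        self.failed_attempts, self.locked_until = 0, None

def attempt_login(account, password, now, policy=DEFAULT_POLICY):
    """Return 'ok', 'denied' or 'locked'; `now` is seconds since the epoch."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"                       # still inside the lockout duration
    if account.password_hash is None:
        return "denied"                       # no password stored: nothing, not even "", can match
    if hmac.compare_digest(account.password_hash, hash_password(password, account.salt)):
        account.failed_attempts, account.locked_until = 0, None   # success clears the counter
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= policy["max_failed_attempts"]:
        account.locked_until = now + parse_iso_duration(policy["lockout_duration"])
        account.failed_attempts = 0
        return "locked"
    return "denied"

def admin_reset_lockout(account):
    # What the administrator's lockout override does: clear both the lock and the failure counter.
    account.failed_attempts, account.locked_until = 0, None
```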

What if I want a more (or less) strict password policy?

If you wish to opt for a different password policy, you can do so today (see How do I set up my domain password policy?). A password policy is inherited by subdomains. This allows you to define one at the top level to be inherited by all subdomains and to change it for a specific school. Alternatively, you can set it on each domain if you need a unique password policy for each.

Comments (3)

Michael Denton

The SSO users are NOT currently exempted from this policy update. A new user was created in GeniusSIS, the domain is configured to use CAS, and a password length error message was returned back to Genius.

Brad Marshall
  • Agilix team member

Hey Michael, CAS/SAML (SSO) credentials are exempt from this. However, when a user is created in Buzz and a password is provided, then their Buzz password must meet system requirements. If the user is supposed to log in strictly using SSO credentials, then the user should be created without a password.

Michael Denton

Thank you for the quick response. I will need to run some tests to make sure a null password cannot be hacked by an application which can pass a null string to the API.
