Stronger Password Policies

Please note that this document is a draft and still not finalized.

This page describes how to configure strong password policies on App and Web

1 Available Password Policies
2 Setting-up Password Policies
3 Password Policies on Web and App
- 3.1 Web
  - 3.1.1 Join Us Flow
  - 3.1.2 Reset Password Flow
  - 3.1.3 Log In Flow
- 3.2 App
  - 3.2.1 Join Us Flow
  - 3.2.2 Reset Password Flow
  - 3.2.3 Log in Flow
4 Password Lifetime on Web and App

Available Password Policies

The following password policies are supported by the current implementation for both web and mobile applications and can be configured based on the requirements of the users.

Password lifetime: 90 days
Max number of wrong login attempts: 5
Minimum length: 8 characters
Maximum length: x characters
A password can’t contain:
- Member number
- Name
Out of the 4 password policy requirements below, only 3 of them needs to be fulfilled for a password to be accepted as a valid strong password.
- Needs to contain: Capital letter
- Needs to contain: Small letter
- Needs to contain: Number
- Needs to contain: Special character !, @, #, $, %, ^, &, *

Setting-up Password Policies

The following settings should be enabled and configured in order to set up the password policies for a particular installation.

enablePasswordPolicies

Only if enablePasswordPolicies is TRUE , the password policies can be configured to validate passwords while setting up and resetting them.

customerPasswordLifetimeValue

The customerPasswordLifetimeValue is the setting that can be used to specify the life time of a given password.

customerPasswordMinimumLength

customerMaxWrongLoginAttempts

Password Policies on Web and App

Web

Join Us Flow

When onboarding using the ‘Join Us’ flow, all the password policies will be checked when the user tries to configure a password for his user account.

Reset Password Flow

If the user has forgotten his password or the account is locked after the allowable number of logging-attempts, he will be directed to the following password reset screen where all the password policies are checked.

Log In Flow

While logging into the system, upon each unsuccessful attempt, the user will be notified about the remaining number of attempts and if he exceeds the total allowable number of attempts, the account will get locked and the user will be prompted to reset the password.

App

Join Us Flow

When onboarding using the ‘Join Us’ flow, all the password policies will be checked when the user tries to configure a password for his user account.

Reset Password Flow

The reset password flow is handled by a web view, where the user will get directed to a URL out of the mobile app.

Log in Flow

While logging into the system, upon each unsuccessful attempt, the user will be notified about the remaining number of attempts and if he exceeds the total allowable number of attempts, the account will get locked and the user will be prompted to reset the password.

Password Lifetime on Web and App

The password lifetime suggests for how long a specific password is active.

The default lifetime of a password is set to 90 days about which the user will be notified 3 days before the password expiration.

If the user has exceeded the max no of wrong login attempts users can contact back office admin and can reset their passwords Users can use reset password flow in the app and web.