A user password policy for helpdesk users is extremely important because helpdesk staff often have access to sensitive information. This policy should ensure data security and protect systems from unauthorized access.
The password policy is configured in the “Security/Authorization” menu, under the “Security” tab:
1. Password expiration date (days). When the period expires, the system will force the user to renew their password.
2. Password complexity validator.
These items set the minimum number of characters and the required password complexity for users, so that they cannot choose passwords so simple that an attacker could easily guess them.
Once the validator is installed, the password requirements will be applied system-wide:
- at registration;
- in the contact card;
- in the user's personal settings;
- and while resetting the password.
Automatic password generation by default includes special characters and a minimum length of 12 characters.
If a password complexity validator is in use, passwords are generated according to the current system policy.
3. Check password policies at login. If enabled, the complexity of the user's password is checked at the next authentication. If the password does not comply with the current password policy, the user will have to change it. This works only for authorization through the login form on the site.
If you change a user's password while that user is logged in, the user will be automatically logged out within 10 minutes, even if the “remember me” setting was enabled. Keep this in mind when changing passwords for employees during working hours. The only exception is when the user changes their own password through the profile or contact card.
The “Check password policies at login” setting is disabled by default. When enabled, each user's password is checked for compliance with the configured policy at login. If the setting stays disabled, existing user passwords remain unchanged, but new users, and any user who changes their password, will still have the password policy applied.
4. Forced password change on first authorization.
After a contact is created, the system will always force the user to set a password of their own at their first authorization. With this setting enabled, note one consequence that raises the security of password hand-over and account creation: if, for example, an administrator changes the password in the contact card for an employee, then after the employee authorizes, the system will again ask them to change the password to one of their own. This is done so that a third party (in this case, the administrator who reset the password and handed it to the employee) does not retain access to the user's account.
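To make the settings above concrete, here is an added example (not code from the product described on this page) that models settings 1 to 3: a policy object that validates a password against a minimum length and character-class rules, generates a compliant password with a cryptographic random source, and decides whether a password has passed its expiration period. The 12-character minimum and the special-character requirement follow the generation defaults stated above; the uppercase/digit rules, the 90-day default and the `PasswordPolicy` name are assumptions for the illustration.

```python
import secrets
import string
from datetime import datetime, timedelta

# Constructed set of special characters accepted by the validator (assumption).
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"


class PasswordPolicy:
    """Hypothetical model of the validator, generator and expiry settings."""

    def __init__(self, min_length=12, require_special=True, expiry_days=90):
        self.min_length = min_length        # setting 2: minimum number of characters
        self.require_special = require_special
        self.expiry_days = expiry_days      # setting 1: password expiration (days)

    def validate(self, password: str) -> list[str]:
        """Return the list of violated rules; an empty list means the password complies."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_special and not any(c in SPECIALS for c in password):
            problems.append("no special character")
        return problems

    def generate(self) -> str:
        """Generate a password that satisfies validate(), using secrets (not random)."""
        alphabet = string.ascii_letters + string.digits
        if self.require_special:
            alphabet += SPECIALS
        while True:  # rejection sampling: retry until every class is present
            candidate = "".join(secrets.choice(alphabet) for _ in range(self.min_length))
            if not self.validate(candidate):
                return candidate

    def is_expired(self, last_changed: datetime, now: datetime) -> bool:
        """True once the password is older than expiry_days and must be renewed."""
        return now - last_changed >= timedelta(days=self.expiry_days)
```

The same `validate()` call is what a system would run at registration, in the contact card, in personal settings, on reset and, with setting 3 enabled, at login.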