Configure custom password policies to meet your organization's security requirements and compliance needs.
Default Password Policy
Without customization, Zenovay requires:
- Minimum 8 characters
- No other restrictions
- No expiration
- No history tracking
Custom Policy Options
Password Requirements
| Setting | Options | Default |
|---|---|---|
| Minimum length | 8-128 characters | 8 |
| Maximum length | 64-128 characters | 128 |
| Require uppercase | Yes/No | No |
| Require lowercase | Yes/No | No |
| Require numbers | Yes/No | No |
| Require special characters | Yes/No | No |
| Disallow common passwords | Yes/No | Yes |
Password Lifecycle
| Setting | Options | Default |
|---|---|---|
| Password expiration | Never, 30-365 days | Never |
| Expiration warning | 1-30 days before | 7 days |
| Password history | 0-24 passwords | 0 |
| Minimum age | 0-30 days | 0 |
Account Lockout
| Setting | Options | Default |
|---|---|---|
| Lockout threshold | 3-10 attempts | 5 |
| Lockout duration | 1-60 minutes | 15 min |
| Reset count after | 1-60 minutes | 30 min |
Configuring Password Policy
Access Settings
- Go to Settings → Security
- Click "Password Policy"
- Configure options
- Save changes
Configuration Form
```
┌─────────────────────────────────────────────┐
│ Password Policy                             │
│ ─────────────────────────────────────────── │
│                                             │
│ Complexity Requirements                     │
│ ───────────────────────                     │
│ Minimum length: [12 ] characters            │
│ Maximum length: [128 ] characters           │
│                                             │
│ Required characters:                        │
│ ☑ Uppercase letters (A-Z)                   │
│ ☑ Lowercase letters (a-z)                   │
│ ☑ Numbers (0-9)                             │
│ ☐ Special characters (!@#$%^&*)             │
│                                             │
│ ☑ Block common passwords                    │
│ ☐ Block passwords containing username       │
│                                             │
│ Password Lifecycle                          │
│ ──────────────────                          │
│ Expiration: [90 days ▼]                     │
│ Warning before expiration: [14] days        │
│ Password history: [5] passwords             │
│ Minimum password age: [1] days              │
│                                             │
│ Account Lockout                             │
│ ───────────────                             │
│ Lock after: [5] failed attempts             │
│ Lock duration: [30] minutes                 │
│                                             │
│ [Save Policy]                               │
└─────────────────────────────────────────────┘
```
Recommended Policies
Basic Security
Minimum recommended:
Minimum length: 10
Uppercase: Required
Lowercase: Required
Numbers: Required
Block common passwords: Yes
Enhanced Security
For sensitive data:
Minimum length: 12
Uppercase: Required
Lowercase: Required
Numbers: Required
Special characters: Required
Block common passwords: Yes
Password expiration: 90 days
Password history: 5
Lockout after: 5 attempts
Compliance-Focused
For regulated industries:
Minimum length: 14
All character types: Required
Block common passwords: Yes
Block username in password: Yes
Password expiration: 60 days
Password history: 12
Minimum age: 1 day
Lockout after: 3 attempts
Lockout duration: 30 minutes
Password Strength Meter
Visual Feedback
Users see strength indicator:
```
Password: ••••••••••••
Strength: [████████░░] Strong

Requirements:
✓ At least 12 characters
✓ Contains uppercase
✓ Contains lowercase
✓ Contains numbers
✗ Contains special character (optional)
```
Strength Levels
| Level | Criteria |
|---|---|
| Weak | Fails requirements |
| Fair | Meets minimum only |
| Good | Exceeds minimum |
| Strong | Well above minimum |
| Excellent | Maximum strength |
Password Expiration
How Expiration Works
When enabled:
- Password has set lifetime
- Warning shown before expiration
- Must change on/after expiration
- Old password doesn't work
Expiration Notifications
Users receive:
- Email warning at 14 days
- Email warning at 7 days
- Email warning at 1 day
- Login prompt on expiration
Grace Period
After expiration:
- User must change password
- Can still authenticate to change
- No access until changed
Password History
How History Works
When configured:
- System tracks X previous passwords
- Cannot reuse tracked passwords
- Encourages unique passwords
History Example
With history of 5:
Current password → Not reusable
Password 2 ago → Not reusable
Password 3 ago → Not reusable
Password 4 ago → Not reusable
Password 5 ago → Not reusable
Password 6 ago → Can reuse
Minimum Age
Prevents rapid cycling:
- User changes password
- Cannot change again for X days
- Prevents defeating history
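The expiration, history and minimum-age rules described above, as an added Python example that is not Zenovay's code: history entries are stored as salted PBKDF2 hashes rather than plaintext, and the `PasswordLifecycle` class, its field names and the `at()` clock are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1)                     # constructed clock start for the demonstration
def at(days, hours=0):
    return T0 + timedelta(days=days, hours=hours)

class PasswordLifecycle:
    """One account's password history and change date under the lifecycle settings above.
    History holds salted PBKDF2 hashes, never plaintext (constructed storage, not Zenovay's)."""
    ITERATIONS = 20_000   # kept low for the example; production uses a far higher cost or argon2id

    def __init__(self, history_size=5, min_age_days=1, expiration_days=90, warning_days=14):
        self.history_size, self.min_age_days = history_size, min_age_days
        self.expiration_days, self.warning_days = expiration_days, warning_days
        self.history = []        # newest first; entry 0 is the current password
        self.changed_at = None

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def _in_history(self, password):
        return any(hmac.compare_digest(self._hash(password, s), h) for s, h in self.history)

    def change_password(self, new_password, now):
        """Apply minimum age, then history; return None on success or the user-facing error."""
        if self.changed_at and now - self.changed_at < timedelta(days=self.min_age_days):
            return f"Password cannot be changed again for {self.min_age_days} day(s)"
        if self.history_size and self._in_history(new_password):
            return "You've used this password recently"
        salt = os.urandom(16)
        self.history.insert(0, (salt, self._hash(new_password, salt)))
        # "History of 5" on this page means the current password plus the four before it.
        del self.history[max(self.history_size, 1):]
        self.changed_at = now
        return None

    def status(self, now):
        """'ok', 'warn' (inside the warning window) or 'expired' (only a password change is allowed)."""
        if not self.expiration_days or self.changed_at is None:
            return "ok"
        expires_at = self.changed_at + timedelta(days=self.expiration_days)
        if now >= expires_at:
            return "expired"
        return "warn" if now >= expires_at - timedelta(days=self.warning_days) else "ok"
```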
Account Lockout
Lockout Process
- User enters wrong password
- Attempt counted
- After threshold, account locked
- User sees lockout message
- Unlocks after duration or admin action
Lockout Notification
```
Your account has been locked due to multiple
failed login attempts.

Please wait 30 minutes or contact your
administrator to unlock your account.
```
Admin Unlock
Admins can unlock immediately:
- Go to Team → Members
- Find locked user
- Click "Unlock Account"
- User can try again
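The lockout process and admin unlock above as an added example, not Zenovay's implementation: the `LockoutTracker` class, its method names, the `at()` clock and the choice that attempts made during a lockout do not extend it are all assumptions.

```python
from datetime import datetime, timedelta
from math import ceil

T0 = datetime(2024, 1, 1, 9, 0)          # constructed clock start for the demonstration
def at(minutes):
    return T0 + timedelta(minutes=minutes)

class LockoutTracker:
    """Per-account failed-login counter for the three lockout settings above
    (added example, in-memory only; not Zenovay's implementation)."""
    def __init__(self, threshold=5, lockout_minutes=15, reset_minutes=30):
        self.threshold = threshold
        self.lockout = timedelta(minutes=lockout_minutes)
        self.reset_window = timedelta(minutes=reset_minutes)
        self.failures, self.last_failure, self.locked_until = 0, None, None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now):
        """Count a wrong password; return True if the account is (now) locked."""
        if self.is_locked(now):
            return True                      # attempts during a lockout do not extend it (assumption)
        # "Reset count after": failures older than the window no longer count.
        if self.last_failure and now - self.last_failure > self.reset_window:
            self.failures = 0
        self.failures += 1
        self.last_failure = now
        if self.failures >= self.threshold:
            self.locked_until = now + self.lockout   # unlocks by itself after the duration
            self.failures = 0
            return True
        return False

    def record_success(self, now):
        """A correct password is still refused while locked; otherwise it clears the counter."""
        if self.is_locked(now):
            return False
        self.failures, self.last_failure, self.locked_until = 0, None, None
        return True

    def admin_unlock(self):
        """Team → Members → "Unlock Account": clears the lock immediately."""
        self.failures, self.last_failure, self.locked_until = 0, None, None

    def lockout_message(self, now):
        remaining = ceil((self.locked_until - now).total_seconds() / 60)
        return ("Your account has been locked due to multiple failed login attempts. "
                f"Please wait {remaining} minutes or contact your administrator to unlock your account.")
```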
User Experience
Password Change Flow
```
┌─────────────────────────────────────────────┐
│ Change Password                             │
│ ─────────────────────────────────────────── │
│                                             │
│ Current password:                           │
│ [••••••••••••                  ]            │
│                                             │
│ New password:                               │
│ [                              ]            │
│                                             │
│ Requirements:                               │
│ ○ At least 12 characters                    │
│ ○ At least one uppercase letter             │
│ ○ At least one lowercase letter             │
│ ○ At least one number                       │
│                                             │
│ Confirm new password:                       │
│ [                              ]            │
│                                             │
│ [Cancel] [Change Password]                  │
└─────────────────────────────────────────────┘
```
Error Messages
Clear feedback for violations:
| Violation | Message |
|---|---|
| Too short | "Password must be at least 12 characters" |
| No uppercase | "Password must contain an uppercase letter" |
| Common password | "This password is too common, please choose another" |
| In history | "You've used this password recently" |
| Contains username | "Password cannot contain your username" |
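An added example, not Zenovay's code, that enforces the Password Requirements table, returns the messages from the Error Messages table and maps a password onto the Strength Levels; the `PasswordPolicy` fields, the small sample blocklist and the strength thresholds are assumptions, since the page gives only the level names.

```python
import re
from dataclasses import dataclass

# Constructed sample blocklist; a deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "password123", "qwerty123", "letmein", "welcome1"}
SPECIALS = r"[!@#$%^&*]"   # the special-character set shown on the configuration form

@dataclass
class PasswordPolicy:
    min_length: int = 8          # defaults match the "Default" column of the tables above
    max_length: int = 128
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False
    block_common: bool = True
    block_username: bool = False

def validate_password(policy, password, username=""):
    """Return every violation message for the password (an empty list means accepted)."""
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"Password must be at least {policy.min_length} characters")
    if len(password) > policy.max_length:
        errors.append(f"Password must be at most {policy.max_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        errors.append("Password must contain an uppercase letter")
    if policy.require_lower and not re.search(r"[a-z]", password):
        errors.append("Password must contain a lowercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        errors.append("Password must contain a number")
    if policy.require_special and not re.search(SPECIALS, password):
        errors.append("Password must contain a special character")
    # Compare case-insensitively: "Password123" is no stronger than "password123".
    if policy.block_common and password.lower() in COMMON_PASSWORDS:
        errors.append("This password is too common, please choose another")
    if policy.block_username and username and username.lower() in password.lower():
        errors.append("Password cannot contain your username")
    return errors

def strength_level(policy, password, username=""):
    """Map to the page's five levels; the thresholds are assumed (the page gives none)."""
    if validate_password(policy, password, username):
        return "Weak"
    classes = sum(bool(re.search(p, password)) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", SPECIALS))
    margin = len(password) - policy.min_length      # how far above the minimum length
    if margin >= 12 and classes == 4:
        return "Excellent"
    return "Strong" if margin >= 8 else "Good" if margin >= 4 else "Fair"
```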
Compliance Mapping
NIST 800-63B
Recommended:
- Minimum 8 characters (12+ preferred)
- Block common passwords
- No mandatory complexity
- No mandatory rotation
- Allow paste in password fields
PCI DSS
Requires:
- Minimum 7 characters (12+ recommended)
- Numeric and alphabetic
- 90-day expiration
- 4 password history
- Lockout after 6 attempts
HIPAA
Recommends:
- Strong password policy
- Regular changes
- Account lockout
- Password history
Exceptions
Emergency Access
For break-glass scenarios:
- Designated emergency accounts
- Exempt from some policies
- Heavily audited
- Time-limited
Service Accounts
For API/automation:
- Different policy possible
- Longer passwords
- No expiration (rotate manually)
- No lockout
Troubleshooting
User Locked Out
If user is locked:
- Check lockout duration
- Admin can unlock manually
- Investigate cause
- Review for attacks
Password Not Accepted
If password rejected:
- Check all requirements
- Not in history?
- Not common password?
- No username included?
Policy Not Applying
If policy doesn't work:
- Save changes successfully?
- Clear browser cache
- Try incognito window
- Contact support
Audit Logging
Password events logged:
- Policy changes
- Password changes
- Failed attempts
- Lockouts
- Admin unlocks
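To support the "Investigate cause" and "Review for attacks" troubleshooting steps, an added example (not Zenovay's tooling) that triages the logged events above for the two patterns a lockout policy needs to distinguish; the log layout, field names and sample lines are constructed, since the page does not show the real format.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in an assumed "<ts> user=<u> ip=<ip> event=<e>" layout;
# this page does not show Zenovay's real log format.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=bob ip=203.0.113.10 event=login_failed
2024-03-01T09:00:02Z user=carol ip=203.0.113.10 event=login_failed
2024-03-01T09:00:03Z user=dave ip=203.0.113.10 event=login_failed
2024-03-01T09:00:04Z user=erin ip=203.0.113.10 event=login_failed
2024-03-01T09:00:05Z user=frank ip=203.0.113.10 event=login_failed
2024-03-01T09:05:00Z user=alice ip=198.51.100.7 event=login_failed
2024-03-01T09:05:01Z user=alice ip=198.51.100.7 event=login_failed
2024-03-01T09:05:02Z user=alice ip=198.51.100.7 event=login_failed
2024-03-01T09:05:03Z user=alice ip=198.51.100.7 event=login_failed
2024-03-01T09:05:04Z user=alice ip=198.51.100.7 event=login_failed
2024-03-01T09:05:04Z user=alice ip=198.51.100.7 event=account_locked
2024-03-01T09:20:00Z user=alice ip=192.0.2.44 event=admin_unlock
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) event=(\S+)$")

def parse(log):
    """Return (timestamp, user, ip, event) tuples, skipping lines that do not match."""
    return [m.groups() for m in map(LINE_RE.match, log.splitlines()) if m]

def triage(log, spray_users=5, brute_failures=5):
    """Flag the patterns behind "Investigate cause / Review for attacks" in the troubleshooting steps."""
    by_ip = defaultdict(set)        # ip -> distinct accounts that failed from it
    by_pair = defaultdict(int)      # (ip, user) -> failure count
    locked, unlocked = {}, set()
    for _ts, user, ip, event in parse(log):
        if event == "login_failed":
            by_ip[ip].add(user)
            by_pair[(ip, user)] += 1
        elif event == "account_locked":
            locked[user] = ip
        elif event == "admin_unlock":
            unlocked.add(user)
    return {
        # one source, many accounts, each kept under the threshold: spraying that lockout alone misses
        "spray_ips": sorted(ip for ip, users in by_ip.items() if len(users) >= spray_users),
        # one source hammering one account up to the threshold: the lockout did its job
        "brute_force": sorted((ip, u) for (ip, u), n in by_pair.items() if n >= brute_failures),
        # lockouts cleared by an admin: confirm the unlock request really came from the user
        "unlocked_after_lockout": sorted(u for u in locked if u in unlocked),
    }
```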