User Guide

Password Policy

Last updated: January 14th, 2024


  1. OVERVIEW


1.1 In the realm of operating systems, password authentication serves as the primary method to verify a user's identity securely. At iSlash, we prioritize the establishment of a robust network environment, necessitating the adoption of strong passwords by all users. These passwords should consist of a minimum of eight characters, encompassing a combination of letters, numbers, and symbols. By adhering to such stringent password requirements, we effectively mitigate the risk of unauthorized access to user and administrative accounts, deterring malicious individuals from exploiting weak password vulnerabilities. Regular password changes further bolster security measures, significantly reducing the likelihood of successful password attacks.


1.2 To ensure the adoption of strong passwords, the iSlash system offers a range of password policy settings that control complexity and password lifetime. Notably, the "Passwords must meet complexity requirements" policy setting serves as an effective measure to enforce strong password usage.


At iSlash, we prioritize password security and endeavor to provide a robust system that safeguards sensitive information. By implementing appropriate password policies, we empower organizations to fortify their network defenses and mitigate the risk of unauthorized access. Our commitment to professional excellence ensures that your password policy requirements are met with utmost reliability and authenticity.


  2. SET PASSWORD POLICY


2.1 Password History: Users can set password history requirements to prevent users from reusing previous passwords. By specifying a designated password history limit, you ensure that users choose unique passwords with each update. This measure not only protects against compromised passwords but also strengthens overall account security.


2.2 Password Length and Complexity: Our system enables you to establish minimum password length and complexity requirements. By defining a minimum length, you ensure that passwords are of sufficient complexity to resist brute-force attacks. Additionally, you can enforce complexity requirements, such as including a combination of uppercase and lowercase letters, numbers, and special characters. These measures substantially enhance the strength of user passwords and bolster overall system security.


2.3 Password and Login Policies for Different User Types

When it comes to password and login policies, you have the flexibility to set different rules based on the type of user. However, it's important to note that these policies apply universally to all user passwords. Let's explore the key considerations for password and login policies:

  1. Password Length Limit:
    To ensure a secure environment, user passwords cannot exceed 16,000 bytes in length. This limit helps prevent excessively long passwords that could potentially introduce vulnerabilities or create system inefficiencies.


  2. Login Rate Limit:
    For organizations created after Summer '08, logins are restricted to a maximum of 3,600 per hour per user. This rate limit helps protect against potential brute-force attacks or excessive login attempts that could compromise system security.


  3. Password Complexity Requirements:
    To enhance password security, certain restrictions are in place. User passwords cannot contain their own username, and they must not match their first or last name. Additionally, passwords must meet complexity requirements to prevent the use of easily guessable or weak passwords. For example, passwords like "password" are not allowed.


2.4 Default Password Requirements:
For all editions, new organizations have default password requirements in place. These requirements can be modified in all editions except for Personal Edition. The default password policies include the following:

  • Minimum Password Length: A password must have a minimum of eight characters, including at least one alphabetic character and one number.

  • Security Question Restrictions: The answer to the security question cannot contain the user's password. This helps ensure that the security question provides an additional layer of protection and is not compromised by knowledge of the user's password.

  • Password Reuse Restriction: When users change their password, they are unable to reuse their last three passwords. This policy promotes the use of unique and varied passwords, reducing the risk of password compromise.

By implementing these password and login policies, you can establish a robust security framework that safeguards user accounts and protects sensitive information. Remember that these policies apply universally to all users, ensuring consistent security standards throughout the system.
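
The rules listed in 2.3 and 2.4, checked at password-change time, as an added example that is not iSlash's own code. The function names, the PBKDF2 format used for the history, the case-insensitive name matching and the sample inputs are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os

MAX_BYTES = 16_000       # 2.3: the limit is in bytes, not characters
MIN_CHARS = 8            # 2.4: default minimum length
HISTORY_DEPTH = 3        # 2.4: last three passwords cannot be reused
DENYLIST = {"password"}  # 2.3 names only this one; extend locally
PBKDF2_ROUNDS = 600_000  # assumed work factor, not taken from the guide


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) so history entries never hold plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def violations(password, username, first_name, last_name, history):
    """List the rules a candidate breaks; an empty list means accepted."""
    # Check the byte limit first and stop, so oversized input is never hashed.
    if len(password.encode("utf-8")) > MAX_BYTES:
        return ["longer than 16,000 bytes"]
    found = []
    lowered = password.casefold()  # case-insensitive matching is an assumption
    if len(password) < MIN_CHARS:
        found.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        found.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        found.append("no number")
    if username and username.casefold() in lowered:
        found.append("contains username")
    if lowered in {first_name.casefold(), last_name.casefold()}:
        found.append("matches first or last name")
    if lowered in DENYLIST:
        found.append("on the weak-password deny-list")
    # Re-hash the candidate under each stored salt; compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            found.append("reuses one of the last three passwords")
            break
    return found
```

Because the 16,000 limit is counted in bytes, a password of 8,001 two-byte characters is rejected even though it has fewer than 16,000 characters.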


  3. PASSWORD RECOVERY OPTIONS


3.1 Our password recovery options typically involve identity verification through security questions or email verification. Once verified, users can easily reset their passwords and regain access to their accounts, ensuring a smooth and secure user experience.


3.2 To reset a user’s password:

  1. Click Forgot password on the login page.

  2. Enter the email address the user registered.

  3. Click Send Verification Email. The user receives an email that contains a link and instructions to reset the password. A password created this way doesn’t expire, but users must change the password the first time they log in.


3.3 Considerations for Resetting Passwords

  1. Admin-Only Password Reset:
    To maintain strict control and security over user accounts, only administrators have the authority to reset passwords for single sign-on (SSO) users. This ensures that password resets are performed by authorized personnel, minimizing the risk of unauthorized access.


  2. Device Activation after Password Reset:
    In certain cases, users may need to activate their devices after a password reset to successfully log in to Salesforce. This additional step adds an extra layer of security by verifying the authenticity of the device being used, thereby reducing the chances of unauthorized access.


  3. Automatic Account Unlock:
    Resetting a password for a locked-out user automatically unlocks their account. This streamlined process simplifies account recovery, eliminating the need for additional administrative intervention. Once the password is reset, the user can regain access to their account without any further steps or delays.


  4. Password Recovery Process:
    In the event that a user forgets their password, they can initiate the recovery process by clicking the "Forgot password" link on the login page. Subsequently, they will receive an email containing detailed instructions to reset their password. To ensure the security of the account, users are required to answer the security question correctly before proceeding with the password reset.


3.4 Customizing the Security Question Page:
Within the Password Policies, administrators have the flexibility to customize the security question page that users see during the password recovery process. This customization allows for the inclusion of helpful information such as where users can seek further assistance if needed. By providing clear instructions and guidance, administrators can enhance the user experience and facilitate successful password recovery.


3.5 By considering these important factors when resetting passwords, you can maintain a secure and efficient process for managing password-related issues. Admin-only access, device activation, and automatic account unlocking contribute to a streamlined experience, while the password recovery process ensures the security of user accounts. Customization options further enhance the user experience by providing helpful information during the recovery process.



  4. GENERAL


4.1 We may edit this policy from time to time. Please check this policy regularly for any changes.


4.2 Should you have other questions or concerns about our privacy policies and practices, please contact us at hey@islash.io.