On the Password Preferences page, under the General tab, select the appropriate password options.
With regard to passwords, the following is always true:
- Passwords can never be recovered, and may only be reset or changed.
- Default passwords are only allowed via a secure backend setting, and all new users assigned default passwords must change them upon initial login. This does not impact Single Sign On (SSO) users because SSO does not rely on passwords.
- Users always have the option to change their passwords via the My Accounts page, removing the dependence on administrators to initiate password resets.
- External users are always required to adhere to internal password preferences, if available. If a Division is not selected for the external user, then the external user must follow the password preferences of the top level Division.
- When a temporary password is assigned to a user, the temporary password must be changed upon login. Temporary passwords may be issued when a new user is created. Also, a default password may be assigned to a user via a data feed.
- Self-registered users must set their password when they register. Users created via a data feed are assigned a default password via the data feed.
To manage Password Preferences, go to.
|PERMISSION NAME||PERMISSION DESCRIPTION||CATEGORY|
- Passwords must contain both upper and lower case letters - Select this option to require that passwords contain at least one lower case letter and one upper case letter (e.g., Smile, sailinG5). Selecting this option strengthens password security.
- Allow user to change password - Select this option to allow users to change their password from My Account. See My Account - Preferences. If this option is deselected, users do not have the ability to change their own password. As a best practice, this option should always be selected unless the affected organizational unit (OU) has SSO enabled, in which case the users do not use passwords to access the system.
- Send email notification upon password change - Select this option to generate an email to the user when the administrator changes the user's password.
- If this option is selected and the Allow user to change password option is selected, the User Password Change email is sent to the user.
- If the Require confidential password reset option is selected, this option does not need to be selected, because the Require confidential password reset option includes this functionality.
- When this option is selected and an administrator resets a user's password, the administrator can only do so by sending the user a password reset email with a confidential temporary password. For this option, users must have a defined email address in their user record.
- When this option is not selected and an administrator resets a user's password, the administrator has the option to either send a password reset email with a system-generated and confidential temporary password or to manually set a temporary password for the user. When a password is manually reset, the temporary password is not sent to the affected user. The administrator must communicate this password outside of the system. This is the best option for users who do not have an email address associated with their user record.
- Note: Users may not use a less than symbol (<) or greater than symbol (>) in their password, as this will cause an error.
Select this option to overwrite custom settings for child division OUs. If you overwrite custom settings for child division OUs, the selected settings are applied to both new and existing child OUs. Any previously customized child OUs are updated with the selected settings.
- If this option is unselected, then only the child OUs that do not have customized settings are updated, as well as any OUs that are added in the future.
- A child OU that has not been customized always inherits from the parent, regardless of whether this option is selected.
- An OU is considered customized if its preferences or settings have been changed.
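The overwrite and inheritance rules above determine which child OUs can keep a weaker password policy after the parent is tightened. The following is an added example, not code from the product: a simplified Python model of those rules that lists the child OUs still below a given baseline. The class, function and setting names (`OU`, `save_preferences`, `mixed_case`, `confidential_reset`) are hypothetical, and the model assumes that an overwritten child OU goes back to inheriting and that an uncustomized OU inherits from its nearest parent.

```python
# Added illustration; names are hypothetical and do not come from the product.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class OU:
    name: str
    parent: Optional["OU"] = None
    custom: Optional[dict] = None  # None = not customized, inherits from parent
    children: list = field(default_factory=list)

    def add_child(self, name, custom=None):
        child = OU(name, parent=self, custom=custom)
        self.children.append(child)
        return child

    def effective(self):
        # An OU that has not been customized always inherits from its parent.
        node = self
        while node.custom is None and node.parent is not None:
            node = node.parent
        return node.custom or {}

def descendants(ou):
    for child in ou.children:
        yield child
        yield from descendants(child)

def save_preferences(ou, settings, overwrite_children):
    """Save settings on `ou`; optionally overwrite customized child OUs."""
    ou.custom = dict(settings)
    if overwrite_children:
        # Assumption: an overwritten child OU goes back to inheriting.
        for d in descendants(ou):
            d.custom = None

def weaker_than(ou, baseline):
    """Child OUs whose effective settings lack a rule the baseline enforces."""
    return sorted(d.name for d in descendants(ou)
                  if any(v and not d.effective().get(k) for k, v in baseline.items()))

def build_sample():
    # Constructed sample tree: "Contractors" was customized with a weaker policy.
    weak = {"mixed_case": False, "confidential_reset": False}
    root = OU("Top", custom=dict(weak))
    root.add_child("Sales")
    contractors = root.add_child("Contractors", custom=dict(weak))
    contractors.add_child("Contractors-EMEA")
    return root
```

With the overwrite option unselected, `weaker_than` reports the customized child and everything that inherits from it; with the option selected, it reports nothing.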