Password Requirements and Expiration
See Also: Multifactor Authentication and Single Sign On Integrations
Requirements
LegalServer enforces the following requirements for user account passwords.
- Must have at least 1 letter and 1 number
- Minimum length is 12 characters
- Cannot be a series of letters ending with either 1, 12, 123, or 1234
- Cannot be 1234abcd or 1234qwerty
- Special characters like ! @ # $ % ^ & * ( ) { } are supported, and probably encouraged by your agency.
Site administrators can add additional requirements on the Admin > Site Settings page in the Security Settings section:
- Passwords must contain at least one upper case character
- Passwords must contain at least one lower case character
- Passwords must contain at least one special character
Changing any or all of these options to "Yes" will only affect newly chosen passwords.
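The rules above can be pre-checked locally, for example before provisioning accounts in bulk. The following is an added example, not LegalServer's own code. The names `SiteSettings` and `check_password` are hypothetical, and it assumes that the "series of letters" rule applies to the whole password and that a special character is anything that is not a letter, digit or whitespace.

```python
import re
from dataclasses import dataclass

# Assumption: the rule covers a password that is only letters followed by
# exactly one of the suffixes 1, 12, 123 or 1234.
_LETTERS_THEN_SEQ = re.compile(r"[A-Za-z]+(?:1234|123|12|1)")
# The two passwords the page names explicitly.
_BANNED = {"1234abcd", "1234qwerty"}


@dataclass(frozen=True)
class SiteSettings:
    """Hypothetical names for the three optional Security Settings toggles."""
    require_upper: bool = False
    require_lower: bool = False
    require_special: bool = False


def check_password(pw: str, settings: SiteSettings = SiteSettings()) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    # Base requirements that always apply.
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if _LETTERS_THEN_SEQ.fullmatch(pw):
        problems.append("letters followed by 1, 12, 123 or 1234")
    if pw in _BANNED:
        problems.append("explicitly disallowed password")
    # Optional requirements a site administrator may switch to "Yes".
    if settings.require_upper and not any(c.isupper() for c in pw):
        problems.append("no upper case character")
    if settings.require_lower and not any(c.islower() for c in pw):
        problems.append("no lower case character")
    # Assumption: "special" means not a letter, digit or whitespace.
    if settings.require_special and all(c.isalnum() or c.isspace() for c in pw):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for sample in ("summervacation123", "correct7horseBattery", "1234qwerty"):
        print(sample, "->", check_password(sample) or "ok")
```

A password such as `summervacation123` meets the length, letter and number rules but is still rejected by the sequence rule, which is the case most likely to surprise users.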
Expiring Passwords
LegalServer does not expire passwords by default. Password expiration is no longer recommended by NIST (SP 800-63B Section 5.1.1.2).
Site administrators can change this on the Admin > Site Settings page.
Users whose password has expired are taken to the "Change Password" page after logging in.
Note: Selecting a password expiration takes effect immediately and applies retroactively. For example, if a site is not using password expiration and then selects 90 days, all users who have not changed their password in 90 days will be forced to change their password on the next login.