Setting Password Requirements and Expiring Passwords

See Also: Multifactor Authentication and Single Sign On Integrations

Password Requirements and Options

LegalServer enforces the following requirements for user account passwords.

  • Must have at least 1 letter and 1 number

  • Minimum length is 8 characters

  • Cannot be a series of letters ending with either 1, 12, 123, or 1234

  • Cannot be 1234abcd or 1234qwer

  • Special characters like ! @ # $ % ^ & * ( ) { } are supported. And probably encouraged by your agency.

Site administrators can require these additional elements by changing Site Settings-> Security Settings:

  • Passwords must contain least one upper case character

  • Passwords must contain at least one lower case character

  • Passwords must contain at least one special character

Changing any or all of these options to "Yes" will only affect newly chosen passwords.

Expiring Passwords

LegalServer does not expire passwords by default. Password expiration is no longer recommended by NIST (SP 800-63B Section

Site administrators can change this on the Admin > Site Settings page.

Users with an expired password are taken to the "Change Password" page after logging in with an expired password.

Note: Selecting a password expiration takes effect immediately and applies retroactively. For example, if a site is not using password expiration then selects 90 days, all users who have not changed their password in 90 days will be forced to change their password on the next login.