Domains (e.g., school, district) can have a password policy that:
- Determines the rules for password requirements for their users.
- Defines what should happen when a user attempts to log in with an incorrect password.
Over the next several months, we will be implementing two phases of security updates to the default password policy.
Who is impacted by these changes?
These changes will impact all users who are in domains that do not already have their own password policy (either inherited from a parent domain or explicitly set on the domain itself) and who authenticate with their Echo credentials.
Who is not impacted by these changes?
These changes will not impact any user in a domain that already has a password policy in place, either inherited from a parent domain or explicitly set on the domain itself. Nor will they impact any user who authenticates into Echo with single sign-on (SSO).
When and what will the changes be?
Beginning March 14, 2019, the following rules will be applied:
- The setting Lockout after unsuccessful login attempts will be set to 10 attempts. This means that if a user enters an incorrect password 10 consecutive times, their account will be locked. For their account to be unlocked, an administrator must reset the user’s lockout (see How do I override password lockout for a user?) or the user must wait until their lockout expires.
- The setting Lockout lasts for will be set to 1 hour. This means that if a user has a lockout due to unsuccessful login attempts, they will not be able to log in again until 1 hour after the lockout began.
During Summer 2019, the following rules will be applied:
- The setting Lockout after unsuccessful login attempts will be set to 5 attempts. This means that if a user enters an incorrect password 5 consecutive times, their account will be locked. For their account to be unlocked, an administrator must reset the user’s lockout (see How do I override password lockout for a user?) or the user must wait until their lockout expires.
- The setting Lockout lasts for will be set to 3 hours. This means that if a user has a lockout due to unsuccessful login attempts, they will not be able to log in again until 3 hours after the lockout began.
- The setting Minimum password length will be set to 8 characters. This means that users will be required to enter a password with at least 8 characters when changing a password or creating a new user.
As Summer 2019 approaches, we will publish a new announcement with the full details (e.g., date, additional changes).
What if I want a more (or less) strict password policy?
If you want a different password policy, you can set one today (see How do I set up my domain password policy?). A password policy is inherited by subdomains, so you can define one at a top-level domain to be inherited by all subdomains and then change it for a specific school. Alternatively, you can set a policy on each domain if each needs its own.
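The inheritance and lockout rules described above, modelled as an added example (this is not Echo's code). The class and function names are hypothetical, and the model assumes that a successful login or an expired lockout resets the failure count.

```python
from dataclasses import dataclass
from datetime import timedelta

@dataclass(frozen=True)
class Policy:                      # hypothetical model, not Echo's schema
    max_attempts: int              # "Lockout after unsuccessful login attempts"
    lockout: timedelta             # "Lockout lasts for"
    min_length: int = 0            # "Minimum password length" (0 = not enforced)

# Default policies taken from the announcement's two phases.
PHASE_1 = Policy(10, timedelta(hours=1))
PHASE_2 = Policy(5, timedelta(hours=3), min_length=8)

def effective_policy(domain, parents, policies, default):
    """Nearest explicit policy wins: the domain, then each parent, then the default."""
    while domain is not None:
        if domain in policies:
            return policies[domain]
        domain = parents.get(domain)
    return default

def password_allowed(password, policy):
    return len(password) >= policy.min_length

class Account:
    def __init__(self, policy):
        self.policy, self.failures, self.locked_at = policy, 0, None

    def admin_reset(self):
        """Administrator override: clear the lockout and the failure count."""
        self.failures, self.locked_at = 0, None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if now >= self.locked_at + self.policy.lockout:
            self.admin_reset()     # assumption: expiry also clears the counter
            return False
        return True

    def attempt(self, password_ok, now):
        if self.is_locked(now):    # even a correct password is refused while locked
            return "locked"
        if password_ok:
            self.failures = 0      # assumption: only consecutive failures count
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.max_attempts:
            self.locked_at = now   # the lockout window is measured from this moment
            return "locked"
        return "failed"
```

Attempts made during a lockout do not extend it, which matches the rule that the lockout ends a fixed time after it began.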