Below you will see a detailed explanation on Dispel’s Account and Password Security Policies as well as how these policies are accessed on the Dashboard. Note, this view is restricted and can only be seen by an organization admin.
In addition to integrating both MFA (Multi-Factor Authentication) and SSO (Single Sign-On), which can be found above the Password History section, Dispel allows administrators to set and enforce specific Account and Password Security Policies across the organization. These policies ensure enhanced security and provide flexibility for admins to tighten password protocols as necessary. Below, you will find the settings related to password security, allowing you to configure how passwords are created, managed, and controlled.
Password History
Enforce Password Reuse Policy:
When enabled, Dispel will track a history of a user’s passwords (of a length you define) and prevent the reuse of those passwords when a user attempts to change their password. For example, if you set the history limit to 5 passwords, users must create a new password that hasn’t been used in their last 5 password changes. If you wish to prevent the reuse of any of a user’s previously used passwords, you can set the value to “0”.
Reusing passwords can create security risks, especially if previous passwords have been compromised. Enforcing password uniqueness helps reduce the risk of unauthorized access due to password reuse.
Enforce Minimum/Maximum Password Lifetime:
This policy controls how long a password can be used before it must be changed. You can specify both a minimum and a maximum password lifetime. A Minimum Password Lifetime ensures that users cannot change their passwords too frequently, which prevents users from cycling through passwords in order to reuse an old one. A Maximum Password Lifetime defines how long a password is valid before the user is required to update it; once a user's password has exceeded the maximum lifetime, they will be prompted to create a new password upon their next login.
Setting appropriate minimum and maximum lifetimes prevents both over-frequent password changes, which can frustrate users, and the use of outdated passwords, which can weaken security over time.
Inactivity Lockout
When users remain inactive for an extended period, their passwords will be automatically invalidated for security reasons. After a user exceeds the defined inactivity threshold, their password will no longer be valid. The next time they attempt to log in, they will receive an email with a secure link to reset their password.
This feature ensures that inactive accounts are not vulnerable to unauthorized access. Users who haven’t accessed their account in a while may forget about it, leaving it at risk of being compromised.
Repeated Failed Sign Ins
This setting helps protect your organization from brute force attacks by temporarily suspending accounts after a certain number of failed login attempts. If a user fails to log in after 3 attempts, their account will be temporarily suspended for 15 minutes.
Limiting the number of failed sign-in attempts protects accounts from unauthorized access attempts through brute force. It also prevents bots or attackers from repeatedly guessing a password.
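The following Python model, added here as an illustration rather than Dispel's own code, applies the four rules described above (password history with 0 meaning "all previous passwords", minimum and maximum lifetime, inactivity threshold, and the 3-failure / 15-minute suspension) so an administrator can see how they interact, for example how the minimum lifetime blocks cycling straight back to an old password. The 3 attempts and 15 minutes come from this page; the other default values and all function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from hashlib import sha256
@dataclass
class Policy:
    history_limit: int = 5                     # 0 = block every previously used password
    min_lifetime: timedelta = timedelta(days=1)
    max_lifetime: timedelta = timedelta(days=90)
    inactivity_threshold: timedelta = timedelta(days=60)
    max_failed_attempts: int = 3               # the page's values: 3 failures, 15 minutes
    lockout_duration: timedelta = timedelta(minutes=15)

@dataclass
class Account:
    password_hashes: list                      # newest first
    password_set_at: datetime
    last_active_at: datetime
    failed_attempts: int = 0
    locked_until: datetime = datetime.min      # datetime.min = not suspended

# Demo digest only; a real credential store uses a salted, slow hash (bcrypt/argon2).
def pw_digest(pw: str) -> str: return sha256(pw.encode()).hexdigest()
def check_password_change(p: Policy, a: Account, new_pw: str, now: datetime):
    # Returns a rejection reason, or None if the change is allowed.
    if now - a.password_set_at < p.min_lifetime:
        return "minimum lifetime not reached"
    window = a.password_hashes if p.history_limit == 0 else a.password_hashes[:p.history_limit]
    if pw_digest(new_pw) in window:
        return "password reused"
    return None

def password_state(p: Policy, a: Account, now: datetime) -> str:
    # "expired" (max lifetime) and "inactive" (inactivity lockout) both force a reset.
    if now - a.password_set_at > p.max_lifetime:
        return "expired"
    if now - a.last_active_at > p.inactivity_threshold:
        return "inactive"
    return "ok"

def record_sign_in(p: Policy, a: Account, success: bool, now: datetime) -> str:
    # Failed-sign-in rule: max_failed_attempts failures suspend the account for lockout_duration.
    if now < a.locked_until:
        return "locked"
    if success:
        a.failed_attempts, a.locked_until, a.last_active_at = 0, datetime.min, now
        return "ok"
    a.failed_attempts += 1
    if a.failed_attempts >= p.max_failed_attempts:
        a.failed_attempts, a.locked_until = 0, now + p.lockout_duration
        return "suspended"
    return "failed"
```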
For Your Consideration:
Because Password Security Policies can affect all users’ ability to access the dashboard, please keep the below in mind when making changes.
Communicate Changes: It’s important to notify users whenever password security policies are updated to avoid confusion during login attempts.
Combine with MFA: For maximum security, it is recommended to enable MFA alongside these password policies. MFA adds an additional layer of protection in case a password is compromised.
User Support: Ensure that users have a clear path to contact support if they are locked out due to inactivity or failed sign-ins, so they can quickly regain access when needed.