Skip to main content
All CollectionsGuides for dashboard.dispel.ioAdmin How To Guides
Dispel Account and Password Security Settings
Dispel Account and Password Security Settings
Angel Alvarado Amaya avatar
Written by Angel Alvarado Amaya
Updated over 3 months ago

Below you will see a detailed explanation on Dispel’s Account and Password Security Policies as well as how these policies are accessed on the Dashboard. Note, this view is restricted and can only be seen by an organization admin.

In addition to integrating both MFA (Multi-Factor Authentication) and SSO (Single Sign-On), which can be found above the Password History section, Dispel allows administrators to set and enforce specific Account and Password Security Policies across the organization. These policies ensure enhanced security and provide flexibility for admins to tighten password protocols as necessary. Below, you will find the settings related to password security, allowing you to configure how passwords are created, managed, and controlled.

Password History

Enforce Password Reuse Policy:

When enabled, Dispel will track a history of a user’s passwords (defined by you) and prevent the reuse of those passwords when a user attempts to change their password. For example, if you set the history limit to 5 passwords, users must create a new password that hasn’t been used in their last 5 password changes. If you wish to prevent the reuse of any of a user’s previously used passwords, you can set the value to “0”.

Reusing passwords can create security risks, especially if previous passwords have been compromised. Enforcing password uniqueness helps reduce the risk of unauthorized access due to password reuse.

Enforce Minimum/Maximum Password Lifetime:

This policy controls how long a password can be used before it must be changed. You can specify both a minimum and maximum password lifetime. A Minimum Password Lifetime ensures that users cannot change their passwords too frequently, which can prevent users from cycling through previous passwords to reuse an old one. A Maximum Password Lifetime: defines how long a password is valid before the user is required to update it and after the maximum lifetime for a user's password has exceeded, they will be prompted to create a new password upon their next login.

Setting appropriate minimum and maximum lifetimes prevents both over-frequent password changes, which can frustrate users, and the use of outdated passwords, which can weaken security over time.

Inactivity Lockout

When users remain inactive for an extended period, their passwords will be automatically invalidated for security reasons. After a user exceeds the defined inactivity threshold, their password will no longer be valid. The next time they attempt to log in, they will receive an email with a secure link to reset their password.

This feature ensures that inactive accounts are not vulnerable to unauthorized access. Users who haven’t accessed their account in a while may forget about it, leaving it at risk of being compromised.

Repeated Failed Sign Ins

This setting helps protect your organization from brute force attacks by temporarily suspending accounts after a certain number of failed login attempts. If a user fails to log in after 3 attempts, their account will be temporarily suspended for 15 minutes.

Limiting the number of failed sign-in attempts protects accounts from unauthorized access attempts through brute force. It also prevents bots or attackers from repeatedly guessing a password.

For Your Consideration:

Because Password Security Policies can affect all user’s ability to access the dashboard please keep the below in mind when making changes.

  • Communicate Changes: It’s important to notify users whenever password security policies are updated to avoid confusion during login attempts.

  • Combine with MFA: For maximum security, it is recommended to enable MFA alongside these password policies. MFA adds an additional layer of protection in case a password is compromised.

  • User Support: Ensure that users have a clear path to contact support if they are locked out due to inactivity or failed sign-ins, so they can quickly regain access when needed.

Did this answer your question?