Important: You can proactively implement the new password policy today by meeting all values for password strength and character requirements for your users. Default values, detailed below, will be auto-populated if password policy is not activated on your PSA tenant, and users will be prompted to reset their password if it does not meet the minimum security requirements after Dec 10, 2022.
A strong password is the first-level defense against any unwarranted intrusion or breach. Therefore, it is imperative to have a very strong password meeting the criteria set by the admin/security team. The password policy must be strictly enforced as a necessary security measure and as a first-level protection. The following are the password criteria that should be met by all users of your tenant.
Requirements
The user must have Admin access to make these changes. These features apply to Employees, Client portal users, and API users.
Steps to Set New Password Policy with the New UI
Admins can now set password and account policies for their tenant users. Navigate to Admin > Security > Password Policy. The following steps outline how to set the policy in the new UI. However, since the UI won't be ready until Dec 10th, you can go ahead and set the password policy in the current UI itself as described towards the end of this article.
Login Attempts
1. Number of consecutive failed login attempts allowed before disabling account: Enter 5. You can customize this.
2. Length of time to disable account after max login failure exceeded: Enter 1 hour and 30 minutes. You can customize this. A zero value will throw a validation error.
Password Strength
1. Require password change every 180 days. You can customize this. This setting is not mandatory for admin users; they can leave the box blank.
2. Enforce minimum password length 8 characters. You can customize this.
3. Prohibit password reuse for 5 passwords. You can customize this.
4. Click Save. A success message will appear at the top when you save the changes.
Character Requirements
Disclaimer: The image below shows the new password policy UI which will appear after the Dec 10th release of Pulseway PSA v5.17.0.
The character requirements are described in a detailed note on the Password Policy page of the UI.
Password Criteria
Length
The password must be at least 8 characters long. A validation error is shown if the minimum length is not met.
Permitted Characters
The password must contain at least one uppercase letter, one lowercase letter, one numeric character and one special character. (See the Password Policy page in the UI for the list of accepted special characters.)
Forbidden Words/Characters
The password must not contain the username, first name, last name or dictionary words, and must not contain consecutive repeated characters.
The password must not share 8 like characters with the previous password.
Password Reuse
The last 5 passwords should not be reused.
Password Rotation
By default, password rotation can be enforced for 180 days. Admins can change this. However, this field is not a mandatory setting. Admin users have the option of leaving this field blank.
Account Lockouts
There is a limit of 5 wrong password attempts before the user is locked out. By default, the account will be locked for 90 minutes.
Users will be emailed if their account has been locked out. Users can wait for the specified time or contact the admin to unlock the account.
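As an added illustration (not Pulseway's own code), the following Python validator applies the password criteria listed above (length, character classes, forbidden words, consecutive duplicates, overlap with the last password, and reuse of the last 5). The special-character set, the dictionary word list, and the reading of "8 like characters" as a common substring of 8 or more characters are assumptions.

```python
import re
import string

# Assumed values: the real special-character list lives in the Password Policy UI,
# and the dictionary here is a constructed sample.
SPECIALS = set(string.punctuation)
DICTIONARY = {"password", "welcome", "pulseway", "summer"}
MIN_LENGTH = 8
HISTORY_DEPTH = 5      # "the last 5 passwords should not be reused"
MAX_COMMON_RUN = 8     # "8 like characters from the last password" (assumed: common substring)


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (dynamic programming)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_password(pw: str, username: str, first: str, last: str, history: list) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable.
    history holds the user's previous passwords, most recent first. Plain text is used
    here only for illustration; a real system would compare against stored password hashes."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append("too short")
    if not any(c.isupper() for c in pw):
        errors.append("no uppercase")
    if not any(c.islower() for c in pw):
        errors.append("no lowercase")
    if not any(c.isdigit() for c in pw):
        errors.append("no digit")
    if not any(c in SPECIALS for c in pw):
        errors.append("no special character")
    low = pw.lower()
    for word in (username, first, last, *sorted(DICTIONARY)):
        if word and word.lower() in low:
            errors.append(f"contains forbidden word '{word}'")
    if re.search(r"(.)\1", pw):                      # e.g. "aa" or "!!"
        errors.append("consecutive duplicate characters")
    if history and longest_common_substring(pw, history[0]) >= MAX_COMMON_RUN:
        errors.append("shares 8+ characters with last password")
    if pw in history[:HISTORY_DEPTH]:
        errors.append("reused one of the last 5 passwords")
    return errors
```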
Setting a Policy with the Current UI
Set the options as described in the image above and click Save. This will keep you compliant until the new policy takes effect on Dec 10th. A success banner will appear at the top when the changes are saved successfully.
Modules
This change is implemented in the following places.
New Tenant signups
New User setup
Reset password page
Forgot password page
Client portal user creation and reset
Support accounts
Outbound logs
Templates
New Tenant Signups
When a new MSP is onboarded to PSA, they will have to activate their tenant. The customer will receive an email with tenant details and activation instructions.
Activation link screen
Once a user receives the Signup email the email will contain Tenant’s name, the username, and the Activation link.
The root user/tenant admin can create the first and last name and a password and signup to the tenant.
Once the account is created, the user will be logged in to PSA.
The activation link will automatically expire in 7 days.
Password should meet the policy requirements set by the admin of your tenant.
New User/Client Portal Setup
When an admin creates a new employee via HR/API, the employee will no longer receive a password in the email.
Instead, they will receive a create-password link that is active for 24 hours.
Users will click on the link and be prompted to set a new password.
Password should meet the policy requirements set by the admin of your tenant.
The same applies to contacts created as Client portal users under CRM > Contacts > Client portal user: Yes
Reset/Forgot Password Page
Forgot password
User can change their password using the reset password screen.
On the login screen, click on Forgot password, and enter user details.
They will receive a create-password link that is active for 24 hours.
Users will click on the link and be prompted to set a new password.
Password should meet the policy requirements set by the admin of your tenant.
Admin reset
Admins of your tenant can send reset instructions from
HR > Employees > Select employee > Reset and Send instructions
CRM > Contacts > Client portal user : Yes > Choose contact > Reset and Send instructions
End-user will get email instructions.
Support Accounts
When the user enables a support account for their tenant, an email will be sent with the following data to Pulseway technicians who work on their issue.
The system will send an encrypted link that automatically logs in Pulseway technicians.
Anyone who has access to the link can click on it and auto-login. The link will expire once the activation time set by the customer is reached. Support will have to re-request that the account be enabled.
Expiry duration will be part of the email.
Enabling support account process will remain the same.
Admin > My Company > Company Settings > Support User > Activate
Outbound Email
For every email sent for new user creation, password reset, or support account activation, a corresponding log is created in Admin > Logs > Outbound Email.
The email will contain the same instructions and the password reset link.
Users with the SSO authentication type will not receive any emails.
MFA setup will have no change.
Email Templates
Admin > Business Process > Email templates
The %Password% field will be automatically replaced with the reset link. Anyone using a template that contains the Password field will see the Reset link on their end.
These templates can be used under Admin > My Company > Company Settings > User account.
API Users
Users with API user type access can now create a password of their choice using the reset password screen.
Navigate to the gateway link, enter your username and choose reset password OR
Admins can select the API user and choose Reset and Send instructions.
API users will receive the link to change or create the password.
Create your new password and use this to authenticate your API calls.
The API user type will not be able to log in to the system. UI access is limited to the reset/create password screen.
API users will need to have a valid email for this to succeed.