Password policy - Fluid Topics - 3.11

Fluid Topics Configuration and Administration Guide

Category: Reference Guides
Audience: public
Version: 3.11

In the Password policy section of the New realm drawer, it is possible to define the password policy level required when new users register or existing users change their password.

The Fluid Topics password policy only applies to internal Fluid Topics accounts.

Fluid Topics supports the following password policy levels:

  • Low - the password must contain at least 6 characters.
  • High - the password must contain at least 12 characters AND is checked against a list of known hacked (breached) passwords.

By default, the Fluid Topics password policy level is Low.

Selecting the High level requires users to create passwords that are both long enough and not already known to be compromised.

OWASP Compliance

When the password policy level is High, Fluid Topics complies with the following OWASP Secure Software Development Lifecycle Requirements:

  • #2.1.1 "Verify that user set passwords are at least 12 characters in length."
  • #2.1.4 "Verify that Unicode characters are permitted in passwords. A single Unicode code point is considered a character, so 12 emoji or 64 kanji characters should be valid and permitted."
  • #2.1.7 "Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords [...]."
  • #2.1.9 "Verify that there are no password composition rules limiting the type of characters permitted. There should be no requirement for upper or lower case or numbers or special characters."

In compliance with the OWASP Secure Software Development Lifecycle Requirement #2.3.1, tokens to activate an account or reset a password expire after 2 hours.
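The following is an added example that illustrates the two policy levels, the OWASP requirements listed above, and the 2-hour token expiry; it is not Fluid Topics' own implementation. The breached-password sample, the choice to store that list as SHA-1 digests, the hypothetical `validate_password`, `issue_token` and `token_is_valid` functions, and the token hashing scheme are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of breached passwords, kept as SHA-1 hex digests so the
# plaintext list does not sit in memory. A real deployment would load a large
# breach corpus here; the page links to one without naming it.
_BREACHED_SAMPLE = ["password12345", "qwertyuiop123", "correcthorsebattery"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _BREACHED_SAMPLE}

# Minimum lengths from the page: Low = 6 characters, High = 12 characters.
MIN_LENGTH = {"low": 6, "high": 12}


def code_point_length(password: str) -> int:
    """Count Unicode code points (OWASP 2.1.4), not bytes or UTF-16 units.

    Python's len() on a str already counts code points, so 12 emoji or
    64 kanji count as 12 and 64 characters respectively.
    """
    return len(password)


def is_breached(password: str) -> bool:
    """True when the password appears in the (constructed) breach list."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest in BREACHED_SHA1


def validate_password(password: str, level: str) -> list[str]:
    """Return the list of violations; an empty list means the password is accepted.

    Low  : length >= 6 only.
    High : length >= 12 AND not present in the breached-password list.
    There are deliberately no composition rules (OWASP 2.1.9): upper/lower
    case, digits and special characters are never required.
    """
    if level not in MIN_LENGTH:
        raise ValueError(f"unknown policy level: {level!r}")
    problems: list[str] = []
    n = code_point_length(password)
    if n < MIN_LENGTH[level]:
        problems.append(f"at least {MIN_LENGTH[level]} characters required, got {n}")
    if level == "high" and is_breached(password):
        problems.append("password appears in the breached-password list")
    return problems


# Activation / reset tokens expire 2 hours after issue (OWASP 2.3.1 on the page).
TOKEN_LIFETIME = timedelta(hours=2)


@dataclass(frozen=True)
class IssuedToken:
    token_hash: str      # SHA-256 of the raw token; the raw value is only sent to the user
    issued_at: datetime  # timezone-aware issue time


def issue_token(now: datetime) -> tuple[str, IssuedToken]:
    """Create a random token; return (raw token for the user, record to store)."""
    raw = secrets.token_urlsafe(32)
    record = IssuedToken(hashlib.sha256(raw.encode("ascii")).hexdigest(), now)
    return raw, record


def token_is_valid(presented: str, record: IssuedToken, now: datetime) -> bool:
    """Accept the token only if it is unexpired and matches the stored hash."""
    if now - record.issued_at >= TOKEN_LIFETIME:
        return False  # expired: 2 hours or more have elapsed since issue
    presented_hash = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(presented_hash, record.token_hash)


if __name__ == "__main__":
    for pw, level in [("abcde", "low"), ("abcdef", "low"),
                      ("password12345", "high"), ("\U0001F600" * 12, "high")]:
        print(level, repr(pw), validate_password(pw, level) or "accepted")
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    raw, rec = issue_token(t0)
    print("valid after 1h:", token_is_valid(raw, rec, t0 + timedelta(hours=1)))
    print("valid after 2h:", token_is_valid(raw, rec, t0 + timedelta(hours=2)))
```

Note that the Low level never consults the breach list, mirroring the page: only the High level performs that check, and even then a long password made entirely of letters is accepted because no composition rule applies.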