Password Policy Configuration


The Password Policy feature is used to define and enforce password security rules for users accessing the system. It helps protect employee and organizational data by ensuring that passwords meet specified security standards. Administrators can configure settings such as minimum password length, password complexity, expiry period, password history, and account lockout rules. The policy ensures that users create strong and secure passwords while reducing the risk of unauthorized access. This feature enhances system security, supports compliance requirements, and promotes safe user authentication practices.

The Password Policy feature is used to define security rules for user passwords in the HRMS application. It helps organizations:
  – Improve account security
  – Enforce strong passwords
  – Prevent unauthorized access
  – Standardize password rules for all users

Purpose of Password Policy

Password Policy allows administrators to:
  – Enable or disable password rules
  – Define password strength requirements
  – Improve login security for employees and administrators

Navigation – Click on Module Box –> Click on System Configuration –> Click on User Roles and Permission –> Click on Password policy.

Click on System Configuration, then click the User Roles and Permissions tab, and then click the Password Policy tab.

Click the Edit button to enable or configure the Password Policy. Select the required password settings and click the Save button to apply the changes. Once enabled, the configured password policy will be enforced during New Password Creation, Forgot Password, and Reset Password processes. This ensures that all users follow the organization’s defined password security standards.

  • Is Policy Applicable –
    Is Policy Applicable is a configuration option used to determine whether the Password Policy should be enforced for users in the system. When this option is enabled, the configured password rules such as password length, complexity, expiry, and history will be applied during password creation and management activities. If disabled, users can create or reset passwords without being restricted by the configured password policy settings. This setting helps organizations control the enforcement of password security standards across the application.

    Purpose – Enables or disables password policy enforcement.
    Options – Checked = Enabled
    Unchecked = Disabled
    Impact – If enabled, users must follow all configured password rules.
  • Minimum Password Length –
    Minimum Password Length defines the minimum number of characters required for a user’s password. When configured, users must create passwords that meet or exceed the specified character length during password creation, reset, or change operations. This setting helps improve password strength and enhances system security by reducing the risk of weak passwords. Organizations can configure the minimum length as per their security requirements.

    Purpose – Defines the minimum number of characters required in a password.
    Example – Value = 8
    Impact – Users cannot create passwords shorter than 8 characters.
    Example Password –
    ✔ Valid: Hrms@123
    ✘ Invalid: Hr1@
  • Minimum Number of Alphabetic Characters in Password –
    Minimum Number of Alphabetic Characters in Password defines the minimum number of letters (A–Z or a–z) that must be included in a password. When configured, users are required to meet the specified alphabetic character count while creating, changing, or resetting their password. This setting helps strengthen password complexity and enhances security by ensuring that passwords contain a combination of character types as per the organization’s password policy.

    Purpose – Defines the minimum number of alphabetic characters required.
    Example – Value = 2
    Impact – Password must contain at least 2 letters.
    Example Password –
    ✔ HRMS@12
    ✘ 1234@56
  • Minimum Number of Uppercase Letters in Password –
    Minimum Number of Uppercase Letters in Password defines the minimum number of uppercase characters (A–Z) that must be included in a password. When this setting is configured, users must meet the specified uppercase letter requirement while creating, changing, or resetting their password. This enhances password complexity and strengthens security by ensuring the use of uppercase characters as part of the organization’s password policy.

    Purpose – Defines required uppercase letters.
    Example – Value = 1
    Impact – At least one capital letter is mandatory.
    Example –
    ✔ Hrms@123
    ✘ hrms@123
  • Minimum Number of Lowercase Letters in Password –
    Minimum Number of Lowercase Letters in Password defines the minimum number of lowercase characters (a–z) that must be included in a password. When configured, users are required to meet the specified lowercase letter count while creating, changing, or resetting their password. This setting enhances password complexity and improves security by ensuring that passwords contain lowercase characters in accordance with the organization’s password policy.

    Purpose – Defines required lowercase letters.
    Example – Value = 1
    Impact – At least one lowercase letter is mandatory.
    Example –
    ✔ HRms@123
    ✘ HRMS@123
  • Minimum Number of Numeric Characters in Password –
    Minimum Number of Numeric Characters in Password defines the minimum number of numeric digits (0–9) that must be included in a password. When this setting is configured, users must meet the specified numeric character requirement while creating, changing, or resetting their password. This helps increase password complexity and strengthens security by ensuring the inclusion of numeric characters as part of the organization’s password policy.

    Purpose – Defines required numeric values.
    Example – Value = 1
    Impact – Password must contain at least one number.
    Example –
    ✔ Hrms@123
    ✘ Hrms@Test
  • Minimum Number of Symbol Characters in Password –
    Minimum Number of Symbol Characters in Password defines the minimum number of special characters (such as @, #, $, %, &, *, etc.) that must be included in a password. When configured, users must meet the specified symbol character requirement while creating, changing, or resetting their password. This setting enhances password complexity and improves security by ensuring the use of special characters in accordance with the organization’s password policy.

    Purpose – Defines required special characters.
    Example – Value = 1
    Impact – Password must contain at least one symbol.
    Example Symbols – @ # $ % & *
    Example –
    ✔ Hrms@123
    ✘ Hrms123
  • Enable Password Reset Reminder –
    Enable Password Reset Reminder is a configuration option used to send reminders to users before their password expires. When enabled, the system notifies users to change their password within the configured reminder period, helping them avoid login issues due to password expiration. This feature encourages timely password updates, improves security compliance, and ensures uninterrupted access to the application.

    Purpose – Enables password expiry reminder notifications.
    Impact – Users receive reminders before password expiry.
    Alert Reminder Before Days –
    Purpose – Defines how many days before expiry the reminder should be sent.
    Example – Value = 30
    Impact – Users receive a password expiry alert 30 days before expiration.
  • Number of Days After Which Password Expires –
    Number of Days After Which Password Expires defines the validity period of a user’s password. After the specified number of days, the password expires and the user is required to create a new password to continue accessing the system. This setting helps enhance security by ensuring passwords are updated regularly and reduces the risk associated with long-term use of the same password.

    Purpose – Defines password validity duration.
    Example – Value = 1000
    Impact – After 1000 days, users must reset their password.
  • Number of Previous Passwords That Cannot Be Duplicated –
    Number of Previous Passwords That Cannot Be Duplicated defines how many previously used passwords are stored and restricted from being reused by a user. When configured, users cannot set a new password that matches any of the specified number of recent passwords. This setting enhances security by preventing password reuse and encouraging users to create unique passwords during password changes or resets.

    Purpose – Prevents reuse of old passwords.
    Example – Value = 0
    Impact –
    0 = No restriction
    3 = Last 3 passwords cannot be reused
  • Make Captcha Enabled After Certain Wrong Login –
    Make Captcha Enabled After Certain Wrong Login Attempts defines the number of unsuccessful login attempts after which a CAPTCHA challenge will be displayed to the user. Once the specified limit is reached, users must successfully complete the CAPTCHA verification before attempting to log in again. This setting helps protect the system from automated login attempts, brute-force attacks, and unauthorized access, thereby enhancing application security.

    Purpose – Enables CAPTCHA after failed login attempts.
    Example – Login Count = 2
    Impact – After 2 wrong attempts, CAPTCHA verification appears.
  • Disable User Login After Certain Failed Attempt –
    Disable User Login After Certain Failed Attempts defines the maximum number of consecutive unsuccessful login attempts allowed for a user. Once the specified limit is reached, the user’s account is temporarily or permanently locked based on the configured settings. This feature helps prevent unauthorized access, protects against brute-force attacks, and enhances the overall security of the application.

    Purpose – Temporarily blocks login after repeated failed attempts.
    Example – Failed Attempt Count = 3
    Impact – After 3 incorrect password attempts, user login gets blocked.
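
The composition and history rules above, evaluated together. This is an added example, not code from the HRMS product: the field names, the treatment of "symbol" as ASCII punctuation, the history value of 3, and the salted PBKDF2 storage of old passwords are assumptions; the other defaults are the example values from this page.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical field names; defaults follow the page's example values."""
    applicable: bool = True   # "Is Policy Applicable"
    min_length: int = 8
    min_alpha: int = 2
    min_upper: int = 1
    min_lower: int = 1
    min_digit: int = 1
    min_symbol: int = 1
    history: int = 3          # previous passwords blocked; 0 = no restriction

def violations(password, policy):
    """Return the names of the rules the password fails, in policy order."""
    if not policy.applicable:
        return []             # policy disabled: no rule is enforced
    def count(chars):
        return sum(ch in chars for ch in password)
    checks = [
        ("length", len(password), policy.min_length),
        ("alpha", count(string.ascii_letters), policy.min_alpha),
        ("upper", count(string.ascii_uppercase), policy.min_upper),
        ("lower", count(string.ascii_lowercase), policy.min_lower),
        ("digit", count(string.digits), policy.min_digit),
        # Assumption: a symbol is any ASCII punctuation character.
        ("symbol", count(string.punctuation), policy.min_symbol),
    ]
    return [name for name, have, need in checks if have < need]

def _kdf(password, salt):     # iteration count is an example value
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def remember(password):
    salt = os.urandom(16)     # keep salted digests, never the old passwords
    return salt, _kdf(password, salt)

def is_reused(password, stored, policy):
    """True if the password matches one of the last `policy.history` entries."""
    if not policy.applicable or policy.history <= 0:
        return False          # guard: stored[-0:] would select the whole list
    return any(hmac.compare_digest(_kdf(password, s), d) for s, d in stored[-policy.history:])

POLICY = PasswordPolicy()
```

The page's sample passwords are each judged against a single rule; under the combined example values, `HRMS@12` passes the alphabetic rule but `violations` reports it for length and lowercase.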
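
How the CAPTCHA and lockout thresholds interact over a sequence of attempts, as an added example that is not the product's code. It uses the page's example values (CAPTCHA after 2, lock after 3) and assumes that a successful login resets the counter, that a missing CAPTCHA is rejected without counting as a failed password attempt, and that a locked account stays locked until an administrator acts.

```python
from dataclasses import dataclass, field

@dataclass
class LoginGuard:
    """Hypothetical tracker of consecutive failed logins per user."""
    captcha_after: int = 2    # page example: Login Count = 2
    lock_after: int = 3       # page example: Failed Attempt Count = 3
    failures: dict = field(default_factory=dict)

    def state(self, user):
        n = self.failures.get(user, 0)
        if n >= self.lock_after:
            return "locked"
        if n >= self.captcha_after:
            return "captcha"
        return "open"

    def attempt(self, user, password_ok, captcha_ok=False):
        """Process one attempt; return 'success', 'denied' or 'locked'."""
        before = self.state(user)
        if before == "locked":
            return "locked"   # a correct password does not unlock the account
        if before == "captcha" and not captcha_ok:
            return "denied"   # assumption: rejected before the password is checked
        if password_ok:
            self.failures.pop(user, None)   # assumption: success resets the count
            return "success"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "locked" if self.state(user) == "locked" else "denied"

def replay(events, guard=None):
    """Run (user, password_ok[, captcha_ok]) tuples through one guard."""
    guard = guard or LoginGuard()
    return [guard.attempt(*event) for event in events]

# Constructed sample sequences, not real login data.
RECOVERED = [("asha", False), ("asha", False), ("asha", True), ("asha", True, True)]
LOCKED_OUT = [("ravi", False), ("ravi", False), ("ravi", False, True), ("ravi", True, True)]
```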

After applying all these configurations, the password requirements will be displayed as shown in the format below.
