Overview
Version
Report Server Version |
---|
11.0 |
Application Scenario
For security concerns, you want the password to be reset only after authentication (such as SMS or email verification) when you forget the password.
You may have set a simple password for login convenience and expect the platform to remind you to update the password regularly.
Enterprises with high-security levels have requirements for the complexity of user passwords, such as the inclusion of uppercase letters and symbols.
For security concerns, you do not want your current password to be the same as previous ones.
Passwords in the server datasets are often too simple or fail to meet the enterprise security requirements during user import or synchronization, and admins hope that users must change their passwords upon initial login.
For security concerns, platform users want the password to be modified only after authentication (such as SMS or email verification) when they want to modify their passwords.
Function Description
If you have high-security requirements for the platform password system, you can go to System Management > System Setting > Login > Password Policy Setting and set requirements and restrictions for user passwords to enhance platform security.
Validity
Password policies will not take effect for users whose passwords cannot be edited in this system.
Notes
Do not configure the password policy settings for projects with custom login pages. The configuration items in System Management > Login are not compatible with those included in custom login pages.
For example, if you enable Forced Initial Password Change, you cannot access the password modification page through the custom login page, resulting in login failure.
Authentication Methods for Resetting Password
Log in to the decision-making platform as the admin, choose System Management > System Setting > Login > Password Policy Setting, and set the authentication methods for resetting the password, as shown in the figure below.
The Forget Password function is described in the following table.
Reset Password by SMS | Reset Password by Email | Forget Password |
---|---|---|
Disabled | Disabled | Unavailable |
Enabled | Disabled | Available |
Disabled | Enabled | Available |
Enabled | Enabled | Available (Reset Password by SMS is selected by default and you can change the authentication method as needed). |
Reset Password by SMS
Binding Mobile Phone Number to Username
Bind the mobile phone number to the username, as shown in the following figure.
1. Mobile phone numbers in mainland China, Taiwan (China), Hong Kong (China), Turkey, South Korea, Japan, Singapore, and Malaysia are supported.
2. For countries and regions such as Taiwan (China), South Korea, Japan, and Malaysia, there is no need to add the number 0 before the phone number or after the area code.
Enabling SMS Function
For details, see SMS.
Enabling Reset Password by SMS
Effect Display
Log out of the current account. There is a Forgot Password button on the login page, as shown in the figure below.
Click the button, enter the mobile phone number and the verification code, and click OK.
Enter the new password and click Save.
Click Log In Now or wait for automatic login after the password is changed successfully.
If the entered phone number is not bound to a username, a prompt pops up saying "Account not found".
If the entered phone number does not receive the verification code while no error is reported, check whether the SMS account balance is sufficient.
Resetting Password by Email
Binding Mailbox to Username
Bind the mailbox to the username, as shown in the following figure.
Enabling Email
For details, see Email.
Enabling Reset Password by Email
Effect Display
Log out of the current account. There is a Forgot Password button on the login page, as shown in the figure below.
Click the button, enter the mailbox and the verification code, and click OK.
Enter the new password and click Save.
Click Log In Now or wait for automatic login after the password is changed successfully.
Regular Password Update
You can customize the update cycle and the reminder date after enabling Regular Password Update.
The Regular Password Update function is described as follows.
Update Cycle: Enter the number of days manually (at least seven days) or select fixed days from the drop-down list. The month options in the drop-down list will be converted into days automatically (one month = 30 days).
If the value set in Update Cycle is less than or equal to that set in the reminder, the value in the reminder will be set to 3 by default.
The new and old passwords cannot be the same.
This function is supported on mobile terminals.
If the password is not modified within the validity period, login with the old password will fail, prompting "The current password has expired. Change the password to a new one."
If Regular Password Update is enabled, the system will automatically judge whether the update date is going to be reached at your login. If the reminder condition is met, the system will send a platform message to you, prompting "The current password will expire in N days. Change your password as soon as possible."
Password Strength Limit
You can customize the password strength after enabling Password Strength Limit.
The Password Strength Limit function is described as follows.
The password strength limit also takes effect for modifying passwords at Account Setting.
The username is not case-sensitive. Take the username "admin" as an example: if No Username is ticked, the password cannot include any form of admin, such as ADMIN, Admin, and adMIN.
The password strength limit takes effect for any password modification in the system.
If the password entered at your login is detected to be unable to meet the strength requirements, the system will redirect to the password modification page.
This function is supported on mobile terminals.
The system verifies whether the new password meets the strength requirements. Enter a password that meets the strength limit and click OK, as shown in the following figure.
Password Repetition Check
If you enable Password Repetition Check (disabled by default), the password cannot be changed to any of the previous N passwords.
The Password Repetition Check function is described as follows.
The N Value should be an integer between one and ten.
The current password is not counted as a previously used password.
If the admin resets users' passwords, these passwords will be counted as previously used passwords. Historical passwords will not be emptied after a reset.
This function is supported on mobile terminals.
If Password Repetition Check is enabled and the new password triggers the repetition check, it will prompt "No historical password can be used."
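The following Python model of the repetition-check rules listed above is an added example, not the platform's own code. The class and method names, the PBKDF2 storage scheme, and the choice that an admin reset is not itself subject to the check are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import deque

ROUNDS = 100_000  # assumed PBKDF2 work factor for this sketch
REJECT = "No historical password can be used."  # prompt quoted from the page


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def _entry(password):
    # Each stored password gets its own salt; plaintext is never kept.
    salt = os.urandom(16)
    return salt, _digest(password, salt)


class PasswordHistory:
    """Hypothetical per-account model of Password Repetition Check."""

    def __init__(self, n, initial_password):
        if not isinstance(n, int) or not 1 <= n <= 10:
            raise ValueError("N must be an integer between 1 and 10")
        self.n = n
        self.previous = deque(maxlen=10)  # retired passwords, oldest first
        self.current = _entry(initial_password)

    def is_reused(self, candidate):
        # Only the last N retired passwords count; the current password is
        # deliberately excluded, as the page states.
        recent = list(self.previous)[-self.n:]
        return any(
            hmac.compare_digest(_digest(candidate, salt), stored)
            for salt, stored in recent
        )

    def _rotate(self, new_password):
        # The outgoing password joins the history; nothing is ever cleared.
        self.previous.append(self.current)
        self.current = _entry(new_password)

    def user_change(self, new_password):
        if self.is_reused(new_password):
            return REJECT
        self._rotate(new_password)
        return "ok"

    def admin_reset(self, new_password):
        # Assumption: the reset bypasses the check but still feeds the history.
        self._rotate(new_password)
```

Storing salted digests means each candidate must be re-hashed against every retained entry, so the cost of a check grows with N.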
Forced Initial Password Change
If you enable Forced Initial Password Change (disabled by default), you will be prompted to change the password at the first login after password initialization or reset.
If the initial password is used for login, the prompt is as follows.
Modifying Password Change Authentication Method
If the correct username and the password entered on the login page trigger rules like Forbid Repeated Login with Same Account in Single Login, Regular Password Update, Password Strength Limit, and Forced Initial Password Change, you will be forced to change the password.
If you enable Password Change Authentication Method, you have to pass the authentication through SMS or Email before changing passwords on the login page.
The Password Change Authentication Method function is described as follows.
If both authentication methods are enabled and both the mobile phone number and the mailbox are bound to the username, SMS is used by default.
If your login triggers the password change, only after passing the authentication through the selected method can you change the password and log in to the system successfully.
There is no authentication when you change the password at Account Setting.
Only SMS authentication is supported on mobile terminals.
SMS Authentication
Binding Mobile Phone Number to Username
Click Account Setting and Bind, enter the mobile phone number, click OK, and click Complete.
1. Mobile phone numbers in mainland China, Taiwan (China), Hong Kong (China), Turkey, South Korea, Japan, Singapore, and Malaysia are supported.
2. For countries and regions such as Taiwan (China), South Korea, Japan, and Malaysia, there is no need to add the number 0 before the phone number or after the area code.
Enabling SMS Authentication
Enable SMS authentication, as shown in the following figure.
Authentication
Email Authentication
Binding Mailbox to Username
Click Account Setting and Bind, enter the email, click Obtain Verification Code, enter the verification code, click OK, and click Complete.
Enabling Email Authentication
To enable Email authentication (disabled by default), you need to first enable the Email function and bind your mailbox.
Enable Email authentication, as shown in the following figure.
Authentication
Notes
If the correct username and the password entered on the login page trigger rules like Forbid Repeated Login with Same Account in Single Login, Regular Password Update, Password Strength Limit, and Forced Initial Password Change, you will be forced to change the password.
If Password Change Authentication Method is disabled, you need to enter your previous password for verification when changing the password.
1. You need to enter the correct previous password within five attempts. After you enter a wrong password for the first time, it prompts "Wrong password. The account will be locked after wrong passwords are entered for 4 more times."
2. If the previous password is entered incorrectly after five attempts:
Common User
A prompt pops up, saying "You have input incorrect passwords for too many times. Re-try it in 15 minutes or contact the administrator."
You can wait 15 minutes and try again, or contact the super admin, who can change your password by referring to the Resetting Password section in User Modifying/Resetting Password. After that, you can log in to the system with the new password.
Super Admin
A prompt pops up, saying "You have input incorrect passwords for too many times. Re-try it in 15 minutes."
You can wait 15 minutes and try again, or change your password by referring to the Resetting Password section in Admin Modifying/Resetting Password. After that, you can log in to the system with the new password.