# Password Policies
Password policies define the rules that user passwords must satisfy when they are created, changed, or rotated. A strong password policy is one of the simplest and most effective ways to protect accounts from credential-based attacks.
## Default Policy
All Novaza workspaces start with a sensible default policy:
- Minimum length: 10 characters
- At least one letter and one digit
- Cannot match the user’s email address
- Cannot be one of the user’s last 5 passwords
- Expires every 180 days
Administrators can tighten (but not loosen) the default on Professional and Enterprise plans.
## Configurable Rules
| Rule | Description |
|---|---|
| Minimum length | Reject passwords shorter than N characters |
| Character classes | Require any combination of lowercase, uppercase, digits, symbols |
| Dictionary check | Reject passwords found in common-breach lists |
| History | Prevent reuse of the last N passwords |
| Expiry | Force password change after N days |
| Lockout | Lock the account after N failed attempts within a time window |
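The default policy and the configurable rules from the table, as an added Python example; this is not Novaza's own code, and the `PasswordPolicy` fields, the breach list and the function names are assumptions chosen for illustration.

```python
# Added example (not Novaza's own code): a validator for the default policy
# above plus a failed-login lockout counter. Names are assumptions.
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in for a breach/dictionary list; a real one is far larger.
BREACHED = frozenset({"password123", "qwerty12345", "welcome2024"})

@dataclass
class PasswordPolicy:
    min_length: int = 10        # default: 10 characters
    require_upper: bool = False  # optional character-class rules
    require_symbol: bool = False
    history_size: int = 5       # default: last 5 passwords

def _digest(password: str) -> str:
    # Illustrative only: a real history store keeps salted, slow hashes (argon2/bcrypt).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_password(policy, password, email, history):
    """Return the list of violated rules; an empty list means accepted.
    history: digests of the user's previous passwords, oldest first."""
    errors = []
    if len(password) < policy.min_length:
        errors.append("min_length")
    if not re.search(r"[A-Za-z]", password):       # default: at least one letter
        errors.append("letter")
    if not re.search(r"[0-9]", password):          # default: at least one digit
        errors.append("digit")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        errors.append("uppercase")
    if policy.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        errors.append("symbol")
    if password.strip().lower() == email.strip().lower():
        errors.append("matches_email")
    if password.lower() in BREACHED:
        errors.append("dictionary")
    if _digest(password) in history[-policy.history_size:]:
        errors.append("history")
    return errors

def is_locked_out(failure_times, now, max_failures=5, window_seconds=900):
    """Lockout rule: True once max_failures failures fall inside the window."""
    recent = [t for t in failure_times if now - t < window_seconds]
    return len(recent) >= max_failures
```

Only the most recent `history_size` digests are consulted, so a password older than the window becomes reusable, which is exactly the behaviour the "last N passwords" rule specifies.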
## Password Reset
Users who forget their password can request a reset link from the login page. The link is sent to the user’s verified email address and expires after 60 minutes. Reset links can be used only once.
Administrators can also trigger a forced password reset for any user from the user detail page — the next time the user logs in, they will be required to choose a new password before continuing.
## Service Accounts
Service accounts and API users do not use passwords. They authenticate with long-lived API keys or short-lived OAuth tokens and are exempt from password policies.
## Recommendations
- Prefer SSO over passwords whenever possible — external identity providers usually enforce stronger controls
- Enable MFA for every user — a strong password alone is not sufficient
- Review the audit log periodically for failed login patterns