Settings Password Rules (Sysadmin
TABLE OF CONTENTS
- 1 Overview
- 2 Password complexity levels
- 3 Accessing password rules
- 4 Additional password settings
- 5 Requiring a password change on next login
This article describes the password rules that apply to accounts logging in with an itslearning username and password, and how sysadmins can configure them under Edit global settings.
1 Overview
The Set password rules setting controls the password policy for the whole site. It defines how complex passwords must be, how long they remain valid, and whether previously used passwords can be reused.
Note: These settings only apply to accounts that log in with an itslearning username and password. They do not affect users who log in through an external identity provider, where the password policy is managed externally.
The default setting in itslearning is strong password complexity, and this is the recommended level. Admins can choose a lower level of complexity if that is preferred by the educational organisation.
Important: Reducing the complexity of password settings affects the security of all users on the site, regardless of their profile. Be especially careful if local admins do not have 2-factor authentication enabled, as 2FA is mandatory for system admins but not for local admins.
2 Password complexity levels
| Level | Requirements |
|---|---|
| Low | At least 7 characters. No requirement for obligatory character types. |
| Medium | At least 10 characters, including lowercase, uppercase and number(s). |
| Strong (default, recommended) | At least 13 characters, including lowercase, uppercase, number(s) and special character(s). |
3 Accessing password rules
Admin setting: Admin > Edit global settings > Features and security > Set password rules
4 Additional password settings
The following settings are also configured on the same page:
| Setting | Description |
|---|---|
| Minimum password length | For the selected complexity level, the minimum allowed value is 7 characters. |
| Previous password reuse | Sets the number of previous passwords that cannot be reused (1–24). |
| Maximum password validity | Sets the maximum time a password is valid, in days. A value of 0 means the password never expires. |
| Expiry warning | Sets how many days before expiry a warning message is displayed to the user. [VERIFY: default number of days] |
5 Requiring a password change on next login
Admins can require that all users change their password after their next login.
Note: If this option is enabled, it is also set automatically for individual accounts under Admin > User and access rights > User account > Password > Must change password on next login.