Home Knowledge Base Administrator Global settings Settings Password Rules (Sysadmin

Settings Password Rules (Sysadmin

TABLE OF CONTENTS

This article describes the password rules that apply to accounts logging in with an itslearning username and password, and how sysadmins can configure them under Edit global settings.


1 Overview

The Set password rules setting controls the password policy for the whole site. It defines how complex passwords must be, how long they remain valid, and whether previously used passwords can be reused.

Note: These settings only apply to accounts that log in with an itslearning username and password. They do not affect users who log in through an external identity provider, where the password policy is managed externally.

The default setting in itslearning is strong password complexity, and this is the recommended level. Admins can choose a lower level of complexity if that is preferred by the educational organisation.

Important: Reducing the complexity of password settings affects the security of all users on the site, regardless of their profile. Be especially careful if local admins do not have 2-factor authentication enabled, as 2FA is mandatory for system admins but not for local admins.


2 Password complexity levels

LevelRequirements
LowAt least 7 characters. No requirement for obligatory character types.
MediumAt least 10 characters, including lowercase, uppercase and number(s).
Strong (default, recommended)At least 13 characters, including lowercase, uppercase, number(s) and special character(s).

3 Accessing password rules

Admin setting: Admin > Edit global settings > Features and security > Set password rules

Set password rules screen showing password complexity, expiry and login rule settings


4 Additional password settings

The following settings are also configured on the same page:

SettingDescription
Minimum password lengthFor the selected complexity level, the minimum allowed value is 7 characters.
Previous password reuseSets the number of previous passwords that cannot be reused (1–24).
Maximum password validitySets the maximum time a password is valid, in days. A value of 0 means the password never expires.
Expiry warningSets how many days before expiry a warning message is displayed to the user. [VERIFY: default number of days]

5 Requiring a password change on next login

Admins can require that all users change their password after their next login.

Note: If this option is enabled, it is also set automatically for individual accounts under Admin > User and access rights > User account > Password > Must change password on next login.