Set your Phocas site's password policy
If your site uses Phocas authentication (default), users and passwords are stored in the Phocas system and you can set a site-wide password policy that includes automatic expiry, length, character requirements, and so on.
The Phocas-managed password policy does not apply if you are using another way to authenticate Phocas users:
LDAP (Lightweight Directory Access Protocol): This authentication method can be configured during installation. User passwords take on AD (Active Directory) protocols.
SSO (single sign-on): This authentication method uses a trusted third-party identity provider (IdP) to allow users to sign in to Phocas with the same credentials they use for other applications.
In the Phocas menu, click Administration > Configuration. The Password Policy settings are at the top of the General tab.
Set your required password policy:
Automatic expiry (days): The number of days a user’s password will remain valid before it expires, forcing the user to reset their password when they next attempt to sign in. An administrator can also reset passwords. Select the duration from the dropdown list.
Failed sign in attempts: The number of times a user can try to sign in to Phocas before they are locked out of their account. By default, this is two attempts. If this setting is left blank or set to 0, there is no limit to the number of times a user can try to sign in. LDAP accounts are not subject to lockout. See how to unlock a user's account.
Minimum length: The minimum length of a password. By default, this is 8 characters.
Minimum uppercase letters, numbers, and special characters: The minimum number of uppercase letters, numeric characters, and/or special characters that users must have in their passwords. By default, these are all 0.
Password cannot be username: This checkbox is selected by default, which means that users can’t include their username in their passwords. Clear this checkbox if you want to allow users to include their usernames in their passwords (not recommended).
Prevent users from changing password: Select this checkbox to prevent users from changing their own password. When it is selected, non-administrators cannot change their password.
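To see how the length, character-count and username settings combine before you change them, the following added example (not Phocas code) models them in Python and checks a few constructed passwords against the stated defaults and against a stricter, hypothetical policy. It assumes that "special characters" means ASCII punctuation and that the username check is a case-insensitive substring match; Phocas may evaluate either differently.

```python
from dataclasses import dataclass
import string


@dataclass
class PasswordPolicy:
    # Defaults are the ones stated on this page.
    min_length: int = 8
    min_uppercase: int = 0
    min_numbers: int = 0
    min_special: int = 0
    cannot_be_username: bool = True


def violations(policy, username, password):
    """Return the names of the settings a candidate password fails."""
    # Assumption: "special" means ASCII punctuation.
    upper = sum(c.isupper() for c in password)
    digits = sum(c.isdigit() for c in password)
    special = sum(c in string.punctuation for c in password)
    failed = []
    if len(password) < policy.min_length:
        failed.append("Minimum length")
    if upper < policy.min_uppercase:
        failed.append("Minimum uppercase letters")
    if digits < policy.min_numbers:
        failed.append("Minimum numbers")
    if special < policy.min_special:
        failed.append("Minimum special characters")
    # Assumption: case-insensitive substring match on the username.
    if policy.cannot_be_username and username and username.lower() in password.lower():
        failed.append("Password cannot be username")
    return failed


DEFAULTS = PasswordPolicy()
# Hypothetical stricter policy, constructed for comparison.
STRICTER = PasswordPolicy(min_length=12, min_uppercase=1, min_numbers=1, min_special=1)

# Constructed sample accounts and passwords.
SAMPLES = [("jsmith", "password"), ("jsmith", "Jsmith2024!x"), ("jsmith", "Tr4il-mix-Harbor")]


def report():
    """Map each sample password to (failures under defaults, failures under stricter)."""
    return {pw: (violations(DEFAULTS, u, pw), violations(STRICTER, u, pw)) for u, pw in SAMPLES}


if __name__ == "__main__":
    for pw, (d, s) in report().items():
        print(f"{pw!r}: defaults={d or 'accepted'} stricter={s or 'accepted'}")
```

Under these assumptions the default settings accept an eight-letter, all-lowercase password, so the character minimums only take effect once you raise them from 0.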
More about user passwords
Other tools and settings are available to help you manage user passwords; see the Manage user passwords page.