Users and Password Policy

A robust users and password policy is essential to ensure the security of the system by controlling access and maintaining the integrity of user accounts.

The following guidelines outline the key requirements for managing users and passwords within the system:

Password Creation

  1. Enforce strong password creation policies.

    • Minimum length: 8 characters
    • Complexity: Must include uppercase letters, lowercase letters, numbers, and special characters.
  2. Prohibit the use of common passwords and passwords from known data breaches.

  3. Employ mechanisms to prevent the reuse of previous passwords, such as keeping a history of the 5 previous passwords.
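The three creation rules above can be enforced in one validator. The following is an added example, not code from the original page or from the ESA product: it checks the stated length and character-class requirements, rejects passwords found in a breached-password set, and refuses any password matching one of the last 5 stored. The breached set here is a constructed stand-in of a few SHA-1 digests (a real deployment would consult a breach corpus such as a k-anonymity range lookup); the history is kept as salted PBKDF2 hashes so the old passwords themselves are never stored. Names such as `PasswordHistory` and `validate_new_password` are this example's own.

```python
import hashlib
import hmac
import os
import re
from collections import deque

# Policy parameters as stated on the page
MIN_LENGTH = 8
HISTORY_SIZE = 5
PBKDF2_ITERATIONS = 200_000  # assumption: any modern work factor is fine here

# Constructed deny list: SHA-1 digests standing in for a breached-password feed.
# Note that "Password1!" satisfies every complexity rule yet is still rejected.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "Password1!")
}

# One regex per required character class
COMPLEXITY_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_failures(password):
    """Return a list of rule violations; empty means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in COMPLEXITY_CLASSES.items():
        if not pattern.search(password):
            failures.append(f"missing {name}")
    return failures


def is_breached(password):
    """Exact-match lookup against the (constructed) breach digest set."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordHistory:
    """Keeps the last HISTORY_SIZE password hashes; the oldest is dropped automatically."""

    def __init__(self, size=HISTORY_SIZE):
        self.size = size
        self._entries = deque(maxlen=size)

    def contains(self, password):
        # Re-derive with each stored salt and compare in constant time
        return any(
            hmac.compare_digest(hash_password(password, salt)[1], digest)
            for salt, digest in self._entries
        )

    def record(self, password):
        self._entries.append(hash_password(password))


def validate_new_password(password, history):
    """Apply all three creation rules; returns the list of problems found."""
    problems = complexity_failures(password)
    if is_breached(password):
        problems.append("appears in known breach data")
    if history.contains(password):
        problems.append(f"matches one of the last {history.size} passwords")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    for candidate in ("Ab1!", "Password1!", "Tr0ub4dor&3x"):
        print(candidate, "->", validate_new_password(candidate, hist) or "accepted")
```

Because `record` is only called after a password has been accepted, the history never contains a breached or weak value, and the `deque(maxlen=5)` gives the "history of 5" rule without any manual pruning.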

Password Protection

Use multi-factor authentication (MFA) to provide an additional layer of security.

Password Change Requirements

  1. Require users to change their passwords at regular intervals, for example, every 90 days.

  2. Force password changes immediately if a compromise or suspicion of compromise is detected.

  3. Provide mechanisms for users to securely reset their passwords.

Account Lockout Policies

  1. ESA is configured with account lockout after 3 unsuccessful login attempts.

  2. If an external account manager is used:

    • Implement account lockout after a specified number of failed login attempts, for example, locking out after 3 unsuccessful attempts.

    • Define a lockout duration or require administrative intervention to unlock accounts.

    For more information about the password policy for appliance users, refer to Password Policy for all appliance users.
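For an external account manager, the lockout rule above reduces to a small piece of state per user. The following is an added example and not ESA's own implementation: it locks an account after 3 consecutive failures, either for a fixed duration (15 minutes here, an assumed value) or until an administrator unlocks it, and it rejects every attempt while locked, including one with the correct password, without letting such attempts reset or extend the counter. The clock is injectable so the duration rule can be exercised without waiting; `LockoutTracker` and `attempt_login` are this example's names.

```python
import time

# Threshold as stated on the page; duration is an assumption for illustration
MAX_FAILED_ATTEMPTS = 3
LOCKOUT_SECONDS = 15 * 60
ADMIN_UNLOCK = float("inf")  # sentinel: lock never expires on its own


class LockoutTracker:
    """Per-user failure counter with time-based or administrative unlock."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 require_admin_unlock=False, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.require_admin_unlock = require_admin_unlock
        self.clock = clock
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> monotonic time when the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear it and start the counter fresh
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user):
        """Count a failed attempt; returns True if this one triggered a lock."""
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_attempts:
            expiry = ADMIN_UNLOCK if self.require_admin_unlock else self.clock() + self.lockout_seconds
            self._locked_until[user] = expiry
            return True
        return False

    def record_success(self, user):
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(user, None)

    def admin_unlock(self, user):
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)

    def failures(self, user):
        return self._failures.get(user, 0)


def attempt_login(tracker, user, password_ok):
    """Returns 'locked', 'ok' or 'denied'. password_ok is the credential check result."""
    if tracker.is_locked(user):
        # Do not touch the counter: attempts during lockout must not extend or reset it
        return "locked"
    if password_ok:
        tracker.record_success(user)
        return "ok"
    tracker.record_failure(user)
    return "denied"


if __name__ == "__main__":
    t = LockoutTracker()
    for _ in range(3):
        print(attempt_login(t, "alice", password_ok=False))
    print(attempt_login(t, "alice", password_ok=True))  # locked, even with the right password
```

Checking `is_locked` before evaluating the credential matters: if the lock is tested only after a failed password check, an attacker still gets a correct/incorrect oracle during the lockout window, and the failure counter keeps climbing.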


Last modified: July 30, 2025