New password enhancements
Posted under: New Features
In his article entitled “How to use Software as a Service securely”, author Phil Cox describes how SaaS providers need to enforce stronger password restrictions to help prevent unauthorized access to the application.
When we first launched VendorRisk.com, we had the following criteria in place that administrators could select when customizing their site:
- minimum password length (4 to 10 characters)
- minimum number of lower-case letters
- minimum number of upper-case letters
- minimum number of digits
- minimum number of symbols (! @ # $ % ^ & * ( ))
Phil mentioned two other restrictions that would help password security — requiring the user to change their password every XX days, and not allowing old passwords to be used again.
Both are excellent ideas, so we implemented them in a new version of the application pushed last week. Admins can now require users to change their passwords every 30 days, 3 months, or 6 months, and choose whether or not users can re-use old passwords.
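To make the three kinds of rule concrete (the composition minimums from the original launch, the rotation interval, and the ban on re-using old passwords), here is a small policy engine written for this post as an added illustration. It is not VendorRisk.com's own code and the page says nothing about how the site stores passwords; the PBKDF2 hashing scheme, the `Policy` field names, the day counts used to approximate "3 months" and "6 months", and the sample passwords are all assumptions. The point a practitioner should check in any implementation of "no re-use" is visible in `matches_history`: the history holds only salted hashes, and the candidate is re-hashed under each stored salt and compared in constant time, so old plaintexts are never kept.

```python
# Added example of a password-policy engine; not VendorRisk.com's code.
# Hashing scheme, field names, month-to-day approximations and sample data
# are assumptions made for this illustration.
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

SYMBOLS = set("!@#$%^&*()")  # the symbol set listed in the post

# Rotation options offered to admins; months approximated in days (assumption)
ROTATION_DAYS = {"never": None, "30 days": 30, "3 months": 90, "6 months": 180}

HashRecord = Tuple[bytes, bytes]  # (salt, digest) for one stored password


class Policy:
    """Site-wide settings an administrator selects (field names are assumed)."""

    def __init__(self, min_length=8, min_lower=1, min_upper=1, min_digits=1,
                 min_symbols=1, rotation="3 months", allow_reuse=False):
        self.min_length = min_length        # the post allows 4 to 10
        self.min_lower = min_lower
        self.min_upper = min_upper
        self.min_digits = min_digits
        self.min_symbols = min_symbols
        self.rotation = rotation            # a key of ROTATION_DAYS
        self.allow_reuse = allow_reuse


def composition_errors(password: str, policy: Policy) -> List[str]:
    """Return the composition rules the candidate violates (empty list if none)."""
    counts = {
        "lower-case letters": sum(c.islower() for c in password),
        "upper-case letters": sum(c.isupper() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "symbols": sum(c in SYMBOLS for c in password),
    }
    required = {
        "lower-case letters": policy.min_lower,
        "upper-case letters": policy.min_upper,
        "digits": policy.min_digits,
        "symbols": policy.min_symbols,
    }
    errors = []
    if len(password) < policy.min_length:
        errors.append("needs at least %d characters" % policy.min_length)
    for name, need in required.items():
        if counts[name] < need:
            errors.append("needs at least %d %s" % (need, name))
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> HashRecord:
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt is drawn for every new
    password, so the history can hold hashes only and never old plaintexts."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_history(password: str, history: List[HashRecord]) -> bool:
    """Re-hash the candidate under each old salt and compare in constant time."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def rotation_elapsed(days_elapsed: int, rotation: str) -> bool:
    """True when the selected rotation interval has run out; 'never' never expires."""
    days = ROTATION_DAYS[rotation]
    return days is not None and days_elapsed >= days


def password_expired(last_changed: datetime, rotation: str,
                     now: Optional[datetime] = None) -> bool:
    """Whether the user must be forced to change their password at login."""
    if now is None:
        now = datetime.now(timezone.utc)
    return rotation_elapsed((now - last_changed).days, rotation)


def validate_change(new_password: str, history: List[HashRecord],
                    policy: Policy) -> List[str]:
    """All reasons a password change must be rejected; an empty list means accept."""
    errors = composition_errors(new_password, policy)
    if not policy.allow_reuse and matches_history(new_password, history):
        errors.append("must not match a previously used password")
    return errors


if __name__ == "__main__":
    # Constructed sample data: one prior password on file for a user.
    policy = Policy()
    history = [hash_password("OldPass1!")]
    print(validate_change("short", history, policy))       # composition failures
    print(validate_change("OldPass1!", history, policy))   # rejected: reuse
    print(validate_change("NewPass2!", history, policy))   # accepted: []
    changed = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(password_expired(changed, policy.rotation, now=changed + timedelta(days=91)))
```

Each successful change should append the new `(salt, digest)` pair to the user's history and reset `last_changed`; how many old hashes to retain is a site decision the post does not specify.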
