Docebo has introduced a new, more secure password policy to enhance your platform’s security.
Some settings will be automatically applied to the new LMS, but you can always change some of them through the related options in the Admin – Advanced settings – Password tab.
In the new LMS, passwords must contain at least 6 characters. You can change this option by editing the value in the Password length, minimum number of characters field.
Passwords cannot consist solely of sequences or repeated characters (e.g., 12345678, 222222, abcdefg) or of adjacent keys on the keyboard (qwerty). Passwords also cannot be common password terms such as ‘password’, ‘password123’, ‘changeme’, ‘admin’, ‘administrator’, etc. These policies are enforced across all platforms.
If a password is generated by the system, the user will be required to change it at first login. This option is used if you are synchronizing your users with a Salesforce Database; otherwise the system does not generate any passwords.
Please note that the creation of users through the APIs is not affected by these rules.
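Because users created through the APIs are not subject to these rules, a provisioning script can apply equivalent checks before it submits a password. The following is an added example, not Docebo's code: the function names, the US-QWERTY key rows and the exact sequence test are assumptions, and it only covers passwords that consist entirely of a sequence, a repeated character or a run of adjacent keys.

```python
# Added example: approximates the rules described on this page.
# It is not Docebo's implementation; names and heuristics are assumptions.
MIN_LENGTH = 6  # default minimum stated on the page; configurable in the LMS
# Only the terms named on the page; a real deployment would load a larger list.
COMMON = {"password", "password123", "changeme", "admin", "administrator"}
# Assumed US-QWERTY layout rows for the adjacent-key check.
KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _is_repeated(pw):
    # The whole password is one character repeated (222222).
    return len(set(pw)) == 1


def _is_sequence(pw):
    # Every step between neighbours is +1, or every step is -1 (abcdefg, 654321).
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def _is_keyboard_run(pw):
    # The whole password is a contiguous slice of one key row, in either direction.
    return any(pw in row or pw in row[::-1] for row in KEY_ROWS)


def check_password(password, min_length=MIN_LENGTH):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    pw = password.lower()
    if len(password) < min_length:
        problems.append("too short")
    if pw in COMMON:
        problems.append("common password")
    if len(pw) > 1 and (_is_repeated(pw) or _is_sequence(pw) or _is_keyboard_run(pw)):
        problems.append("sequence, repeated characters or adjacent keys")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, as a provisioning script might receive them.
    for candidate in ("12345678", "qwerty", "changeme", "T7#vaulted-Llama"):
        print(candidate, check_password(candidate) or "ok")
```

Reject or regenerate any candidate for which `check_password` returns a non-empty list before passing it on.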
Here you can find some suggestions and best practices to enhance the security of your LMS:
– Users must be required to change their password periodically (minimum 2 times per year). Manage this through the following option:
– Allow users to reset their password through an automated system. Remember: once a user is logged in, they will always have the option of changing their password by clicking on the menu icon.
If they are not logged in, they can retrieve a forgotten password through the lost password link.
– Do not allow passwords that contain personal information (person’s name, birthday, passport number, userID, family name, pet, etc.).
– Passwords should not be words that can be found in a dictionary, because password-cracking programs typically use words from a dictionary to guess a password. Docebo allows you to activate the Password dictionary check, whereby the system tests the password against a collection of common passwords and English words.
– Block access to a user’s account after 10 failed password attempts, with a warning note before the last attempt. Docebo allows you to set up a more restrictive policy by managing the number of attempts in this area: Admin – Advanced Settings – Users.
If the maximum number of failed attempts is reached, the user is blocked from accessing the system for one hour. Remember: there is no way to manually reset the counter from the admin side.