Password Policies (Pro)

Version: 1.2.1 Pro
Last Updated: November 2025
Difficulty: Intermediate
Time Required: 30 minutes

Overview

Password Policies in Attributes User Access Pro enforce strong password requirements, expiration rules, and complexity standards to protect user accounts and meet compliance requirements.

Why Use Password Policies?

Security Benefits

✓ Prevent Weak Passwords

Stop users from using “password123” or other easily guessable passwords.

✓ Regulatory Compliance

Meet HIPAA, SOC 2, PCI-DSS, ISO 27001, and other compliance standards.

✓ Reduce Breaches

Strong passwords make guessing and brute-force attacks far less likely to succeed.

✓ Professional Standards

Demonstrate enterprise-grade security to clients and auditors.

Accessing Password Policy Settings

Navigate to settings:


WordPress Admin → Settings → Attributes User Access → Security → Password Policies

Password Complexity Requirements

Minimum Length

Configuration:

Minimum Password Length: [12] characters

Recommended lengths by security level:

Security Level   Min Length       Use Case
--------------   --------------   --------------------
Low              8 characters     Public content sites
Medium           12 characters    Business websites
High             16+ characters   Financial/Healthcare

Character Type Requirements

Available options:

☐ Require uppercase letters (A-Z)

☐ Require lowercase letters (a-z)

☐ Require numbers (0-9)

☐ Require special characters (!@#$%^&*)

☐ Block common passwords

☐ Block dictionary words

Example Password Configurations

Standard Business

✓ Minimum 12 characters

✓ Uppercase required

✓ Lowercase required

✓ Numbers required

✓ Special characters required

Example: MySecure2025Pass!

High Security (Healthcare/Finance)

✓ Minimum 16 characters

✓ All character types required

✓ Block common passwords

✓ Block dictionary words

✓ Password expiration: 90 days

Example: MyH0spit@l2025Secure!

User-Friendly (Basic Protection)

✓ Minimum 10 characters

✓ Uppercase required

✓ Numbers required

Special characters optional

Example: MyPassword2025
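
The complexity options above combine into a single server-side check. The following is an added example in Python, not code from the Attributes User Access plugin: the `PasswordPolicy` class, the `check_password` function and the short common-password and dictionary word lists are constructed for illustration, and the three policy objects correspond to the three example configurations listed above. A real deployment would load a full breach corpus and wordlist instead of the sample sets.

```python
import re
from dataclasses import dataclass

# Constructed sample lists for this example only; a real deployment would load
# a breach corpus / wordlist. These entries just exercise the two block options.
COMMON_PASSWORDS = {"password", "password123", "p@ssw0rd", "qwerty123!", "letmein"}
DICTIONARY_WORDS = {"password", "hospital", "welcome", "summer", "dragon", "monkey"}


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirrors the options on the settings page; every flag defaults to off."""
    min_length: int = 12
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False
    block_common: bool = False
    block_dictionary: bool = False
    special_chars: str = "!@#$%^&*"   # the set listed on the settings page


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return every rule the password violates; an empty list means it is accepted.

    Reporting all violations at once (rather than stopping at the first) gives the
    user the complete picture, which cuts repeat attempts and support tickets.
    """
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("must contain an uppercase letter (A-Z)")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("must contain a lowercase letter (a-z)")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("must contain a number (0-9)")
    if policy.require_special and not any(c in policy.special_chars for c in password):
        problems.append(f"must contain a special character ({policy.special_chars})")
    if policy.block_common and password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if policy.block_dictionary:
        lowered = password.lower()
        hits = sorted(w for w in DICTIONARY_WORDS if w in lowered)
        if hits:
            problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


# The three example configurations from this page, expressed as policies.
STANDARD_BUSINESS = PasswordPolicy(min_length=12, require_upper=True, require_lower=True,
                                   require_digit=True, require_special=True)
HIGH_SECURITY = PasswordPolicy(min_length=16, require_upper=True, require_lower=True,
                               require_digit=True, require_special=True,
                               block_common=True, block_dictionary=True)
USER_FRIENDLY = PasswordPolicy(min_length=10, require_upper=True, require_digit=True)


if __name__ == "__main__":
    for pw, pol in [("MySecure2025Pass!", STANDARD_BUSINESS),
                    ("MyH0spit@l2025Secure!", HIGH_SECURITY),
                    ("MyPassword2025", USER_FRIENDLY),
                    ("password123", HIGH_SECURITY)]:
        print(pw, "->", check_password(pw, pol) or "accepted")
```

Note that the dictionary check is a plain substring match after lowercasing, so a word hidden behind character substitutions (as in the High Security example above) is not caught; that is the reason the page's own advice later warns that simple substitutions such as "P@ssw0rd" are not a real defence on their own.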

Password Expiration Rules

Force Regular Password Changes

Configuration:

Password Expiration: [90] days

Warning Period: [14] days

Grace Period: [7] days

How Expiration Works

Timeline:

Days 1-76:

Password valid, no warnings

User logs in normally

Days 77-90 (Warning Period):

User sees warning on login:

“Your password will expire in X days”

Can still log in

Prompted to change password

Days 91-97 (Grace Period):

“Your password has expired”

Can log in but forced to change password

Redirected to password change page

Day 98+ (Hard Expiration):

Cannot log in

Must contact administrator

Password reset required

Expiration Email Notifications

Automatic emails sent:

  • 14 days before: “Password expires soon”
  • 7 days before: “Password expires in 1 week”
  • 1 day before: “Password expires tomorrow”
  • On expiration: “Password has expired”
  • After grace period: “Account locked”
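
The timeline and the notification schedule above can be expressed as a small state machine, which is also the logic a login handler needs in order to decide whether to allow the login, force a password change, or refuse access. This is an added example in Python, not the plugin's own code: `ExpirationPolicy`, `password_state`, `login_decision` and `notification_for_day` are names assumed here, and the day-numbering convention (the day the password is set counts as day 1) is an assumption chosen so that the default values reproduce the day ranges listed above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PasswordState(Enum):
    VALID = "valid"       # days 1-76 with the defaults: no warning
    WARNING = "warning"   # days 77-90: login allowed, change prompted
    GRACE = "grace"       # days 91-97: login allowed, change forced
    LOCKED = "locked"     # day 98+: login refused, administrator reset required


@dataclass(frozen=True)
class ExpirationPolicy:
    expiration_days: int = 90
    warning_days: int = 14
    grace_days: int = 7


DEFAULT_POLICY = ExpirationPolicy()


def day_number(changed_on, today) -> int:
    """Age in days, where the day the password was set counts as day 1 (assumed convention)."""
    return (today - changed_on).days + 1


def password_state(day: int, policy: ExpirationPolicy = DEFAULT_POLICY) -> PasswordState:
    if day <= policy.expiration_days - policy.warning_days:
        return PasswordState.VALID
    if day <= policy.expiration_days:
        return PasswordState.WARNING
    if day <= policy.expiration_days + policy.grace_days:
        return PasswordState.GRACE
    return PasswordState.LOCKED


def days_until_expiry(day: int, policy: ExpirationPolicy = DEFAULT_POLICY) -> int:
    """Positive while the password is still valid; 0 or negative once it has expired."""
    return policy.expiration_days - day + 1


def login_decision(day: int, policy: ExpirationPolicy = DEFAULT_POLICY) -> dict:
    """What the login handler should do for a password of the given age."""
    state = password_state(day, policy)
    messages = {
        PasswordState.VALID: "",
        PasswordState.WARNING: f"Your password will expire in {days_until_expiry(day, policy)} days",
        PasswordState.GRACE: "Your password has expired",
        PasswordState.LOCKED: "Your password has expired; please contact an administrator",
    }
    return {
        "state": state.value,
        "allow_login": state is not PasswordState.LOCKED,
        "force_change": state is PasswordState.GRACE,
        "message": messages[state],
    }


def notification_for_day(day: int, policy: ExpirationPolicy = DEFAULT_POLICY) -> Optional[str]:
    """Which of the automatic emails (if any) is due on this day of the password's life."""
    remaining = days_until_expiry(day, policy)
    if remaining == policy.warning_days:
        return "Password expires soon"
    if remaining == 7 and policy.warning_days > 7:
        return "Password expires in 1 week"
    if remaining == 1:
        return "Password expires tomorrow"
    if day == policy.expiration_days + 1:
        return "Password has expired"
    if day == policy.expiration_days + policy.grace_days + 1:
        return "Account locked"
    return None
```

A scheduled job can call `notification_for_day` once per user per day with the user's current day number; because each message fires on exactly one day, users are not flooded with duplicate reminders if the job is re-run.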

Recommended Expiration Periods

Industry/Type         Expiration     Rationale
-------------------   ------------   -----------------------
Healthcare (HIPAA)    90 days        Compliance requirement
Financial (PCI-DSS)   90 days        Security standard
Corporate Business    90-180 days    Industry best practice
E-Commerce            180 days       Balance security/UX
Membership Sites      Never          User convenience

Password History Settings

Prevent Password Reuse

Configuration:

Remember Last: [5] passwords

How it works:

  • System stores hashed versions of previous passwords
  • User cannot reuse any stored passwords
  • Encourages creating new, unique passwords
  • Prevents password cycling (changing back and forth)

Example Scenario

User’s password history:

  • OldPassword2023! (oldest)
  • MySecure2024Pass
  • NewPassword2024!
  • UpdatedPass2025
  • CurrentP@ss2025 (current)

❌ Cannot reuse any of these 5 passwords

✅ Must create completely new password
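
The scenario above, as an added example in Python that is not the plugin's code. It shows the two properties the "How it works" list relies on: previous passwords are stored only as salted hashes (so a database leak does not expose them), and once a sixth password is recorded the oldest entry is dropped, which is exactly what "Remember Last: 5" means. The `PasswordHistory` class, the `salthex$digesthex` storage format and the PBKDF2 parameters are assumptions made for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # kept modest for the example; tune upward in production


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$digesthex' (constructed format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


class PasswordHistory:
    """Keeps the hashes of the last N passwords (newest last) and refuses reuse."""

    def __init__(self, remember_last: int = 5):
        if remember_last < 1:
            raise ValueError("remember_last must be at least 1")
        self.remember_last = remember_last
        self._hashes = []

    def __len__(self) -> int:
        return len(self._hashes)

    def was_used(self, password: str) -> bool:
        # Every entry has its own salt, so each stored hash has to be recomputed.
        return any(verify_password(password, h) for h in self._hashes)

    def change_password(self, new_password: str) -> bool:
        """Record the new password; return False (and change nothing) if it repeats a stored one."""
        if self.was_used(new_password):
            return False
        self._hashes.append(hash_password(new_password))
        # Drop the oldest entries so only the newest `remember_last` remain.
        del self._hashes[:-self.remember_last]
        return True


def history_from_scenario() -> PasswordHistory:
    """Build the five-password history from the scenario above (oldest first)."""
    history = PasswordHistory(remember_last=5)
    for pw in ["OldPassword2023!", "MySecure2024Pass", "NewPassword2024!",
               "UpdatedPass2025", "CurrentP@ss2025"]:
        history.change_password(pw)
    return history
```

Because the comparison has to recompute a slow hash for every stored entry, a large history size (the 12+ recommended for HIPAA/PCI below) multiplies the cost of each password change by that factor; this is acceptable for a change form but is one reason the check belongs on the change path only, never on ordinary login.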

Recommended History Sizes

Low security: 3 passwords

Standard business: 5 passwords

High security: 10 passwords

HIPAA/PCI compliance: 12+ passwords

Password Strength Meter

Real-Time Visual Feedback

Strength levels:

Weak ●○○○○ – Add more characters

Fair ●●○○○ – Add uppercase/numbers

Good ●●●○○ – Add special characters

Strong ●●●●○ – Excellent!

Very Strong ●●●●● – Outstanding security!

Configuration Options

Display settings:

☑ Show strength meter

☑ Show strength text

☑ Block weak passwords

☑ Require “Good” or better

Color coding:

Weak: Red (#dc3545)

Fair: Orange (#fd7e14)

Good: Yellow (#ffc107)

Strong: Light Green (#28a745)

Very Strong: Dark Green (#155724)
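
The five levels, their hints and the colour codes above can be driven by a scoring function, and the "Block weak passwords" / "Require Good or better" options are then a threshold on the same score applied again on the server (client-side JavaScript can be bypassed, so the gate must not live only in the browser). The following is an added example in Python, not the plugin's meter: the scoring rule (character classes plus length bonuses, minus penalties for ascending runs such as "abcd"/"1234" and keyboard walks such as "qwer") is an assumed heuristic, and `strength_score`, `meter` and `meets_minimum` are names chosen for this example. It goes slightly beyond the page by penalising the sequential and keyboard patterns the "Bad strategies" section warns about.

```python
import re

# Constructed sample list; a real meter would consult a much larger corpus.
COMMON_PASSWORDS = {"password", "password123", "p@ssw0rd", "qwerty", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

# Level name, hint shown under the meter, colour code from the settings page.
LEVELS = [
    ("Weak", "Add more characters", "#dc3545"),
    ("Fair", "Add uppercase/numbers", "#fd7e14"),
    ("Good", "Add special characters", "#ffc107"),
    ("Strong", "Excellent!", "#28a745"),
    ("Very Strong", "Outstanding security!", "#155724"),
]


def pattern_penalty(password: str) -> int:
    """Count ascending runs ("abcd", "1234") and keyboard walks ("qwer") of 4+ characters."""
    p = password.lower()
    penalty, run = 0, 1
    for a, b in zip(p, p[1:]):
        run = run + 1 if ord(b) == ord(a) + 1 else 1
        if run == 4:            # counted once per run, however long it continues
            penalty += 1
    for row in KEYBOARD_ROWS:
        if any(row[i:i + 4] in p for i in range(len(row) - 3)):
            penalty += 1
    return penalty


def strength_score(password: str) -> int:
    """Assumed heuristic, 0-5: character classes plus length bonuses, minus pattern
    penalties. Passwords under 8 characters or on the common list always score 0."""
    if len(password) < 8 or password.lower() in COMMON_PASSWORDS:
        return 0
    classes = sum(bool(re.search(rx, password))
                  for rx in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))
    length_bonus = int(len(password) >= 12) + int(len(password) >= 16)
    return max(0, min(5, classes + length_bonus - pattern_penalty(password)))


def meter(password: str) -> dict:
    """Level, dot bar, hint and colour to render for the given password."""
    index = max(0, strength_score(password) - 1)   # scores 0-1 -> Weak ... 5 -> Very Strong
    name, hint, color = LEVELS[index]
    return {"level": name, "dots": "●" * (index + 1) + "○" * (4 - index),
            "hint": hint, "color": color}


def meets_minimum(password: str, required: str = "Good") -> bool:
    """Server-side gate for the 'Require "Good" or better' option."""
    names = [name for name, _, _ in LEVELS]
    return names.index(meter(password)["level"]) >= names.index(required)
```

The meter is deliberately a coarse guide for users, not a substitute for the policy checks: it treats any non-alphanumeric character as "special", whereas the policy above only accepts the listed set, so a password can light up "Very Strong" and still be rejected by the policy (or the reverse).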

Compliance Templates

Pre-Configured Standards

Available templates:

  • HIPAA Compliance
  • SOC 2 Compliance
  • ISO 27001 Compliance
  • PCI-DSS Compliance

HIPAA Compliance Template

Health Insurance Portability and Accountability Act


Minimum Length: 12 characters
Character Requirements: All types required
Password Expiration: 90 days
Password History: 10 passwords
Account Lockout: 5 attempts
Session Timeout: 15 minutes
2FA: Required for administrative access

To apply:

  • Go to Password Policies
  • Click “Load Template”
  • Select “HIPAA Compliance”
  • Review settings
  • Click “Apply Template”
  • Save changes

SOC 2 Compliance Template

Service Organization Control 2


Minimum Length: 14 characters
Character Requirements: All types required
Password Expiration: 90 days
Password History: 12 passwords
Account Lockout: 3 attempts
Session Timeout: 30 minutes
2FA: Required for privileged users
Audit Logging: Comprehensive

PCI-DSS Compliance Template

Payment Card Industry Data Security Standard


Minimum Length: 12 characters
Character Requirements: All types required
Password Expiration: 90 days
Password History: 4 passwords
Account Lockout: 6 attempts
Inactivity Timeout: 15 minutes
2FA: Required for all access

ISO 27001 Compliance Template

Information Security Management


Minimum Length: 12 characters
Character Requirements: All types required
Password Expiration: 90 days
Password History: 8 passwords
Account Lockout: 5 attempts
Session Timeout: 20 minutes
2FA: Required for admin accounts
Regular Security Audits: Enabled

Implementation Strategy

Gradual Rollout Approach

Phase 1: Soft Launch (Week 1-2)

Enable password strength meter

Show recommendations

Don’t enforce requirements yet

Gather user feedback

Educate users

Phase 2: Warning Period (Week 3-4)

Display policy requirements

Show compliance status

Send notification emails

Allow grace period

Provide support resources

Phase 3: Full Enforcement (Week 5+)

Enforce all requirements

Block non-compliant passwords

Require password changes

Monitor compliance

Provide ongoing support

User Communication

Announcement Email Template

Subject: Important: New Password Requirements Effective [Date]

Dear [User Name],

To enhance the security of your account, we’re implementing new password requirements starting [Date].

New Password Requirements:

✓ Minimum 12 characters

✓ At least one uppercase letter (A-Z)

✓ At least one lowercase letter (a-z)

✓ At least one number (0-9)

✓ At least one special character (!@#$%^&*)

What You Need to Do:

  • Log in to your account by [Date]
  • Go to Profile → Change Password
  • Create a new password meeting these requirements
  • Save your new password securely

Why This Change?

These requirements protect your account from unauthorized access and help us meet security compliance standards.

Need Help?

  • FAQ: [link]
  • Video Tutorial: [link]
  • Contact Support: [email/phone]

Thank you for helping us keep your account secure!

Best regards,

[Your Organization] Security Team

Best Practices

For Administrators

Test Before Enforcing

Enable policies on test accounts first. Verify no unexpected issues before site-wide rollout.

Communicate Early and Often

Notify users at least 2 weeks before enforcement. Provide clear instructions and support resources.

Monitor Compliance

Check audit logs regularly. High failure rates indicate user confusion or overly strict policies.
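
What "high failure rates" look like in practice is easiest to see by summarising the audit log per rule: if one requirement accounts for most rejections, that requirement (or its error message) is the thing to fix. The following is an added example in Python, not the plugin's reporting: the log line format is constructed for this example (the plugin's real audit log format is not shown on this page), and `summarize_failures` and `flag_high_failure` are names assumed here.

```python
import re
from collections import Counter

# Constructed sample audit log lines; the format is an assumption for this example.
SAMPLE_AUDIT_LOG = """\
2025-11-03T09:12:01Z password_change user=alice result=rejected rule=min_length
2025-11-03T09:12:40Z password_change user=alice result=accepted
2025-11-03T10:05:13Z password_change user=bob result=rejected rule=special_char
2025-11-03T10:05:59Z password_change user=bob result=rejected rule=special_char
2025-11-03T10:06:30Z password_change user=bob result=accepted
2025-11-03T11:20:07Z password_change user=carol result=rejected rule=dictionary_word
2025-11-03T11:21:00Z password_change user=carol result=rejected rule=special_char
2025-11-03T11:22:15Z password_change user=carol result=accepted
2025-11-03T12:00:00Z password_change user=dave result=accepted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) password_change user=(?P<user>\S+) result=(?P<result>\w+)"
    r"(?: rule=(?P<rule>\w+))?$"
)


def summarize_failures(log_text: str) -> dict:
    """Count password-change attempts, rejections per rule, and users who hit a rejection."""
    attempts = 0
    rejected = Counter()
    users_failed = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore unrelated or malformed lines
        attempts += 1
        if m["result"] == "rejected":
            rejected[m["rule"]] += 1
            users_failed.add(m["user"])
    total_rejected = sum(rejected.values())
    return {
        "attempts": attempts,
        "rejected": total_rejected,
        "failure_rate": total_rejected / attempts if attempts else 0.0,
        "by_rule": dict(rejected),
        "users_with_failures": sorted(users_failed),
    }


def flag_high_failure(summary: dict, rate_threshold: float = 0.4) -> list:
    """Turn the summary into review notes: an overall rate above the threshold, and any
    single rule responsible for at least half of all rejections."""
    notes = []
    if summary["failure_rate"] > rate_threshold:
        notes.append(f"failure rate {summary['failure_rate']:.0%} exceeds {rate_threshold:.0%}: "
                     "review policy strictness or user guidance")
    for rule, n in summary["by_rule"].items():
        if summary["rejected"] and n / summary["rejected"] >= 0.5:
            notes.append(f"rule '{rule}' accounts for {n} of {summary['rejected']} rejections: "
                         "improve its error message and examples")
    return notes


if __name__ == "__main__":
    for note in flag_high_failure(summarize_failures(SAMPLE_AUDIT_LOG)):
        print(note)
```

In the constructed sample the special-character rule causes three of the five rejections, which is the signal to check whether the accepted character set is clearly shown in the error message before considering a policy change.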

Balance Security and Usability

Don’t make requirements so complex that users write passwords down. Find reasonable middle ground.

For Users

Creating Strong Passwords:

Good strategies:

✓ Use passphrases: “MyDog Loves2Run inPark!”

✓ Substitute characters: “@” for “a”, “3” for “e”

✓ Combine random words: “Purple-Elephant-47-Moon”

✓ Use password manager to generate

Bad strategies:

❌ Simple substitutions: “P@ssw0rd”

❌ Sequential characters: “Abcd1234!”

❌ Personal information: “JohnSmith1980”

❌ Common patterns: “Qwerty123!”

Troubleshooting

Users Cannot Meet Requirements

Solutions:

    • Provide password examples that work
    • Create step-by-step tutorial with screenshots
    • Offer password manager recommendations
    • Provide IT support hotline
    • Consider temporarily relaxing requirements

High Support Ticket Volume

Solutions:

    • Create comprehensive FAQ page
    • Record video tutorial
    • Send proactive educational emails
    • Extend grace period
    • Improve error messages with examples

Password Expiration Causing Lockouts

Solutions:

    • Increase warning period (21-30 days)
    • Send more frequent reminder emails
    • Extend grace period (14 days)
    • Allow self-service password reset
    • Improve notification email visibility