Password Complexity
This page describes the password complexity requirements in xAssets for database-authenticated users. Password complexity rules ensure that user passwords meet a minimum security standard, reducing the risk of brute-force attacks and credential compromise.
Note: Password complexity settings apply only to database authentication. If your organisation uses Single Sign-On (SSO) or Windows Authentication, password policies are managed by your identity provider or Active Directory, not by xAssets. See the Single Sign-On chapter for details.
Prerequisites
- Administrator access to xAssets
- Understanding of your organisation's password policy requirements
Default Password Requirements
xAssets enforces the following password requirements for database-authenticated users:
| Requirement | Default Value |
|---|---|
| Minimum length | 14 characters |
| Uppercase letters | At least one required |
| Lowercase letters | At least one required |
| Numeric digits | At least one required |
| Special characters | At least one required (e.g., !@#$%^&*()_+-=[]{} and similar) |
These requirements are enforced whenever a password is set or changed -- both by administrators setting passwords for users and by users changing their own passwords.
How Enforcement Works
Password complexity is checked at the following points:
- User creation -- when an administrator creates a new user with a database password.
- Password change by administrator -- when an administrator resets a user's password.
- Password change by user -- when a user changes their own password through the user interface.
- Password reset -- when a user resets their password via the email-based reset workflow (see Password Reset).
If the new password does not meet the complexity requirements, the system displays an error message specifying which requirements were not satisfied. The password is not changed until a compliant password is provided.
Configuring Password Complexity
Password complexity settings are managed through the xAssets settings:
- Navigate to Admin > Settings.
- Search for password-related settings.
- Adjust the values as needed for your organisation's security policy.
Tip: The 14-character minimum is in line with current guidance. Shorter passwords are significantly cheaper to crack by brute force or dictionary attack. Treat 14 as a floor rather than a target: longer passwords are harder to guess, and complexity rules alone do not prevent predictable choices such as a dictionary word with one capital letter and a trailing digit and symbol.
Password Strength Guidance for Users
When communicating password requirements to users, recommend the following approaches:
| Approach | Example | Notes |
|---|---|---|
| Passphrase | Correct-Horse-Battery-7! | Four or more words with separators and a number. Easy to remember, hard to crack; the strength comes mainly from the length. |
| Modified phrase | MyD0g$nameIsMax2024! | A sentence with character substitutions. Memorable and meets every rule, but substitutions such as 0 for o are well known to cracking tools, so rely on the length and word count rather than the substitutions. |
| Password manager | (generated by manager) | Random characters of 16+ length. Most secure but requires a password manager tool. |
Warning: Discourage users from using the same password for xAssets as for other systems. If one system is compromised, all systems sharing that password are at risk.
Common Password Rejection Reasons
When a user's password is rejected, the system indicates which requirements were not met:
| Error | Meaning | Fix |
|---|---|---|
| Password too short | Fewer than 14 characters | Add more characters to reach the minimum length |
| Missing uppercase letter | No uppercase letter (A-Z) found | Add at least one uppercase letter |
| Missing lowercase letter | No lowercase letter (a-z) found | Add at least one lowercase letter |
| Missing digit | No numeric digit (0-9) found | Add at least one number |
| Missing special character | No special character found | Add a symbol such as !, @, #, $, or % |
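The checker below is an added example, not xAssets code: it re-implements the documented defaults (14 or more characters, at least one uppercase letter, lowercase letter, digit and special character) and returns the rejection reasons worded as in the table above, so an administrator can test candidate passwords or a proposed minimum length offline before rolling it out. It also generates a random password that is guaranteed to satisfy the rules, as a password manager would. The exact set of special characters xAssets accepts is not stated on this page, so the example assumes that any character that is not a letter or digit counts as special; the sample passwords are the two from the guidance table plus constructed deficient ones.

```python
"""Illustrative checker for the documented xAssets password complexity rules.

Added example, not xAssets code. The rules mirror the defaults listed on
this page; the definition of "special character" (anything that is not a
letter or digit) is an assumption, since the page gives examples only.
"""
import secrets
import string

MIN_LENGTH = 14  # documented default minimum length


def unmet_requirements(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the rejection reasons (as worded in the table above) that apply.

    An empty list means the password satisfies every rule. All rules are
    evaluated so the user sees every problem at once, not just the first.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("Password too short")
    if not any(c.isupper() for c in password):
        reasons.append("Missing uppercase letter")
    if not any(c.islower() for c in password):
        reasons.append("Missing lowercase letter")
    if not any(c.isdigit() for c in password):
        reasons.append("Missing digit")
    # Assumption: any non-alphanumeric character counts as "special".
    if not any(not c.isalnum() for c in password):
        reasons.append("Missing special character")
    return reasons


def is_compliant(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True when no rule is violated for the given minimum length."""
    return not unmet_requirements(password, min_length)


def generate_compliant_password(length: int = 20) -> str:
    """Generate a random password that satisfies the documented rules.

    One character is drawn from each required class, the rest from the full
    alphabet, and the order is then shuffled with the OS CSPRNG so the
    positions of the guaranteed characters are not predictable.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    specials = "!@#$%^&*()_+-=[]{}"  # the examples listed in the requirements table
    alphabet = string.ascii_letters + string.digits + specials
    chars = [
        secrets.choice(string.ascii_uppercase),
        secrets.choice(string.ascii_lowercase),
        secrets.choice(string.digits),
        secrets.choice(specials),
    ]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs: the two passwords from the guidance table
    # plus deliberately deficient candidates.
    for candidate in [
        "Correct-Horse-Battery-7!",
        "MyD0g$nameIsMax2024!",
        "Tr0ub4dor&3",           # too short
        "alllowercase12345!",    # no uppercase letter
        "NoSpecialChar123",      # no special character
    ]:
        problems = unmet_requirements(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
    print("generated:", generate_compliant_password())
```

Because every rule is evaluated rather than stopping at the first failure, the returned list matches the behaviour described under How Enforcement Works, where the error names each unmet requirement. Passing a different `min_length` lets you see how the two sample passwords fare under a stricter policy before changing the setting in Admin > Settings.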
Password Expiry
Note: Modern security guidance (NIST SP 800-63B) recommends against forced periodic password changes, as they often lead to weaker passwords. Instead, focus on strong initial passwords, MFA, and requiring a password change only when a compromise is suspected.
Integration with Other Security Controls
Password complexity is one layer in a multi-layered security approach:
| Control | Purpose |
|---|---|
| Password complexity | Raises the cost of brute-force and dictionary attacks by ruling out short and single-class passwords |
| Multi-factor authentication | Adds a second factor beyond the password (see MFA) |
| Account lockout | Prevents repeated login attempts after consecutive failures |
| IP address lockdown | Restricts access by network location (see IP Address Lockdown) |
| User logon history | Monitors login patterns for anomalies (see User Logon History) |
Related Articles
- Password Reset -- email-based password reset workflow
- Users -- creating and managing user accounts
- Multi-factor Authentication -- adding MFA for additional security
- Securing the Web Server -- choosing authentication methods
- Settings -- where password settings are configured