Password policy - FAQs
As part of a companywide effort to enhance overall security, we are rolling out a new password policy, which will be implemented on Dec 10, 2022. You can proactively implement the new password policy before the due date. Whether or not you do so, the new password policy will be implemented on Dec 10, 2022.
We have compiled a list of questions and answers that are pertinent to this scenario.
1. Will the users be locked out if they are out of compliance?
Users will not be locked out if they are out of compliance. A user can still log in until they change their password themselves. At that point, the user will be prompted to enter a strong password until it meets all the required parameters.
2. Will the user account be locked if they do not reset their password and keep using SSO?
If you are using SSO, you can continue to use BMS. It will not ask for a new password.
3. If users are logged in via SSO, will they also be prompted for this reset and be unable to go anywhere else until it is done, as with the MFA enforcement?
No, they won't be.
4. Why are you enforcing the new password policy? Was there a security breach?
No, the password policy is being enforced as an enhanced security measure and as a deterrent against possible security breaches.
5. Why didn’t I receive any email notification on the new password policy?
An in-app notification informing all users of the upcoming change was shown to you if you signed into BMS between November 7, 2022 and December 5, 2022.
This was also communicated through the BMS monthly newsletter, which was sent around November 28th. However, only members subscribed to our marketing newsletter would have received this communication.
6. Can specific user(s) be excluded from this policy?
No, no users can be excluded from this policy.
7. Is this something that we need to activate and go through, or will this just happen on the 10th?
It is highly recommended that you act on your side. If you do not, the options will be enforced on Dec 10th, except for the password rotation option.
8. Will users get a password reset email on Dec 10th? Will this send a password reset to everyone or to those who are not in compliance with this update?
No, users will not get any password reset email on Dec 10th. If the admin of the system enables password rotation, a notification will be sent to everyone who did not change their password recently.
9. Can the recurrence rate of the notification to change the password be set by admins?
No, the recurrence rate of the notification to change the password cannot be set by admins.
10. Does the new password policy affect API users too?
Yes, it does.