Now Live: Mandatory Password Management Updates

Review informational webinar►
Join next week's Q&A forum►

As previously announced, we completed the release of several mandatory password management updates this week, October 12-13. As a reminder, these mandatory changes include:

1. Passwords cannot contain the user ID. 

2. Password reminders cannot contain the password.

3. New default values for password complexity*:

*NOTE: 

• We delayed the release that requires all users to reset their passwords every 90 days (Password Expiration field above). This will still be a future requirement. We'll provide an exact date closer to time but expect to release this requirement in February 2024. 
• Unless your selections already reflected the above values or a stricter option, your Login and Session Settings were updated to the selections pictured above (Tools tab > Manage Organization Properties). These settings are now the new minimums within each dropdown. 

#1 and #2: Password Regular Expression & Description

The Password Regular Expression field was removed and is now controlled by HealthStream, ensuring that all passwords:

• Are at least eight characters in length 
• Include a combination of uppercase & lowercase letters
• Contain at least one number
• Contain at least one symbol from this listing: !@#$%^&*()-

The Password Description field remains visible as a reminder of these requirements; however, you can no longer edit this field. NOTE: If your organization requires longer passwords and/or allows additional symbols, contact customer.service@healthstream.com to update your Password Expression and Description. 

#3 – #5: Password History Size, Login Lockout Attempts & Duration

Unless your selections already reflected the above values or a stricter option, your Login and Session Settings were updated to the selections pictured above (Tools tab > Manage Organization Properties). These settings are now the new minimums within each dropdown. Examples:

• Password History Size: 3 (password must be different from the last 3 passwords)
  You can choose 3, 4, or 5 for Password History Size, but we removed 1 and 2 as options.
   
• Login Lockout Attempts: 5 Failed Attempts (user is temporarily locked out after 5 failed attempts) 
  You can choose 5 or 3 Failed Attempts, but we removed No Lockout and 10 Failed Attempts as options.
   
• Login Lockout Duration: 5 Minutes (user is temporarily locked out for 5 minutes after exceeding the Login Lockout Attempts)
  All options remain available except No Lockout.

Impact on Existing Users with Passwords that No Longer Meet Requirements

Existing users with a password that doesn’t meet the new requirements above can continue logging in as normal. Going forward, when a(n) admin or student edits a password or password reminder, both fields must meet the new requirements in order to save. New on-screen messaging will ensure admins and students are both aware of the above complexity requirements when editing/saving a password. 

Impact on Import Processes

There is no immediate effect on import processes. For now, your organization's initial password doesn’t have to meet these new requirements. However, when users are prompted to change their password upon initial login, it must comply with the requirements above.

Impact on Single Sign-On (SSO | FSSO)

For users that access HealthStream via SSO or FSSO, there is no change to your existing processes and no action required on your part. However, the minimum requirements above do apply if admins or students bypass the SSO/FSSO process and log in with a HealthStream-specific user ID and password.