Introduction
Docebo’s password policy ensures maximum security to protect your platform's privacy. This article will outline how to manage your platform’s policy as a Superadmin.
Managing the password policy
As the Superadmin, you can apply a specific password policy to better fit your company's needs. Begin by accessing the Admin Menu by clicking on the gear icon in the top right corner of your platform. Then, press the Advanced Settings item in the Settings section. Once in the Advanced Settings menu, select the Password tab from the tab menu.
In the Options menu, choose whether to enforce each of the following options:
- Password must include both letters and numbers. Users will receive an error message if they try to create a password with only letters or numbers. Additionally, they will receive an error message if they use three consecutive letters or three consecutive numbers.
- Password must be different from the username. Users will receive an error message if they try to create a password that matches their usernames.
- Enable option in User Management to "Force users to change their password at their first login" by default upon user creation. Users who self-registered on the platform will be prompted to change their passwords after they first log into the platform.
- Password dictionary check. If you enable this option, the dictionary check prevents users from setting a password that is a common English word without any numbers or symbols (for example, "password"). This option applies to users and to Power Users with user management permissions, but does not apply to Superadmins when they edit users' passwords from User Management.
Use the corresponding text box to type in the minimum number of characters required for a valid password. The default minimum number of characters is 6, but this can be changed, as desired.
Type in the maximum number of days for which the password will be valid. When this value is set to 0 (zero), the password will be valid for an unlimited number of days.
Optionally, you can prevent users from reusing recent passwords with the Ask the user to choose a password different from the last X used passwords option (for example, a user cannot reuse any of the last three passwords they used). When this field has no value, the platform won’t perform any checks on previously used passwords. The accepted values for this option are 1 to 10.
Now, move to the Users tab of the Advanced Settings menu. Activate the Automatically Calculate Password option in the Options section to have the platform automatically generate a password for users upon creation. When this option is selected, passwords are automatically generated both for users created manually and for users created via API. The password will not be regenerated when users are updated.
Set the Maximum number of consecutively failed sign in attempts in the corresponding section. The default value for this parameter is 0 (zero), which allows your users an unlimited number of login attempts.
- For security reasons, it is strongly recommended to set a nonzero value in this field.
- When the maximum number of failed attempts is reached, all subsequent sign-in attempts will be blocked for 10 minutes. The block applies to the IP address from which the sign-in to the system was attempted.
Accessibility hint: Consider setting this parameter to 1 only when it is strictly necessary. Having no opportunity to retype the password more than one time can be a great disadvantage for some users. Learn more on accessibility in your platform.
Once a user is logged into the system, they always have the option to reset their passwords.
Please note! If you are creating users via API as the Superadmin, none of the configurations that you set in the Advanced Settings menu related to the password policy will be applied to the users created via API.
Changing a user’s password
As the Superadmin, you can manually change a user’s password from the User Management page in your platform. Access your platform as the Superadmin, then access the Admin Menu from the gear icon in the top right corner. Press the Users item in the E-Learning section.
Find the user in the list of users on the bottom half of this page, click the ellipsis menu at the end of the user’s row, then select the Edit item in the dropdown menu.
In the slide-out panel, type the new password into the corresponding text box, then retype it into the text field next to it. You need to confirm that all mandatory fields (marked with asterisks) are filled out as well. When you’re finished, press Update. The user must use the new password the next time they log into the platform.
Password restrictions
There are a few password restriction policies that are forcibly applied across all Docebo platforms. These policies cannot be changed. Passwords cannot contain:
- Only sequences or repeated characters (12345678, 22222222, abcdefg)
- Adjacent key placement (qwerty, asdfgh)
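Because the Advanced Settings password options are not applied to users created via API, passwords in an import file can be pre-checked before they are sent. The following Python is an added example, not Docebo's implementation: it checks the letters-and-numbers, username, minimum-length and dictionary options together with the fixed restrictions listed above. The word list, the QWERTY rows, the case-insensitive username comparison and all function names are assumptions.

```python
"""Pre-check passwords against the rules this article describes (added example)."""

# Assumption: constructed sample list; the platform's real dictionary is not shown here.
COMMON_WORDS = {"password", "welcome", "sunshine"}
# Assumption: US QWERTY rows stand in for "adjacent key placement".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def is_sequence(pw):
    """True when every character is one step above (or below) the previous one."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def is_repeated(pw):
    """True when the password is a single character repeated."""
    return len(pw) > 1 and len(set(pw)) == 1


def is_keyboard_run(pw):
    """True when the whole password is a left-to-right or right-to-left key run."""
    p = pw.lower()
    return len(p) > 1 and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password, username, min_length=6):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs letters and numbers")
    if password.lower() == username.lower():  # assumption: case-insensitive match
        problems.append("same as username")
    if password.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    if is_sequence(password) or is_repeated(password):
        problems.append("sequence or repeated characters")
    if is_keyboard_run(password):
        problems.append("adjacent keys")
    return problems


def audit_import(rows, min_length=6):
    """Map each username in (username, password) rows to its problems, if any."""
    report = {u: check_password(p, u, min_length) for u, p in rows}
    return {u: probs for u, probs in report.items() if probs}
```

Run audit_import over the (username, password) pairs of an import file and fix every reported entry before creating the users.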
Best practices
- To ensure your platform’s security, Docebo’s Help Desk team cannot change the password of Superadmins. As a Superadmin, you can change your password as any other user, as described in the dedicated article of the Knowledge Base.
- If multiple users share the same email address, the password reset email will be sent to only one of the users associated with the email address. To avoid this, make sure not to create multiple users in your platform using the same email address.