Password & PIN Utility
Overview
The Jenzabar SONIS Password & PIN Utility allows institutions to set rules and limits for the passwords and PINs that users create. The utility can be used to specify the required length of the password, the types of characters that must be included, and how long the same password can be used before it expires. Additionally, the utility can be used to create a list of forbidden phrases that cannot be used as part of a password. When configured correctly, the utility should ensure that all SONIS users have a secure PIN or password that is difficult to guess or crack. We recommend that system administrators keep up to date on the latest password standards and return to the utility to institute new requirements when these standards change.
In SONIS, passwords are used to log in to the Admin portal with accounts created via the User Security utility. PINs are used to log in to all other portals. While the acronym PIN stands for personal identification number, SONIS PINs can and should include letters, numbers, and special characters. If a setting is changed that makes a current user's PIN or password noncompliant, the user will be prompted to change their PIN/password the next time they log in.
New PIN Settings
Separate from the Password & PIN utility, but closely related, is a setting in Web Options that allows schools to choose how the initial PIN for each user added to the system is created.
Scroll down to the New PIN Setting option and choose one of the following:
No PIN - With this choice, users do not have PINs and log in with their IDs only. This is not recommended.
Random - With this choice, PINs are generated automatically to comply with the PIN rules. This is the most secure method.
Birthdate - With this choice, PINs are generated from the individual's birthdate in mmddyy format (e.g. 010396).

Regardless of the method chosen, users will be asked to create their own unique PIN when they log in for the first time.
Setting Requirements
As both sections of the Password & PIN utility are identical, only screenshots from the Password section will be used. All instructions relayed below apply to the PIN section as well.
Launch Page
To set password and PIN rules and restrictions, navigate to Password & PIN Utility in the Systems hub. Select Password to set the rules for admin accounts or PIN to set the rules for all other accounts.
Character Requirements
To begin, set the minimum number of characters required for each password with the Minimum Length field and the maximum number of characters allowed in a password with the Maximum Length field. SONIS allows a minimum of 6 characters and a maximum of 15, but the best practice is to use a minimum of 16 and a maximum of 30.


Next, set the Minimum Number of Special Characters (@%^&*=!?#~$+ etc.) and the Minimum Number of Numbers that must be included in each created password. It is recommended that all institutions require at least one of each.


Set a Minimum Number of Uppercase Letters and a Minimum Number of Lowercase Letters for each password. By most standards, a strong password should have at least one of each.


Change Requirements
The Number of Changes Before Reuse Permitted field controls when a user can recycle a previously used password. If the number is set to six, for example, the user would be required to create six unique passwords before reusing a previous password. Recommended best practice is a minimum of six unique passwords.

The Password Expiration Warning Days field sets the number of days before expiration that the user will be warned of their pending password expiration when they log into the system.

Use the Password Expiration Days field to set the number of days between when a password is created and when it expires. Generally, this number should be large enough to not be overly burdensome to the users but not so large that passwords stay in service for very long periods of time.

User Instruction
The requirements set in the previous steps automatically appear on the page when a SONIS user is prompted to change their password. The optional User Instructions and Admin User Instructions fields are used to display any additional text that the user will see when creating a new password. As the field names suggest, the Admin User Instructions appear for Admin portal users and describe the password rules or issues, while the User Instructions are for users of the other portals and describe the PIN rules. The fields accept basic HTML tags.


Click Submit to save the requirements and instructions.

These instructions appear when the user is prompted to create a new password.


The instructions also appear on the User IDs page.

In addition to the password requirements and the user instructions, red error text appears on the screen when a user enters a password that does not meet the requirements. The text specifies which requirement has not been met.

Forbidden Phrases
To create a list of words and phrases that cannot be used when creating PINs and passwords, click the Forbidden Phrases button.

On the following page, click Add to add restricted words and phrases.

On the following page, type the forbidden word or phrase in the Forbidden Phrase field and check the Password and/or PIN box to set which set of users the restriction applies to. These forbidden phrases should typically be words or phrases that would be easy for an attacker to guess. They can be general (common across the public at large) or specific to the home institution, such as the school's name or mascot. System administrators may wish to consult a list of commonly used passwords when constructing this list.


Click the Submit button to save the forbidden phrase.

Once forbidden phrases have been created, they will be displayed in a list on the Forbidden Phrase landing page. Check or uncheck the Password or PIN box to change where the rule applies. Check the Delete box to remove the phrase altogether. Click Submit to save the change.

Note that the Forbidden Phrases list only applies to password creation and does not prevent these words and phrases from being used elsewhere in the system.
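To show how the character requirements, reuse limit and forbidden phrases described above combine, here is an added example (not SONIS code; the page does not show SONIS's own validation) that checks a candidate password against a policy and names each rule it fails, the way the red error text does. The policy defaults, treating ASCII punctuation as the special characters, and the case-insensitive substring match for forbidden phrases are assumptions.

```python
# Added example (not SONIS code): names each failed rule, like the portal's red error text.
from dataclasses import dataclass, field
import string

@dataclass
class Policy:
    # Defaults follow the best-practice values recommended on this page.
    min_length: int = 16
    max_length: int = 30
    min_special: int = 1
    min_digits: int = 1
    min_upper: int = 1
    min_lower: int = 1
    changes_before_reuse: int = 6
    forbidden_phrases: list = field(default_factory=list)

# Assumption: "special character" means any ASCII punctuation symbol.
SPECIAL = set(string.punctuation)

def unmet_requirements(candidate, policy, history=()):
    """Return the names of the requirements the candidate fails ([] = compliant).
    `history` lists previous passwords, most recent first; only the most recent
    `changes_before_reuse` entries block reuse (Number of Changes Before Reuse)."""
    counts = {
        "Minimum Number of Special Characters": sum(c in SPECIAL for c in candidate),
        "Minimum Number of Numbers": sum(c.isdigit() for c in candidate),
        "Minimum Number of Uppercase Letters": sum(c.isupper() for c in candidate),
        "Minimum Number of Lowercase Letters": sum(c.islower() for c in candidate),
    }
    minimums = [policy.min_special, policy.min_digits, policy.min_upper, policy.min_lower]
    errors = []
    if len(candidate) < policy.min_length:
        errors.append("Minimum Length")
    if len(candidate) > policy.max_length:
        errors.append("Maximum Length")
    for (name, have), need in zip(counts.items(), minimums):
        if have < need:
            errors.append(name)
    # Forbidden phrases are matched case-insensitively as substrings.
    lowered = candidate.lower()
    for phrase in policy.forbidden_phrases:
        if phrase.lower() in lowered:
            errors.append(f"Forbidden Phrase ({phrase})")
            break
    if candidate in list(history)[:policy.changes_before_reuse]:
        errors.append("Number of Changes Before Reuse Permitted")
    return errors
```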
Hosted Client Requirements
Jenzabar SONIS Hosted Services has created a minimum PIN/password settings guideline. This guideline is designed to protect sensitive data and must be adhered to by all hosted clients. Clients can enact stricter requirements if desired, but their requirements must be at or above this threshold.

Timed Task
In order for passwords and PINs to expire, a timed task must be created to trigger these expirations. To begin, navigate to the Timed Task Scheduler in the Systems hub and click Add.

Select PIN/Password Expiration from the Task Name dropdown menu.

Next, set how often the task will run using the Frequency menu. The task should run at least daily and can be run more frequently if needed.

Set a Start Date and Start Time for the task. The End Date and End Time are optional and should not be used for this task in most cases.


Click Submit to save the changes and create the timed task.
