1. Authentication

Configuring custom password security

Overview

The enhanced password security feature provides granular control over password requirements. This guide covers:

  • Configuration options
  • Implementation steps
  • Security considerations

Password requirements

Minimum requirements

Effective June 1, 2021:

  • 10 character minimum length
  • One uppercase character (A-Z)
  • One lowercase character (a-z)
  • One digit (0-9)
  • 10 failed attempts before 2-minute lockout

Custom configuration options

Custom requirements must include:

  1. Minimum length: 10 characters
  2. Three of the following:
    • Uppercase character (A-Z)
    • Lowercase character (a-z)
    • Digit (0-9)
    • Special character (!@#$%^&*)

Default lockout policy:

  • 10 failed attempts
  • 2-minute lockout period

Configuration properties

The security profile PasswordConfig object includes:

Basic requirements

  • MinimumCharacterCount (int): Password length
  • NumericRequired (bool): Digit requirement
  • SpecialCharacterRequired (bool): Special character requirement
  • LowerCaseRequired (bool): Lowercase requirement
  • UpperCaseRequired (bool): Uppercase requirement

Security controls

  • AllowedFailedAttempts (int?): Attempts before lockout (1-9)
  • LockoutDuration (int?): Lockout minutes (10-1440)
  • Manual unlock endpoints:
    • POST v1/buyers/{buyerID}/users/{userID}/unlock
    • POST v1/adminusers/{userID}/unlock
    • POST v1/suppliers/{supplierID}/users/{userID}/unlock

Password management

  • MaximumPasswordAge (int?): Days until required change (1-365)
  • MinimumPasswordAge (int?): Minutes between changes (0-60)
  • LimitPasswordReuse (int?): Previous password block count
  • MaxConsecutiveDupeChars (int?): Repeating character limit (0-24)

Implementation example

Security profile creation

```http
POST v1/securityprofiles HTTP/1.1
Content-Type: application/json

{
  "ID": "password-config",
  "Name": "Password Config Profile",
  "Roles": [],
  "CustomRoles": [],
  "PasswordConfig": {
    "MinimumCharacterCount": 10,
    "NumericRequired": true,
    "UpperCaseRequired": true,
    "SpecialCharacterRequired": true
  }
}
```

Error handling

Authentication error response:

```json
{
  "error": "invalid_grant",
  "error_description": "Password does not meet security requirements.",
  "Errors": [
    {
      "ErrorCode": "PasswordReset.InsecurePassword",
      "Message": "Password does not meet security requirements.",
      "Data": {
        "MinimumCharacterCount": 10,
        "UpperCaseRequired": true,
        "SpecialCharacterRequired": true,
        "NumericRequired": true
      }
    }
  ]
}
```

Implementation notes:

  1. Display requirements to users
  2. Direct to password reset flow
  3. Handle reset verification errors
  4. Support multiple profile configurations

Profile management

Configuration options

  1. Dedicated profile:
    • No roles assigned
    • Organization-wide assignment
    • Password configuration only
  2. Integrated profile:
    • Update existing profiles
    • Use PATCH v1/securityprofiles/{securityprofileID}
    • Combine roles and password rules

Multiple profile handling

Example profile configurations:

SecurityProfile1:

```json
{
  "PasswordConfig": {
    "MinimumCharacterCount": 10,
    "MaxConsecutiveDupeChars": 1
  }
}
```

SecurityProfile2:

```json
{
  "PasswordConfig": {
    "MinimumCharacterCount": 12,
    "MaxConsecutiveDupeChars": 3
  }
}
```

Combined result (most restrictive):

```json
{
  "PasswordConfig": {
    "MinimumCharacterCount": 12,
    "MaxConsecutiveDupeChars": 1
  }
}
```

Implementation considerations

  1. Default requirements:
    • Platform minimums override weaker settings
    • Automatic enforcement after June 1, 2021
  2. Multiple profiles:
    • Configurations combine automatically
    • Strictest rules apply
    • Consider organizational impact
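As an added example (not part of this documentation or the platform's own code), the Python below merges PasswordConfig fragments the way the "most restrictive" rule above describes and then checks a candidate password against the merged result, covering the multiple-profile section and the considerations list. The combine_profiles and password_violations functions, the sample profiles, and the reading of MaxConsecutiveDupeChars (a value of N allows a run of N+1 identical characters) are assumptions made for this example.

```python
import re

SPECIAL_CHARS = set("!@#$%^&*")  # special-character set listed in the requirements

# Constructed PasswordConfig fragments mirroring the two-profile example above
# (profile 2 additionally switches on two boolean requirements).
PROFILE_1 = {"MinimumCharacterCount": 10, "MaxConsecutiveDupeChars": 1}
PROFILE_2 = {"MinimumCharacterCount": 12, "MaxConsecutiveDupeChars": 3,
             "NumericRequired": True, "SpecialCharacterRequired": True}


def combine_profiles(*configs):
    """Merge PasswordConfig dicts, keeping the strictest value of each property."""
    merged = {}
    for cfg in configs:
        for key, value in cfg.items():
            if key not in merged:
                merged[key] = value
            elif key == "MaxConsecutiveDupeChars":  # fewer repeats allowed is stricter
                merged[key] = min(merged[key], value)
            elif isinstance(value, bool):           # any profile requiring it wins
                merged[key] = merged[key] or value
            else:                                   # counts such as MinimumCharacterCount
                merged[key] = max(merged[key], value)
    return merged


def longest_run(s):
    """Length of the longest run of one repeated character in s (0 for empty)."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def password_violations(password, cfg):
    """Return the PasswordConfig property names the password fails (empty list = OK).
    Assumption: MaxConsecutiveDupeChars = N allows at most N+1 identical chars in a row."""
    v = []
    if len(password) < cfg.get("MinimumCharacterCount", 10):  # 10 is the platform minimum
        v.append("MinimumCharacterCount")
    if cfg.get("UpperCaseRequired") and not re.search(r"[A-Z]", password):
        v.append("UpperCaseRequired")
    if cfg.get("LowerCaseRequired") and not re.search(r"[a-z]", password):
        v.append("LowerCaseRequired")
    if cfg.get("NumericRequired") and not re.search(r"[0-9]", password):
        v.append("NumericRequired")
    if cfg.get("SpecialCharacterRequired") and not (SPECIAL_CHARS & set(password)):
        v.append("SpecialCharacterRequired")
    limit = cfg.get("MaxConsecutiveDupeChars")
    if limit is not None and longest_run(password) > limit + 1:
        v.append("MaxConsecutiveDupeChars")
    return v
```

Client code can map the returned property names onto the Data block of a PasswordReset.InsecurePassword error to show users exactly which rule failed before the reset request is sent.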