Password Policy
Password policies help you define the structure and complexity of passwords to be used by an organization. The policy is created in such a way that the users are directed to create more secure passwords which safeguard the integrity of data from unauthorized access.
Below guidelines will allow you to create a strong password.
- A strong password must be at least 8 characters long.
- It should not contain any of your personal information - specifically your real name, user name, or even your company name.
- It must be very unique from your previously used passwords.
- It should not contain any word spelled
- It should contain characters from the four primary categories, including uppercase letters, lowercase letters, numbers, and characters.
The following password standards are used by default, for all user/administrator
passwords within the OrangeHRM application.
Settings | Default |
Password Strength Calculation | Medium |
Minimum Number of Characters | 8 |
Password Expire After | 90 days |
Account lockout Threshold | 10 attempts |
Captcha Threshold | 3 attempts |
Account Unlock Period | 1 hour |
Note – Should your organization require you to use a simplified password, you may do so with a written request by the authorized signatory to amend the password policy above.
Password Strength Calculation Logic
The password strength is calculated by considering how much time it would computationally take to identify the password. The following table shows how the strength of a password is defined based on the time it takes to break the password.
Password Strength Color Codes
Within the system, when a user changes a password or adds a new password, the following color codes are shown to indicate the strength of the password.
The below image indicates guidelines when a user is creating the password.
Recommendations related to the password appear below the Strength validation. The help text is shown to assist the user in creating strong passwords. In the case above, the recommendation is "For a Strong Password, Please use a hard-to-guess combination of text with Upper and Lower case characters, symbols, and numbers.”
Password Examples
The following matrix shows some password examples and their strength levels. Using symbols, numbers, uncommon text, and a higher number of characters increases the password strength. Using common words or names with minor changes to letters being replaced by characters decreases password strength.
Password Type | Description |
Strongest |
A lengthy combination of more than 8 characters consisting of upper case, lower case, symbols, and numerical values, and also does not include any common words or capital / simple letter combinations. Ex: DP55W%u?tC!ftB& |
Strong |
A text combination of 8 or more characters that are required to include at least one upper case, lower case, symbol, and numerical value. This cannot include any word associations such as "Rvnn1ng = running, JvmP1ng =jumping, etc". Ex: bNq8y;aj |
Medium |
The 'Medium' password type Contains common words or names (Examples of common words: Jumping, running, bottle, etc. Examples of name: Peter, Ann, Texas, etc.) with a text combination that has more symbols and numerical values than the 'Better' password type. Ex: Tr0ub4dour&3 |
Better |
The 'Better' password type contains a common word/name (Examples of common words: Jumping, running, bottle, etc. Examples name: Peter, Ann, Texas, etc.)with a text combination that has slightly more symbols and numerical values than the 'Weak' password type. Ex: David@ffs |
Weak |
The 'Weak' password type contains a common word/name(Examples of common words: Jumping, running, bottle, etc. Examples name: Peter, Ann, Texas, etc.) with a text combination that has a very small amount of symbols and numerical values. Ex: qwertyui3h |
Very Weak |
The 'Very Weak' password type contains a simple common word/name (Examples of common words: Jumping, running, bottle, etc. Examples name: Peter, Ann, Texas, etc.) which has no upper case, lower case, symbols, or any numerical values. Ex: qwertyuiop |
Special Note: Make sure the "Enforce Required password strength" is set to Medium or higher level. If it is not set for the required level please contact goldsupport@orangehrm.com.
Current password strength calculation logic considers how much time it would take to crack the password when deciding the password strength.
Even if it meets all the requirements mentioned above, if the password represents a simple common word that contains some letters replaced by the names of the symbols, decreases the strength of the password.
Ex: P@$$w0rd123, Te$st02!
The "P@$$w0rd123" is a guessable word, as the word "Password" is quite common even though it contains symbols.
The system would identify such instances and would prompt an inline validation message as: "Your password meets the minimum requirements, but it could be guessable. Try a different password."