Password Requirements
For the Thru Portal & Machine User Passwords:
With MFA:
- Require a minimum of 8 characters.
- Allow any password not known to be breached.
- Allow passwords of at least 64 characters (longer is better).
Without MFA:
- Require a minimum of 12 characters (this applies to machine users, as they cannot enable MFA).
- Allow any password not known to be breached.
- Allow passwords of at least 64 characters (longer is better).
Breach DB check: the password must not be found in the breach database. This applies to all portal and machine users.
- The string 'Thru' cannot be included in your password.
- The customer instance name cannot be included in your password.
- Your username cannot be included in your password.
- Your password cannot contain 3 repeating characters.
- Your password cannot contain 3 consecutive characters.
- Users can create passwords up to 256 characters in length.
- All ASCII/Unicode characters are allowed, including emojis and spaces.
- Stored passwords are hashed and salted, and never truncated.
- Prospective passwords are compared against password breach databases and rejected if there is a match.
- Passwords do not expire.
- Users are allowed 10 failed password attempts before being locked out of the service.
- Passwords do not have hints.
- Complexity rules, such as requiring special characters, numbers or uppercase letters, are not enforced.
- Sequential passwords are permitted in Thru as long as they do not fail the requirements above.
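The rules above are easiest to reason about when written out as a single validation routine. The following is an added example and is not Thru's own code; it assumes that substring checks for 'Thru', the instance name and the username are case-insensitive, that "3 repeating characters" means the same character three times in a row, that "3 consecutive characters" means three characters stepping by exactly +1 or -1 in code point (such as "abc" or "321"), that length is counted in Unicode code points, and that the breach lookup is an injected callable (here backed by a small constructed set standing in for a real breach corpus).

```python
from typing import Callable, List

# Constructed stand-in for a breach corpus. A real deployment would query a
# breach database (for example the Have I Been Pwned range API) instead.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LEN_WITH_MFA = 8      # from the page: 8 minimum with MFA
MIN_LEN_WITHOUT_MFA = 12  # from the page: 12 minimum without MFA
MAX_LEN = 256             # from the page: up to 256 characters


def has_repeating_run(pw: str, run: int = 3) -> bool:
    """True if any character appears `run` times in a row, e.g. 'aaa'."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def has_consecutive_run(pw: str, run: int = 3) -> bool:
    """True if `run` characters step by exactly +1 or -1 in code point,
    e.g. 'abc', '123' or 'cba'. This is an assumed reading of 'consecutive'."""
    for i in range(len(pw) - run + 1):
        window = [ord(c) for c in pw[i:i + run]]
        deltas = {b - a for a, b in zip(window, window[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def validate_password(
    pw: str,
    username: str,
    instance_name: str,
    mfa_enabled: bool,
    is_breached: Callable[[str], bool] = lambda p: p in BREACHED,
) -> List[str]:
    """Return a list of rule violations; an empty list means the password is acceptable.
    The password is never truncated or normalised before checking."""
    problems: List[str] = []
    min_len = MIN_LEN_WITH_MFA if mfa_enabled else MIN_LEN_WITHOUT_MFA

    # Length is measured in code points, so emoji and spaces count as characters.
    if len(pw) < min_len:
        problems.append(f"must be at least {min_len} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"must be at most {MAX_LEN} characters")

    lowered = pw.lower()  # case-insensitive substring checks (assumption)
    if "thru" in lowered:
        problems.append("cannot contain 'Thru'")
    if instance_name and instance_name.lower() in lowered:
        problems.append("cannot contain the instance name")
    if username and username.lower() in lowered:
        problems.append("cannot contain the username")

    if has_repeating_run(pw):
        problems.append("cannot contain 3 repeating characters")
    if has_consecutive_run(pw):
        problems.append("cannot contain 3 consecutive characters")

    # Breach check applies to every portal and machine user regardless of MFA.
    if is_breached(pw):
        problems.append("found in breach database")
    return problems


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Thru123!", "password"):
        print(repr(candidate), validate_password(candidate, "alice", "acme", mfa_enabled=True))
```

Note that there is deliberately no complexity scoring: a long passphrase of lowercase words passes, while a short password that merely mixes symbols and digits does not, which matches the page's position that complexity rules are not enforced but minimum length and breach checks are.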
You probably notice that some of these recommendations represent a departure from previous assumptions and standards.
For example, NIST has removed complexity requirements like special characters in passwords; this change was made in part because users find ways to circumvent stringent complexity requirements.
Instead of struggling to remember complex passwords and risking getting locked out, they may write their passwords down and leave them near physical computers or servers.
Or they simply recycle old passwords based on dictionary words by making minimal changes during password creation, such as incrementing a number at the end.
For portal users, if the wrong credentials are provided they will be locked out and eventually banned.
The number of attempts and lockout durations are as follows:
- The first 2 failed attempts have no built-in delay.
- 3 failed attempts: 1 minute lockout.
- 4 failed attempts: 2 minute lockout.
- 5 failed attempts: 3 minute lockout.
- 6 failed attempts: 4 minute lockout.
- 7 failed attempts: 5 minute lockout.
- 8 failed attempts: 6 minute lockout.
- 9 failed attempts: 7 minute lockout.
- 10 failed attempts: the user receives the error message “Too many failed login attempts. Account Disabled”.
The user is then banned from access; an instance administrator can unban the user or let the ban time run out.
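The escalating schedule above is a small state machine per account: a counter of consecutive failures, a lockout deadline, and a banned flag. The following is an added example, not Thru's own implementation, showing one way to model it. It assumes that attempts made while an account is locked are rejected without evaluating the credentials and do not advance the counter, that a successful login resets the counter, and, since the page does not state how long a ban lasts, that the ban is lifted only by an administrator (an automatic expiry would be a one-line extension).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Lockout applied after the Nth consecutive failure, in minutes (the page's schedule).
# Failures 1 and 2 carry no delay; failure 10 disables the account.
LOCKOUT_MINUTES = {3: 1, 4: 2, 5: 3, 6: 4, 7: 5, 8: 6, 9: 7}
BAN_AT = 10
DISABLED_MSG = "Too many failed login attempts. Account Disabled"


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None
    banned: bool = False


class LoginThrottle:
    """Tracks consecutive failed logins per user and enforces the lockout schedule."""

    def __init__(self) -> None:
        # In-memory for the example; a real service persists this so that
        # restarts or multiple nodes cannot reset the counter.
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def attempt(self, user: str, credentials_ok: bool, now: Optional[datetime] = None) -> str:
        """Record one login attempt and return a short outcome string."""
        now = now or datetime.now(timezone.utc)
        s = self._state(user)

        if s.banned:
            return DISABLED_MSG
        if s.locked_until is not None and now < s.locked_until:
            # Still inside a lockout window: reject without touching the counter.
            return f"locked; retry after {s.locked_until.isoformat()}"

        if credentials_ok:
            s.failures = 0
            s.locked_until = None
            return "ok"

        s.failures += 1
        if s.failures >= BAN_AT:
            s.banned = True
            return DISABLED_MSG
        minutes = LOCKOUT_MINUTES.get(s.failures, 0)
        if minutes:
            s.locked_until = now + timedelta(minutes=minutes)
            return f"locked for {minutes} minute(s)"
        return "invalid credentials"

    def admin_unban(self, user: str) -> None:
        """Instance administrator action: clear the ban and the failure counter."""
        s = self._state(user)
        s.banned = False
        s.failures = 0
        s.locked_until = None

    def is_banned(self, user: str) -> bool:
        return self._state(user).banned


if __name__ == "__main__":
    t = LoginThrottle()
    clock = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for n in range(1, 11):
        print(n, t.attempt("alice", False, clock))
        clock += timedelta(minutes=10)  # step past each lockout window
    t.admin_unban("alice")
    print("after unban:", t.attempt("alice", True, clock))
```

Because the counter only resets on a successful login, a slow attacker who waits out each lockout still reaches the tenth failure and the disable, which is the property the schedule is meant to provide; the per-attempt delay is what makes the first nine attempts expensive to spend.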