Skip to main content
Skip table of contents

Password Requirements

For the Thru Portal & Machine User Passwords:

  • with MFA:

    • require 8 minimum characters

    • allow any password not known to be breached

    • at least 64 characters, more is better

  • without MFA:

    • require 12 minimum characters

    • allow any password not known to be breached

    • at least 64 characters, more is better

The string 'Thru' cannot be included in your password.

Customer instance name cannot be included in your password.

"Your username cannot be included in your password.",

"Your password cannot contain 3 repeating characters."

"Your password cannot contain 3 consecutive characters."

Users can create passwords up to 256 characters in length.

All ASCII/Unicode characters are allowed, including emojis and spaces.

Stored passwords are hashed and salted, and never truncated.

Prospective passwords are compared against password breach databases and rejected if there’s a match.

Passwords do not expire.

Users are allowed 10 failed password attempts before being locked out of the service.

Passwords do not have hints.

Complexity requirements — like requiring special characters, numbers or uppercase letters — are not required.

You probably notice that some of these recommendations represent a departure from previous assumptions and standards.

For example, NIST has removed complexity requirements like special characters in passwords; this change was made in part because users find ways to circumvent stringent complexity requirements.

Instead of struggling to remember complex passwords and risking getting locked out, they may write their passwords down and leave them near physical computers or servers.

Or they simply recycle old passwords based on dictionary words by making minimal changes during password creation, such as incrementing a number at the end.

For portal users if the wrong credentials are provided they will be locked out and eventually banned.

Please see the amount of attempts and time duration below.

First 2 failed attempts have no built in delay

  • 3 attempts, 1 minute lockout.

  • 4 attempts, 2 minute lockout.

  • 5 attempts, 3 minute lockout

  • 6 attempts, 4 minute lockout

  • 7 attempts, 5 minute lockout

  • 8 attempts, 6 minute lockout

  • 9 attempts, 7 minute lockout


10 attempts, the user will receive an error message “Too many failed login attempts. Account Disabled”.


The user is then banned from access, an instance administrator can unban the user or let the ban time run out.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.