Enforcing restrictions on passwords
By default, the password management policy uses workflow to enforce Health Insurance Portability and Accountability Act (HIPAA) rules for new passwords. You can use the default restrictions, add restrictions, or disable the default restrictions and use your own.
The HIPAA rules include the following restrictions:
- Blank passwords are not allowed.
- The password cannot match the login name.
- The user cannot use the old password when changing the password.
- The password cannot be a dictionary word, which is achieved by the following rules:
- Must be a minimum of eight alphanumeric characters
- Must include at least one uppercase alphabetic character
- Must include at least one lowercase alphabetic character
- Must include at least one non-alphanumeric (special) character
Other restrictions include the following:
- The administrator must be able to change the password at any time.
- Users (except for the administrator and the password's user) cannot change the password. This is accomplished through the Dynamic Group Access field (ID 60988) on the User form.
- The account is disabled if the user does not change the password after the number of days specified in the Days after force change until disablement field in the User Password Management Configuration form.
For more information, see: