PASSWORDPOLICY - Detailed description

Overview

Parameter: PASSWORDPOLICY
Category: Login
Default value: All
Product: eTASK.Login


What does this parameter do?

PASSWORDPOLICY defines the complexity requirements for passwords that users must meet when creating or changing their password in the eTASK FM portal. The parameter specifies whether passwords must contain numbers, uppercase and lowercase letters, special characters, or combinations thereof. These rules apply only to passwords managed locally in the portal, not to domain logins.


What is this parameter used for?

  • Increase password security: Enforces the use of complex passwords with different character types

  • Meet compliance requirements: Enables the implementation of corporate or industry guidelines for password strength

  • Hinder brute-force attacks: More complex passwords are harder to guess or crack via automated attacks

  • User guidance: Shows users which requirements must be met when creating a password

  • Flexible security levels: Allows security requirements to be tailored to the organization’s risk assessment


Technical Details (for Administrators)

Format: Comma-separated list of rules
Default value: All

Valid values:

  • Digit = Password must contain at least one number (0-9)

  • UpperCase = Password must contain at least one uppercase letter (A-Z)

  • LowerCase = Password must contain at least one lowercase letter (a-z)

  • MixedCase = Password must contain at least one uppercase and at least one lowercase letter (short form for UpperCase,LowerCase)

  • SpecialChar = Password must contain at least one special character (!§$%&/()=?*_:;-#+{}[])

  • All = Password must comply with all of the above rules (short form for Digit,UpperCase,LowerCase,SpecialChar)

Important notes:

  • Multiple rules can be combined by separating them with commas (e.g. Digit,UpperCase,LowerCase)

  • The order of the rules does not matter

  • Case sensitivity must be observed for rule names

  • The rules apply only to locally managed passwords, not to Active Directory logins

  • Invalid rule names are ignored

Interaction with other parameters:

  • PASSWORDMINLENGTH: Defines the minimum password length (default: 8 characters)

  • PASSWORDMAXLENGTH: Defines the maximum password length (default: 24 characters)

  • PASSWORDINVALIDCHARS: Defines prohibited characters in passwords

  • PASSWORDHISTORYLENGTH: Prevents the reuse of old passwords

  • PASSWORDEXPIRATIONPERIODMONTH: Enforces regular password changes
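The rule syntax described above (comma-separated list, the MixedCase and All short forms, order-insensitive and case-sensitive rule names, unknown names ignored) together with the length and invalid-character parameters it interacts with, as an added Python example. This is not code from eTASK or from this documentation: the character classes come from the rule definitions above, the defaults 8 and 24 from the parameter list, and the function names, the invalid-character set and the sample passwords are the example's own assumptions.

```python
"""Illustrative checker for an eTASK-style PASSWORDPOLICY value (added example, not product code)."""

# Short forms expand to the base rules they stand for (from the "Valid values" list).
SHORT_FORMS = {
    "MixedCase": {"UpperCase", "LowerCase"},
    "All": {"Digit", "UpperCase", "LowerCase", "SpecialChar"},
}

# Special-character set as listed in the SpecialChar rule definition.
SPECIAL_CHARS = "!§$%&/()=?*_:;-#+{}[]"

# One predicate per base rule; ASCII ranges match the (0-9), (A-Z), (a-z) wording.
RULE_CHECKS = {
    "Digit": lambda pw: any("0" <= c <= "9" for c in pw),
    "UpperCase": lambda pw: any("A" <= c <= "Z" for c in pw),
    "LowerCase": lambda pw: any("a" <= c <= "z" for c in pw),
    "SpecialChar": lambda pw: any(c in SPECIAL_CHARS for c in pw),
}


def expand_policy(value: str) -> set:
    """Parse a PASSWORDPOLICY value into the set of base rules it enforces.

    Order does not matter, names are case-sensitive, and anything that is
    neither a base rule nor a short form is silently ignored (e.g. "digit").
    """
    rules = set()
    for name in value.split(","):
        name = name.strip()
        if name in SHORT_FORMS:
            rules |= SHORT_FORMS[name]
        elif name in RULE_CHECKS:
            rules.add(name)
    return rules


def check_password(pw: str, policy: str = "All", min_length: int = 8,
                   max_length: int = 24, invalid_chars: str = "") -> list:
    """Return the list of violated requirements; an empty list means the password is accepted.

    min_length / max_length / invalid_chars stand for PASSWORDMINLENGTH,
    PASSWORDMAXLENGTH and PASSWORDINVALIDCHARS (assumed mapping for this example).
    """
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than PASSWORDMINLENGTH={min_length}")
    if len(pw) > max_length:
        failures.append(f"longer than PASSWORDMAXLENGTH={max_length}")
    bad = sorted({c for c in pw if c in invalid_chars})
    if bad:
        failures.append("contains PASSWORDINVALIDCHARS: " + "".join(bad))
    # Sorted so the feedback shown to the user is deterministic.
    for rule in sorted(expand_policy(policy)):
        if not RULE_CHECKS[rule](pw):
            failures.append(f"missing {rule}")
    return failures


if __name__ == "__main__":
    # Constructed sample passwords, checked against the default and a relaxed policy.
    for pw, policy in [("Facility2026", "All"), ("Facility2026", "Digit,MixedCase"),
                       ("Password1!", "All")]:
        result = check_password(pw, policy, min_length=12)
        print(f"{pw!r} under {policy}: {'accepted' if not result else ', '.join(result)}")
```

The checker deliberately reports every unmet requirement rather than stopping at the first one, which is the kind of feedback the portal shows users when a password is rejected. Note that a password such as "Password1!" satisfies All and still fails only on length when PASSWORDMINLENGTH is raised to 12, which is why the page recommends combining complexity rules with a minimum length.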


When should you change this value?

Leave the value All (default value) if:

  • The highest security requirements are desired

  • Compliance requirements mandate all character types

  • Sensitive data is managed in the system

  • There are no specific reasons to relax the settings

  • The default setting complies with company policies

Set the value to a combination of rules (e.g., Digit,MixedCase) if:

  • Special characters cause problems during input (e.g., international keyboards)

  • A moderate security level is sufficient

  • User acceptance needs to be increased through simpler rules

  • Specific company policies require other combinations

Set the value to a single rule (e.g., Digit) if:

  • Minimal complexity requirements are sufficient

  • Internal test or development environments are in use

  • Users rely exclusively on other security mechanisms (e.g., multi-factor authentication)


Important notes

  1. For local passwords only
    This password policy applies exclusively to users who log in with passwords managed locally in the eTASK FM portal. Domain logins via Active Directory are subject to Active Directory policies and are not affected by this parameter.

  2. User feedback during password creation
    When creating or changing a password, the system automatically displays the requirements that must be met. Users receive clear feedback if their password does not meet the requirements.

  3. Combination with password length
    The complexity rules work in conjunction with the PASSWORDMINLENGTH and PASSWORDMAXLENGTH parameters. A very short password can be insecure even with the highest complexity. A minimum length of 8–12 characters is recommended in combination with the rule All.

  4. Special characters can cause problems
    For international users or mobile devices, entering special characters can be difficult. In such cases, consider the rule Digit,MixedCase instead of All.

  5. Changes apply only to new passwords
    Existing passwords are not automatically checked against the new rules. The new rules are applied only when users next change their password.


Security

Does changing this parameter affect security?

Yes, this setting has a direct and significant impact on system security.

Positive aspects:

  • Strong password policies (e.g., All) significantly increase security and make brute-force attacks more difficult

  • Combining different character types makes passwords harder to guess

  • Protection against simple, commonly used passwords (e.g., "password," "12345678")

  • Compliance with security standards and data protection guidelines (e.g., ISO 27001, GDPR)

Note:

  • Settings that are too lax (e.g., only Digit) offer only minimal protection and can lead to security vulnerabilities

  • Settings that are too strict may prompt users to write down passwords or use predictable patterns (e.g., "Password1!")

  • Password strength also depends on length—short passwords remain insecure even when all rules are followed

  • Only local passwords are affected – domain users are subject to different policies

Data protection assessment:

  • Strong password policies are a technical measure within the meaning of the GDPR (Art. 32)

  • They protect personal data from unauthorized access

  • In the event of data breaches, it can be demonstrated that appropriate security measures were in place

Recommendation: Use at least Digit,MixedCase for normal environments and All for systems containing sensitive data. Always combine password policies with other security measures such as password expiration (PASSWORDEXPIRATIONPERIODMONTH), password history (PASSWORDHISTORYLENGTH), and account lockout (LOCKOUTTHRESHOLD).


Practical example

Initial situation: A facility management company uses the default setting All. Some field staff complain that entering special characters on their tablets is cumbersome and leads to frequent input errors. The IT team wants to find a balanced solution between security and user-friendliness.

Configuration:

Parameter: PASSWORDPOLICY
Before: All
After: Digit,MixedCase

After the change:

  • Passwords must still contain at least one digit

  • Passwords must still contain uppercase and lowercase letters

  • Special characters are no longer required

  • Users can use passwords such as "Facility2026" or "Gebaeude42"

  • Field staff can easily enter passwords on tablets

Result: User acceptance increases significantly, while the security level remains high. The combination of numbers and mixed uppercase and lowercase letters provides sufficient complexity for most use cases. The IT team documents the change in the security policy and instructs users to use at least 10 characters.

Alternative scenarios:

Scenario A – High-security sector:

  • Bank or insurance company with strict compliance requirements

  • PASSWORDPOLICY = All

  • PASSWORDMINLENGTH = 12

  • PASSWORDEXPIRATIONPERIODMONTH = 3

  • Maximum security for highly sensitive data

Scenario B – Test environment:

  • Internal development and testing environment without production data

  • PASSWORDPOLICY = Digit

  • PASSWORDMINLENGTH = 6

  • Simplified login for developers, no sensitive data at risk


For standard installations: All (highest security)

Reason:

  • Maximum password security through a combination of all character types

  • Meets most compliance and security standards

  • Provides optimal protection against automated attacks

  • Complies with best practices for password security

For moderate security requirements: Digit,MixedCase

  • Good balance between security and user-friendliness

  • Sufficient for most business applications

  • Avoids issues with special character input on mobile devices

  • Higher user acceptance

Not recommended: Individual rules such as Digit or only MixedCase

  • Too low complexity for production systems

  • Only acceptable for test or development environments


Tip: Always combine PASSWORDPOLICY with PASSWORDMINLENGTH (at least 8–12 characters) and PASSWORDHISTORYLENGTH (at least 5) for comprehensive password protection. Also consider using PASSWORDEXPIRATIONPERIODMONTH for regular password changes when dealing with sensitive data.