Password Policy
Description of the password policy.
The password policy is strictly enforced and is not designed to be downgraded. Passwords must comply with the following requirements.
For UKG Authentication, all password values are accepted during any administration workflow such as People Import and other integrations, the Data Import Tool, a user-interface password reset, or any use of the People API that creates and updates a password. The following password requirements apply only to user accounts when a user is resetting their own password by Forgot Password or when Require Password At Next Login is selected. Users are not forced to change their password unless Require Password At Next Login is set.
(Only for OpenAM authentication (legacy)) People Import integrations continue to run and import user accounts with the existing passwords, even if the passwords are shorter than the minimum number of characters. However, when passwords do not comply with the password policy, users are prompted to change the passwords to comply with the password policy when they log in for the first time even if Require Password At Next Login is not checked.
- A password must contain alphanumeric characters, at least 1 uppercase character, at least 1 lowercase character, and at least 1 special character (special characters include @ . _ + - ! # $ ' ^ ` ~) and be the Minimum length or longer.
  Example acceptable password: AYWzwmQX$Y4M3Dy (but don't use this example).
- Reuse Monitoring = The 24 previous passwords cannot be reused. You cannot turn off or edit this option.
- The password must not contain any of the following: user names, spaces, and words from the forbidden password list.
  Example forbidden passwords: MyUsername, password password, MyStrongPassword.
- Minimum length: The shortest acceptable password length.
  Minimum (default) = 8 characters.
  Maximum = 64 characters.
- Maximum consecutive identical characters = 4 (maximum and default) identical characters in a row that passwords can contain.
  Example forbidden passwords include the following: aaaaa, nnnnn, xxxxx, 00000, 66666, 99999.
- Maximum sequential letters or numbers = 3 (maximum and default) sequential letters or numbers that passwords can contain.
  Example forbidden passwords include the following: abcd, defg, wxyz, 1234, 5678.
- Expiration Frequency: The number of days after which passwords expire, and users must change their passwords.
  - Passwords do not expire with UKG Authentication, and you cannot edit this option.
  - (Only for OpenAM authentication) Value = 180 (maximum and default) or fewer days. You cannot turn off this option.
    Caution: (Only for OpenAM authentication) If a user account is used for system-to-system API calls, such as for integrations, password expiration can block API calls and prevent integrations from running. To avoid this, convert the user account to API Only User in People Information; see the Employee topic. Your FAP must have API-only user set to Allowed; see the Manager - Common Setup ACPs topic. Once the account is API-Only, it supports only API calls, and you cannot use it to log in from a browser or mobile app.
    UKG Authentication does not support new API-Only user accounts. Instead, use Client Management or ROPC with a non-API User since passwords don't expire.
- Account is locked out for inactivity: The number of days of inactivity before the system locks the account.
  On systems that are upgraded to UKG Authentication, user accounts are not locked, and you cannot activate or edit this option.
  Note: User accounts that use Federated Authentication are not locked out because of inactivity. For more information about the types of authentication, see the Authentication topic.
  (Only for OpenAM authentication) You cannot turn off this option but you can edit the following:
  - Inactive existing user accounts = 180 (maximum and default) or fewer days.
  - First-time login = 30 (maximum and default) or fewer days.
  Note: To avoid locking accounts during setup, set the User Account Status to the effective, active date of the accounts.
You can make only limited adjustments to the password policy as follows:
- Select .
- To change the minimum password length and other log-on settings, see the Logon Profiles topic.
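The self-service password requirements listed above can be pre-checked in a provisioning or help-desk script before a value is submitted; the following Python validator is an added example, not UKG code or a UKG API. Assumptions: the forbidden word list is a constructed sample, user-name and forbidden-word matching is case-insensitive, "sequential" means ascending runs as in the page's examples, a digit is not separately required, and the 24-password reuse history is out of scope because it needs stored state.

```python
import re

# Special characters exactly as listed in the policy text.
SPECIALS = set("@._+-!#$'^`~")
# Constructed sample: the real forbidden password list is not on the page.
FORBIDDEN_WORDS = {"password", "welcome", "qwerty"}

def longest_identical_run(pw):
    """Length of the longest run of one repeated character."""
    best = run = 0
    for i, ch in enumerate(pw):
        run = run + 1 if i and ch == pw[i - 1] else 1
        best = max(best, run)
    return best

def longest_sequential_run(pw):
    """Longest ascending run of letters or digits ('abcd', '1234' -> 4)."""
    s, best, run = pw.lower(), 0, 0
    for i, ch in enumerate(s):
        if not (ch.isascii() and ch.isalnum()):
            run = 0  # a special character breaks the sequence
        elif run and ord(ch) == ord(s[i - 1]) + 1:
            run += 1
        else:
            run = 1
        best = max(best, run)
    return best

def policy_violations(password, username, min_length=8, forbidden=FORBIDDEN_WORDS):
    """Return the rules the password breaks; an empty list means compliant."""
    if not 8 <= min_length <= 64:
        raise ValueError("Minimum length setting must be between 8 and 64")
    low = password.lower()
    checks = [
        (len(password) < min_length, "shorter than minimum length"),
        (not re.search(r"[A-Z]", password), "no uppercase character"),
        (not re.search(r"[a-z]", password), "no lowercase character"),
        (not SPECIALS & set(password), "no special character"),
        (" " in password, "contains a space"),
        (bool(username) and username.lower() in low, "contains the user name"),
        (any(w in low for w in forbidden), "contains a forbidden word"),
        (longest_identical_run(password) > 4, "more than 4 identical characters in a row"),
        (longest_sequential_run(password) > 3, "more than 3 sequential letters or numbers"),
    ]
    return [msg for failed, msg in checks if failed]
```

Because administration workflows under UKG Authentication accept any password value, a check like this is most useful on import files and integration payloads, where the platform itself does not apply these rules.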
