This article...
- Describes how the password-strength validation feature enhances your site's password policy.
- Explains how to access the Password Strength page.
- Details how to configure password-strength validation.
- Explains how passwords are validated via a third-party, industry-standard security feature.
- Provides links to related knowledge base articles.
Having a password policy forces all users to adhere to your site's established 'character' and 'length' requirements when they set their account passwords.
Taking this one step further, you can also enable the password-strength feature for use with your site's users' passwords.
Password Strength in your community
Using the "password strength" feature enhances your password policy to better ensure that your users create passwords that not only meet your 'character' and 'length' requirements, but are also strong and secure.
EXAMPLE: The password 1passWord! meets the length and character requirements that have been configured for a site. However, this password is considered weak because it could very easily be guessed by a malicious agent.
When you enable the password-strength validator, you can prevent users from creating weak passwords.
Users "create" passwords in three scenarios.
- A new community user has to create an account password upon joining a community.
- An existing user might choose to change an account password.
- An existing user might have to reset an account password.
The process is, effectively, identical for all three scenarios. And password-strength validation is equally important in all three scenarios.
The validation
The validation functionality can be configured to work in either or both of the following ways.
When a user inputs a password in the New Password field, the system validates that input and:
- automatically rejects all new passwords that do not meet the "minimum strength" setting that is selected.
  - You must check the Enforce Minimum Strength box.
- displays a color-coded strength meter to users so they can see for themselves how strong their passwords are.
  - You must check the Show Password Strength Indicator box.
NOTE: These "validation" measures not only ensure the character requirements are met, they enforce "strength" as a requirement for new passwords.
Let's look at how to enable and configure password-strength requirements and validation in your community site.
Access the Password Strength page
To access the Password Strength page:
- In the Admin Toolbar, click Admin.
- Navigate to Settings > Security > Password Strength.
The Password Strength Settings page opens.
- Check the Enabled box to enable the password strength functionality for your site and to display the configuration fields.
Refer to the table in the next section for guidance on how to configure password-strength validation.
Configure password-strength validation
- Use the descriptions in the table to configure password-strength validation for your Higher Logic community site.
| Setting | Description |
|---|---|
| Enabled | Check this box to enable the minimum-strength functionality as part of password-creation criteria and to display the other configuration fields. To disable the minimum-strength functionality, return here, uncheck this box, and click Save Settings. All of the functionality and features that are managed on this page are then disabled across your site. |
| Enforce Minimum Strength | Check the box to automatically reject new passwords that do not meet the Minimum Strength setting (i.e., the default, Moderate, or the minimum that is set in the dropdown below). If unchecked, passwords that do not meet the Minimum Strength setting are not rejected but the password-strength indicator displays the strength of the password. |
| Minimum Strength | Accept the default setting (Moderate) or click the dropdown to select a required "minimum strength" for new passwords. Refer to the Enforce Minimum Strength setting (above) for how this setting affects passwords that do not meet this minimum. |
| User Inputs | Specify any words/terms that would lower the "score" of a new password and which should not be incorporated. For example, you could specify account-specific terms (e.g., your site name or company name) that you prefer users not include for security reasons. Use of these terms is not grounds for a password being rejected. |
| Show Password Strength Indicator | Check the box to have the password-strength indicator display below the New Password field. This gives users immediate feedback on the strength of their new password, so they can modify to meet the requirements and recommendations. Uncheck the box to not display the indicator. |
| Test Password Strength Indicator | Admins can type a test password to preview the colored bar and the on-hover assessment of the password (Very Weak through Very Strong). This displays under the New Password field to users if Show Password Strength Indicator is enabled. Examples: a Very Weak password (only three characters specified); a Strong password (character- and length-minimums met). For information on how this field works, refer to How passwords are validated, below. |
- When you have completed the configuration, click Save Settings.
The password-strength validation that you have configured is now active across your community site.
How passwords are validated
Higher Logic uses an industry-standard security feature for password validation. Both:
- the New Password field and
- the Test Password Strength Indicator field on the configuration page
...are linked to a secure library that rates (i.e., scores) the strength of passwords.
The scoring system is based on the following scale of 0 – 4. The Higher Logic Value column is what the score translates to in your community settings.
| Score | Indicates | Higher Logic Value |
|---|---|---|
| 0 | The password is too guessable. | Very Weak |
| 1 | The password is very guessable. | Weak |
| 2 | The password is somewhat guessable. | Moderate |
| 3 | The password is safely unguessable. | Strong |
| 4 | The password is very unguessable. | Very Strong |
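Why 1passWord! rates as weak even though it meets the character and length rules, and how the settings above act on a 0–4 score, in an added example that is not Higher Logic's code or the library it uses. The estimator is a simplified stand-in, and the word list, the guess thresholds, the sample site name, and the names `score` and `validateNewPassword` are assumptions.

```javascript
// Added illustration: a simplified guess-count estimator, not Higher Logic's library.
const LABELS = ["Very Weak", "Weak", "Moderate", "Strong", "Very Strong"];
// Constructed mini-dictionary, most common first; real estimators ship large ranked lists.
const COMMON = ["password", "welcome", "qwerty", "letmein", "admin", "123456"];
// Assumed guess-count boundaries between scores 0..4 (not stated on the page).
const THRESHOLDS = [1e3, 1e6, 1e8, 1e10];

// Size of the alphabet that must be searched to brute-force the string s.
function charsetSize(s) {
  return (/[a-z]/.test(s) ? 26 : 0) + (/[A-Z]/.test(s) ? 26 : 0) +
         (/[0-9]/.test(s) ? 10 : 0) + (/[^a-zA-Z0-9]/.test(s) ? 33 : 0);
}

// Cheapest way to guess the password: pure brute force, or a known word plus
// brute force of whatever characters surround it.
function estimateGuesses(password, userInputs = []) {
  const words = [...userInputs.filter(Boolean).map(w => w.toLowerCase()), ...COMMON];
  const lower = password.toLowerCase();
  let best = Math.pow(charsetSize(password), password.length);
  words.forEach((word, rank) => {
    const at = lower.indexOf(word);
    if (at < 0) return;
    const matched = password.slice(at, at + word.length);
    const leftover = password.slice(0, at) + password.slice(at + word.length);
    // Mixed case adds a small factor to the search, not a whole new alphabet.
    const caseFactor = /[A-Z]/.test(matched) ? 2 * word.length : 1;
    const guesses = (rank + 1) * caseFactor * Math.pow(charsetSize(leftover), leftover.length);
    best = Math.min(best, guesses);
  });
  return best;
}

function score(password, userInputs = []) {
  const guesses = estimateGuesses(password, userInputs);
  return THRESHOLDS.filter(t => guesses >= t).length; // 0..4
}

// settings mirrors the admin page: enabled, enforceMinimum, minimumStrength,
// userInputs, showIndicator. User Inputs only feed the score; there is no blocklist.
function validateNewPassword(password, settings) {
  if (!settings.enabled) return { accepted: true, indicator: null };
  const s = score(password, settings.userInputs);
  const accepted = !settings.enforceMinimum || s >= LABELS.indexOf(settings.minimumStrength);
  return { accepted, indicator: settings.showIndicator ? LABELS[s] : null };
}
```

Under these assumptions, 1passWord! scores 1 (Weak), so it is rejected at the default Moderate minimum when Enforce Minimum Strength is checked, and only flagged by the indicator when it is not.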
Related articles
- Manage your Password Policy walks through how to set up a basic password policy for your site. It is those settings that allow you to configure and incorporate an effective password-strength validation in your Higher Logic community site.
- Troubleshooting - Password Resetting offers troubleshooting tips for those who encounter issues when managing passwords for their community users.