Understanding and Configuring Password Policies in PeakCommerce
Overview: PeakCommerce uses Auth0 as the core technology for managing authentication and password security. As a result, all password policies within our platform are configured through Auth0’s robust security mechanisms. While the password policy can be tailored during the implementation process, customers do not have direct access to modify these settings unless they bring their own Identity Provider (IdP) to integrate with the platform.
This article explains the basics of Auth0 password policies and how PeakCommerce collaborates with customers to set them up.
What is a Password Policy?
A password policy is a set of rules that determine the minimum requirements for creating a secure password. This includes factors like password length, complexity (such as the inclusion of numbers or special characters), and expiration timeframes. The goal of these policies is to enhance the security of user accounts by ensuring strong password creation and management practices.
At PeakCommerce, password policies are set using Auth0, our chosen platform for authentication and user management.
How Password Policies Are Managed at PeakCommerce
During the implementation phase of your PeakCommerce solution, our team works with your organization to configure a password policy that meets your specific security requirements. You do not have direct access to these settings within the PeakCommerce platform unless you bring your own IdP (Identity Provider) as part of the setup.
However, by default, we offer a range of policy configurations using Auth0’s predefined policies or custom options to fit your needs.
Password Policy Options Available with Auth0
Auth0 provides several levels of password policies, which can be customized further based on your requirements:
Predefined Policies:
None: No password restrictions.
Low: Minimum length of 8 characters.
Fair: Minimum 8 characters, requires at least one uppercase letter, one lowercase letter, and one digit.
Good: Minimum 8 characters, requires at least one uppercase letter, one lowercase letter, one digit, and special characters (!@#$%^&*).
Excellent: Minimum 8 characters, requires at least one uppercase letter, one lowercase letter, one digit, special characters (!@#$%^&*), and no more than 2 identical characters in a row.
Custom Policies: If a more tailored password policy is required, Auth0 offers custom policies that allow for stricter password controls, including:
Minimum password length (e.g., 10+ characters).
Required character types (e.g., uppercase, lowercase, numbers, symbols).
Password history enforcement (to prevent users from reusing old passwords).
Password expiration periods (requiring periodic password updates).
Password dictionary (to prevent commonly known passwords)
Personal data (to exclude users personal data user's name, username, nickname, phone_number, user_metadata.name, user_metadata.first,user_metadata.last. The user's email or the first part of it, firstpart@email.com will also be checked)
These customizations are available as part of the onboarding process, and our team will help implement the best practice settings according to your organization’s security needs.
Password Policy Management for Customers with Their Own IdP
If your organization is using its own Identity Provider (IdP) to manage authentication, you will retain control over the password policies. In this case, you can configure your own settings through your IdP, and PeakCommerce will integrate the chosen provider with our system. This allows full customization of password policies within the framework of your IdP’s capabilities.
Working with PeakCommerce to Set Your Password Policy
To ensure the highest level of security, PeakCommerce recommends establishing a Fair or Custom Policy based on your organization’s needs. Our implementation team will collaborate with you to:
Determine the appropriate level of password complexity for your users.
Configure your policy within the Auth0 system or integrate your IdP, if applicable.
Test and validate the policy before going live.
Key Takeaways:
Password management in PeakCommerce is handled through Auth0, which provides both predefined and customizable policies.
Customers work with PeakCommerce during implementation to set their password policy.
Direct access to password management settings is not available unless an external IdP is integrated.
For further questions or to update your password policy, please contact your Customer Success Manager.