Password Policy
Passwords used to log in to the XMP must meet the following minimum requirements:
Must contain at least eight (8) characters and at most thirty (30) characters.
Must satisfy all of the following conditions:
At least 1 lower-case letter (a-z)
At least 1 upper-case letter (A-Z)
At least 1 numeric digit (0-9)
At least 1 special character (e.g. @#$%^&*()_+|~-=`{}[]:";'<>/ etc.)
It should not be the same as the user's First Name & Last Name.
The use of the login ID (Email ID) as the password for an account or profile is restricted.
Users may use a mix of Email ID characters and other characters as a password, but the Email ID characters must not appear in continuation (as one unbroken run). If they are jumbled with other characters the password is acceptable; if they appear in continuation it is not.
Example - If the email ID is prannay@experience.com, then:
Accepted passwords = prannay123@1@experience.com or pr3annay5@A477experience.com
Rejected passwords = 123prannay@experience.com or prannay@experience.com7654 or 11prannay@experience.com34@
The maximum character limit when creating a password is 30.
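The following is an added example (not code from XMP or Experience.com) of a validator that enforces the complexity rules above. It returns every rule a candidate password breaks rather than a single yes/no, so a sign-up form can show all problems at once. Two points are assumptions, since the policy leaves them open: "special character" is taken to mean any ASCII punctuation character (the policy's list ends in "etc."), and the First Name & Last Name rule is checked as a case-insensitive match against the first name, the last name, or the two joined together. The email rule is implemented exactly as the policy's examples show it: the full login Email ID must not occur as one contiguous run anywhere in the password.

```python
import re
import string
from typing import List

MIN_LEN, MAX_LEN = 8, 30  # length limits stated in the policy


def email_in_continuation(password: str, email: str) -> bool:
    """True when the whole login Email ID appears as one unbroken run in the password.
    Email characters interleaved with other characters are allowed by the policy."""
    return email.lower() in password.lower()


def check_password(password: str, email: str,
                   first_name: str = "", last_name: str = "") -> List[str]:
    """Return the list of policy rules the password violates; an empty list means accepted."""
    violations = []

    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not re.search(r"[a-z]", password):
        violations.append("needs a lower-case letter")
    if not re.search(r"[A-Z]", password):
        violations.append("needs an upper-case letter")
    if not re.search(r"[0-9]", password):
        violations.append("needs a numeric digit")
    # Assumption: any ASCII punctuation character counts as "special"; string.punctuation
    # covers every character the policy lists (@#$%^&*()_+|~-=`{}[]:";'<>/).
    if not any(c in string.punctuation for c in password):
        violations.append("needs a special character")

    # Assumption: the name rule is a case-insensitive equality check against the first
    # name, the last name, or the two joined (with or without a space).
    candidates = {first_name, last_name, first_name + last_name, first_name + " " + last_name}
    names = {n.lower() for n in candidates if n.strip()}
    if password.lower() in names:
        violations.append("must not equal first/last name")

    if email_in_continuation(password, email):
        violations.append("login email must not appear in continuation")

    return violations


if __name__ == "__main__":
    # The policy's own worked example (email prannay@experience.com).
    email = "prannay@experience.com"
    for pw in ("prannay123@1@experience.com", "pr3annay5@A477experience.com",
               "123prannay@experience.com", "prannay@experience.com7654",
               "11prannay@experience.com34@"):
        print(f"{pw!r}: {check_password(pw, email) or 'accepted'}")
```

Note that the first "accepted" example in the policy, prannay123@1@experience.com, satisfies the email rule but contains no upper-case letter, so the validator reports exactly that one violation for it; the second accepted example passes every rule.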
Backend Specific - The password must not be transmitted or stored in clear text.
The user must not be able to reuse any of the last five passwords when changing or resetting a password. This check applies to both the Update Password and Forgot Password features.
All Reset Password links expire after 24 hours. If the user clicks the link after that, a new password link request screen is displayed to the user. Refer to the image below:
If a user successfully resets a password using a link, the same link must NOT be usable again.
Only active users should be allowed to request password reset links.
Account Lockout Feature - If a user is unable to recall his/her password and enters an incorrect password 5 times consecutively, the respective profile is automatically locked and can only be unlocked using the Reset Password link sent to that user's registered Email Address.
This feature applies to all the users of http://Experience.com
The password reset link will expire in 24 hours if the user does not use it.
If the user clicks the reset password link after 24 hours, an error message and a new password link request option are displayed to the user. Users can regain access to the account only by acting on that request.
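The backend rules above (no clear-text storage, last-five history, 24-hour single-use reset links for active users only, and lockout after 5 consecutive failures) are shown together in this added example, which is not XMP's or Experience.com's code. Salted PBKDF2-HMAC-SHA256 is used as the storage hash and reset tokens are stored only as SHA-256 digests; both the algorithm and the iteration count are assumptions, since the policy only requires that passwords never be kept in clear text. The `now` parameter exists so the expiry logic can be exercised without waiting 24 hours.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional, Tuple

RESET_LINK_TTL = 24 * 60 * 60  # policy: reset links expire after 24 hours
MAX_FAILED_ATTEMPTS = 5        # policy: lock after 5 consecutive wrong passwords
HISTORY_DEPTH = 5              # policy: the last five passwords may not be reused
PBKDF2_ROUNDS = 100_000        # assumption; the policy only says "not clear text"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the backend never stores the clear-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def _token_key(token: str) -> str:
    # Only a hash of the reset token is kept server-side, for the same reason as passwords.
    return hashlib.sha256(token.encode()).hexdigest()


class Account:
    def __init__(self, email: str, password: str, active: bool = True):
        self.email = email
        self.active = active
        self.locked = False
        self.failed_attempts = 0
        self.history: List[Tuple[bytes, bytes]] = []  # (salt, digest), newest last
        self.reset_tokens: Dict[str, float] = {}      # token hash -> issue time
        self._set_password(password)

    def _set_password(self, password: str) -> None:
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]  # keep only the last five

    def login(self, password: str) -> bool:
        if not self.active or self.locked:
            return False
        salt, digest = self.history[-1]
        if verify_password(password, salt, digest):
            self.failed_attempts = 0  # the counter is for consecutive failures only
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True  # unlockable only through the reset link
        return False

    def request_reset_link(self, now: Optional[float] = None) -> Optional[str]:
        """Only active users may request a link; returns the token carried in the link."""
        if not self.active:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_token_key(token)] = time.time() if now is None else now
        return token

    def reset_password(self, token: str, new_password: str,
                       now: Optional[float] = None) -> str:
        """Returns 'ok', 'expired', 'invalid' (unknown or already used) or 'reused'."""
        now = time.time() if now is None else now
        key = _token_key(token)
        issued = self.reset_tokens.get(key)
        if issued is None:
            return "invalid"
        if now - issued > RESET_LINK_TTL:
            del self.reset_tokens[key]  # the UI then offers a new link request
            return "expired"
        if any(verify_password(new_password, s, d) for s, d in self.history):
            return "reused"  # token kept so the user can pick a different password
        del self.reset_tokens[key]  # single use: the same link must not work again
        self._set_password(new_password)
        self.locked = False
        self.failed_attempts = 0
        return "ok"
```

A "reused" result deliberately leaves the token valid so the user can retry with a different password inside the 24-hour window; a successful reset consumes it and clears any lockout, which is the only unlock path the policy allows.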
Please note that none of the above features apply in the case of SSO or Okta login.
There are no specific MFA (Multi-factor Authentication) policies implemented in our login process as of now, but some are planned as part of future security enhancements.
Passwords, credentials, and anything classified as secret data must not be written down, captured as images or video, or shared in plaintext, either verbally or via any messaging platform, including messaging platforms approved for corporate use.