For your online security, it is essential to have a strong password policy. In this article, we explain how you can view the password policy for your Spend Cloud environment and share our recommendations for a secure password policy. These settings are especially relevant when Single Sign-On (SSO) is not used, or not all users log in via SSO.
Where to Find the Password Policy for Your Spend Cloud Environment
You can find the password policy within the configuration settings. These can be accessed through Application Management / Config Settings / General in the menu.
If you do not have access to this section, enable it within the rights associated with your role or ask an administrator in your organization to do so. Here, you can view the settings, modify them if needed, and take a screenshot to provide to your accountant. Below, we explain the different settings and our recommendations.
090 - Requesting a Password
If this setting is enabled, users can request a new password, which will be sent to them via email.
Recommendation: Always keep this setting enabled so users can retrieve a new password when logging in for the first time or if they forget their current password.
007 - Changing Passwords
If this setting is enabled, users can change their password in their profile settings.
Recommendation: Always keep this setting enabled so users can change their password at any time.
008 - Changing Password After First Login
With this setting, users must change their password immediately after their first login.
Recommendation: Always keep this setting enabled so users create their own password instead of continuing to use a temporary, weak password.
009, 244, 245, 246 - Password Complexity Requirements
When enabled, passwords must include letters (at least one uppercase), numbers, and special characters. Additionally, users cannot include their first name, last name, or username in their password.
Recommendation: Always keep these settings enabled to enforce a strong and complex password policy.
010 - Minimum Password Length
This setting defines the minimum number of characters a password must have.
Recommendation: Require at least 12 characters for passwords. The longer the password, the harder it is to guess.
011 & 012 - Password Expiration
Here, you can specify whether users must change their password after a certain period.
Recommendation: Require users to change their password at least every 180 days.
167 - Incorrect Password Attempts
This setting determines how many times users can enter an incorrect password before being temporarily locked out.
Recommendation: Allow a maximum of five attempts before locking the account temporarily. This prevents unlimited login attempts with incorrect passwords.
176 - Reusing Old Passwords
This setting determines how many password changes must occur before a user can reuse an old password.
Recommendation: Prevent users from reusing a password for at least five changes—but the higher the number, the better.
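The settings above, combined into one added reference implementation in Python. This is not Spend Cloud's own code: the class, function and field names, the 15-minute lockout duration, the sample user and the reference time are assumptions made for illustration, and the setting numbers in the comments simply point back to the headings in this article. It shows how a policy with the recommended values (12 characters, complexity rules, no name or username, 180-day expiration, five incorrect attempts, five-change history) rejects weak or reused passwords, flags passwords that must be changed, and locks an account temporarily after repeated incorrect attempts.

```python
# Added example: a reference implementation of the recommended password policy.
# Not Spend Cloud's own code; setting numbers in comments refer to the article's
# headings. Names, the lock duration and the sample user are assumptions.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 12           # 010: recommended minimum password length
MAX_AGE_DAYS = 180        # 011 & 012: recommended expiration period
MAX_FAILED_ATTEMPTS = 5   # 167: lock temporarily after five incorrect attempts
HISTORY_SIZE = 5          # 176: an old password cannot return for five changes
LOCK_MINUTES = 15         # assumed length of the temporary lockout

SAMPLE_NOW = datetime(2024, 1, 1, 9, 0)  # constructed reference time for the demo


def later(start: datetime, days: int = 0, minutes: int = 0) -> datetime:
    """Small helper to move a timestamp forward (keeps the demo readable)."""
    return start + timedelta(days=days, minutes=minutes)


@dataclass
class UserAccount:
    username: str
    first_name: str
    last_name: str
    # The demo keeps plaintext history; a real system stores and compares hashes.
    password_history: List[str] = field(default_factory=list)  # oldest first
    password_set_at: Optional[datetime] = None  # None: temporary password (008)
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def complexity_violations(password: str, user: UserAccount) -> List[str]:
    """009/244/245/246, 010 and 176: list every rule the candidate breaks.

    An empty list means the password satisfies the policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for label, value in (("first name", user.first_name),
                         ("last name", user.last_name),
                         ("username", user.username)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    if password in user.password_history[-HISTORY_SIZE:]:
        problems.append(f"reused within last {HISTORY_SIZE} changes")
    return problems


def set_password(user: UserAccount, password: str, now: datetime) -> List[str]:
    """Apply a password change; returns the violations (empty on success)."""
    problems = complexity_violations(password, user)
    if problems:
        return problems
    user.password_history = (user.password_history + [password])[-HISTORY_SIZE:]
    user.password_set_at = now
    return []


def password_expired(user: UserAccount, now: datetime) -> bool:
    """011 & 012 (and 008): must the user pick a new password before continuing?"""
    if user.password_set_at is None:
        return True  # temporary password from onboarding: change at first login
    return now - user.password_set_at > timedelta(days=MAX_AGE_DAYS)


def record_login_attempt(user: UserAccount, success: bool, now: datetime) -> str:
    """167: returns 'ok', 'failed' or 'locked' and updates the counters."""
    if user.locked_until is not None and now < user.locked_until:
        return "locked"  # even a correct password is refused during the lockout
    if success:
        user.failed_attempts = 0
        user.locked_until = None
        return "ok"
    user.failed_attempts += 1
    if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
        user.failed_attempts = 0
        user.locked_until = later(now, minutes=LOCK_MINUTES)
        return "locked"
    return "failed"


if __name__ == "__main__":
    user = UserAccount(username="jdoe", first_name="Jane", last_name="Doe")
    for candidate in ("Welcome1!", "JaneDoe2024!!", "Correct-Horse-42"):
        print(f"{candidate!r}: {complexity_violations(candidate, user) or 'accepted'}")
    set_password(user, "Correct-Horse-42", SAMPLE_NOW)
    print("expired after 181 days:", password_expired(user, later(SAMPLE_NOW, days=181)))
    status = "ok"
    for _ in range(MAX_FAILED_ATTEMPTS):
        status = record_login_attempt(user, False, SAMPLE_NOW)
    print("status after five wrong attempts:", status)
```

Two design choices worth noting: the history check is done on the plaintext only to keep the demo short, whereas a real system compares the candidate against stored password hashes; and the lockout refuses even a correct password until the window has passed, which is what makes the attempt limit effective against repeated guessing rather than just slowing it down.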