About password validation rules

The Password Validation rule set determines whether a password that has been entered into the system is valid according to specific rules. The following password validation rules are available.

Warning: By default, these rules are configured to meet UKG's minimum product security standards. If your organization's rules exceed these standards, your organization's rules will take precedence.

  • Dictionary Words. Determines password attributes such as the types of characters and whether it must be a non-word.

  • Maximum Length. Enforces a limit on the maximum number of characters in a password.

  • Minimum Character Change. Determines how many characters must be changed when the employee resets their password.

  • Minimum Length. Determines the minimum length of a password.

  • Minimum Password Age. Enforces a minimum age before a password may be changed.

  • Non User ID. Prevents the password from containing the User ID or its reverse.

  • Repetitive Characters. Determines how many consecutive times the same character can be included.

  • Reuse of Passwords. Establishes when and if passwords can be reused.

Some password validation rule parameters specify security access level values. Depending on the rule, different values may be specified for Low, Medium and High access levels. For details on access levels, refer to About access levels.

To view a password validation rule, refer to Viewing password rules below.

Dictionary Words page contents

This rule specifies the attributes that allow or disallow certain types of alphanumeric characters, whether the password must be a non-word, and whether it should include upper and lower case letters or special characters.

  • Name. The name of the rule.

  • ID. The unique ID that is assigned to the rule.

  • Implementation Class. The category that the rule is assigned to.

  • Description. The description of the rule.

  • Require Alpha. Whether the password must include alphabetic characters. Depending on the role's access level, the default may vary.

    • Low. By default, this option is disabled for the Low access level. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. By default, this option is enabled for the Medium access level. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. By default, this option is enabled for the High access level. For details on which roles are assigned to the High access level, refer to About access levels.

  • Require Lower. Whether the password must include lowercase alphabetic characters. Depending on the role's access level, the default may vary.

    • Low. By default, this option is disabled for the Low access level. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. By default, this option is enabled for the Medium access level. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. By default, this option is enabled for the High access level. For details on which roles are assigned to the High access level, refer to About access levels.

  • Require Non-Words. Whether the password must include non-words. Depending on the role's access level, the default may vary.

    • Low. By default, this option is enabled for the Low access level. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. By default, this option is enabled for the Medium access level. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. By default, this option is enabled for the High access level. For details on which roles are assigned to the High access level, refer to About access levels.

  • Require Number. Whether the password must include a number. Depending on the role's access level, the default may vary.

    • Low. By default, this option is enabled for the Low access level. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. By default, this option is enabled for the Medium access level. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. By default, this option is enabled for the High access level. For details on which roles are assigned to the High access level, refer to About access levels.

  • Require Special. Whether the password must include a special character. Depending on the role's access level, the default may vary.

    • Low. By default, this option is disabled for the Low access level. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. By default, this option is disabled for the Medium access level. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. By default, this option is disabled for the High access level. For details on which roles are assigned to the High access level, refer to About access levels.

  • Require Upper. Whether the password must include an uppercase alphabetic character. Depending on the role's access level, the default may vary.

    • Low. By default, this option is enabled for the Low access level. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. By default, this option is enabled for the Medium access level. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. By default, this option is enabled for the High access level. For details on which roles are assigned to the High access level, refer to About access levels.

  • Enabled. Whether the rule is enabled or disabled. The default is Yes.

Maximum Length page contents

This rule enforces a limit on the maximum number of characters in a password.

  • Name. The name of the rule.

  • ID. The unique ID that is assigned to the rule.

  • Implementation Class. The category that the rule is assigned to.

  • Description. The description of the rule.

  • Max Length. Determines the maximum length of the password. Depending on the role's access level, the default may vary.

    • Low. The default is 64 characters. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. The default is 64 characters. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. The default is 64 characters. For details on which roles are assigned to the High access level, refer to About access levels.

  • Enabled. Whether the rule is enabled or disabled. The default is Yes.

Minimum Character Change page contents

This rule enforces a minimum number of characters that must be changed when the employee resets their password. The default is 5 characters.

Minimum Length page contents

This rule enforces a minimum password length.

  • Name. The name of the rule.

  • ID. The unique ID that is assigned to the rule.

  • Implementation Class. The category that the rule is assigned to.

  • Description. The description of the rule.

  • Min. Length. Determines the minimum length of the password. Depending on the role's access level, the default may vary.

    • Low. The default is 15 characters. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. The default is 20 characters. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. The default is 20 characters. For details on which roles are assigned to the High access level, refer to About access levels.

  • Enabled. Whether the rule is enabled or disabled. The default is Yes.

Minimum Password Age page contents

This rule enforces a minimum age that must be met before a password may be changed.

Note: This rule is only enforced if a user changes their own password; the rule is not enforced if the password was changed by a higher role, an import job, or the bi-directional import job.

  • Name. The name of the rule.

  • ID. The unique ID that is assigned to the rule.

  • Implementation Class. The category that the rule is assigned to.

  • Description. The description of the rule.

  • Minimum Days. Determines how old a password must be before a change is allowed. This rule is only enforced if a user changes their own password; the rule is not enforced if the password was changed by a higher role, an import job, or the bi-directional import job.

    • Low. The default is 1 day. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. The default is 1 day. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. The default is 1 day. For details on which roles are assigned to the High access level, refer to About access levels.

  • Enabled. Whether the rule is enabled or disabled. The default is Yes.

Non User ID page contents

This rule specifies the conditions that allow or disallow using the User ID or its reverse in the password. By default, the rule is disabled.

Repetitive Characters

This rule specifies how many consecutive repeating characters can be included in the password. For example, if the maximum is 3, this example would trigger an alert: 1111Password

The message states "ALERT: Password may not have more than three consecutive repeating characters."

  • Name. The name of the rule.

  • ID. The unique ID that is assigned to the rule.

  • Implementation Class. The category that the rule is assigned to.

  • Description. The description of the rule.

  • Max Repetitive Characters. Determines how many times the same character can be consecutively repeated in the password. Depending on the role's access level, the default may vary.

    • Low. The default is 3 characters. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. The default is 3 characters. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. The default is 3 characters. For details on which roles are assigned to the High access level, refer to About access levels.

  • Enabled. Whether the rule is enabled or disabled. The default is Yes.

Reuse of Passwords page contents

This rule specifies the conditions that allow or disallow reusing a password.

  • Name. The name of the rule.

  • ID. The unique ID that is assigned to the rule.

  • Implementation Class. The category that the rule is assigned to.

  • Description. The description of the rule.

  • Allow reuse after # changes. Determines how many times the user must change a password before they can use the same password again. Depending on the role's access level, the default may vary.

    • Low. The default is 24 days. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. The default is 24 days. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. The default is 24 days. For details on which roles are assigned to the High access level, refer to About access levels.

  • Allow reuse after # days. Determines how many days must pass before the password can be used again. Depending on the role's access level, the default may vary.

    • Low. By default, this option is disabled for the Low access level. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. By default, this option is disabled for the Medium access level. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. By default, this option is disabled for the High access level. For details on which roles are assigned to the High access level, refer to About access levels.

  • Never Reuse. Determines whether a password can be reused. Depending on the role's access level, the default may vary.

    • Low. By default, this option is disabled for the Low access level. For details on which roles are assigned to the Low access level, refer to About access levels.

    • Medium. By default, this option is disabled for the Medium access level. For details on which roles are assigned to the Medium access level, refer to About access levels.

    • High. By default, this option is disabled for the High access level. For details on which roles are assigned to the High access level, refer to About access levels.

  • Enabled. Whether the rule is enabled or disabled. The default is Yes.

Viewing password rules

To view a password rule, take these steps:

  1. Click Common Set Up > Rule Management on the main menu. The Rule Management page opens.

  2. Click the Password Validation link. The page opens and the Rules for Password Validation Rule Set table displays.

  3. Click the Name link on the row that identifies the password rule. The page opens.

Related Topics

About access levels

About rule set management

Password requirements