Password policy and requirements

Sage Intacct values security, and we impose a standard password policy for all companies to keep your data safe. Parts of our password policy can be customized in your Company information to meet the security requirements of your business.

Password policy

Our standard password policy rests on four pillars:

  1. Password quality: All passwords must contain at least one number, one lowercase letter, one uppercase letter, and one special character.

    For example, 1Rg*1LHd would be accepted as a strong password, but 5@io762! would be rejected as a weak password because it does not contain any uppercase letters. This setting is not customizable.

    Read these tips for creating strong and secure passwords.

  2. Password length: All passwords must be eight or more characters long. You can increase this number for more complex passwords, but you can never decrease the password length requirement.

  3. Password reset duration: All passwords must be reset at least once every 90 days. You can increase or decrease how often users must reset their passwords to meet your company's security standards, but the minimum requirement is once a year.

    An admin can override this option for specific users in their user information, but it should only be overridden for users with integrations or API applications that rely on an Intacct user ID and password for connectivity.

  4. Reuse of old passwords: Intacct automatically remembers the last three passwords for each user. This means that a user cannot use any of the last three passwords they created when they reset their password. You can increase the number of passwords remembered, but you can never decrease it.
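The four pillars above can be mirrored in your own tooling, for example to pre-check a credential for an integration user before you set it. The following is an added example, not Sage Intacct code: the names PasswordPolicy, hash_password, and violations are hypothetical, "special character" is assumed to mean ASCII punctuation, and keeping password history as salted PBKDF2 hashes is an assumption about how such a history could be stored.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

# Floors taken from the policy text; a company may only tighten them.
MIN_LENGTH_FLOOR = 8
HISTORY_FLOOR = 3


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = MIN_LENGTH_FLOOR
    history_size: int = HISTORY_FLOOR
    reset_days: int = 90

    def __post_init__(self):
        if self.min_length < MIN_LENGTH_FLOOR:
            raise ValueError("minimum length cannot go below 8")
        if self.history_size < HISTORY_FLOOR:
            raise ValueError("history cannot go below 3 passwords")
        if not 7 <= self.reset_days <= 365:  # weekly to yearly
            raise ValueError("reset interval must be 7 to 365 days")


def hash_password(password, salt=None):
    """Return (salt, digest); history stores these, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def violations(password, policy, history=()):
    """List every rule the candidate breaks; an empty list means accepted."""
    found = []
    if len(password) < policy.min_length:
        found.append("length")
    classes = {"number": string.digits, "lowercase": string.ascii_lowercase,
               "uppercase": string.ascii_uppercase,
               "special": string.punctuation}  # assumption: ASCII punctuation
    for name, chars in classes.items():
        if not any(c in chars for c in password):
            found.append(name)
    recent = list(history)[-policy.history_size:]  # newest entries only
    if any(hmac.compare_digest(hash_password(password, s)[1], d)
           for s, d in recent):
        found.append("reuse")
    return found
```

Pass history oldest first as (salt, digest) pairs; only the newest history_size entries block reuse.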

Customize your password policy

In your company security settings, you can customize the password policy of your company to suit your business needs.

  1. Go to Company > Setup > Configuration > Company, then select the Security tab.
  2. On the Security tab, select Edit.
  3. Go to the Password section, then change any of the following:
    Password field descriptions

    Reset password: Defines how long a password lasts before you must change it. Your options range from yearly to weekly. An admin can override this option for specific users in their user information, but it should only be overridden for users with integrations or API applications that rely on an Intacct user ID and password for connectivity.

    Minimum length: Defines how long an accepted password must be. The minimum requirement is eight characters.

    Prevent reuse of passwords: Select the number of recent passwords that a user cannot reuse when they reset their password. The minimum requirement is that users cannot reuse the last three passwords.
  4. Select Save when you’re finished.

Login attempts

You also control what happens to users during failed login attempts and password reset attempts.

To set your login and reset attempt settings:

  1. In Maximum login attempts per day, choose the maximum number of login attempts allowed in a 24-hour period before the user is locked out. A successful login resets the failed attempt counter. This setting applies to all users.
    After Intacct locks out a user, only an administrator can unlock that user.
  2. For Maximum reset attempts per day, select the maximum number of reset attempts that a user can make in a 24-hour period. You can set the number of reset attempts from 1 to 10.
    When the number of attempts is exceeded for the period, only the administrator can reset the password until the period is over. Then, the user can try again.
  3. Set the Maximum number of verification attempts for a password reset.
    This is the maximum number of times the incorrect information can be entered in a password reset attempt. When the limit is reached, Intacct locks the account for 24 hours.
  4. Save your changes.