Password Rules

Overview

We modified our new password rules to follow National Institute of Standards and Technology (NIST) guidelines. NIST is a non-regulatory federal agency whose mission is to promote U.S. innovation and industrial competitiveness in ways that enhance security and improve quality of life.

Changes

  • Removal of the routine expiration of passwords
    • Multiple studies have indicated that the common practice of requiring users to change their passwords on a set schedule is actually detrimental to password security. With this in mind, passwords used to access Bullhorn Time & Expense tools will no longer expire.
  • Simplification to complexity requirements
    • There will no longer be any complexity (character-class) requirements for a password. Like frequent password changes, such requirements have been shown to lead to worse passwords.
    • The only requirement is a minimum length of 8 characters. However, a more complex password is highly encouraged, such as one that contains at least 1 of the following characteristics: uppercase character, lowercase character, special character, or number.
  • Screening of passwords
    • To ensure the security of user accounts, we will validate user created passwords against a database of commonly used or commonly breached passwords. If we find any issues, we will prompt the user to create a different password before saving anything.
  • Lockout
    • A user will be locked out from the system for 1 hour after 20 invalid attempts. To best protect the security of all accounts, this 1 hour lockout cannot be bypassed.
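
The rules above map directly onto a small amount of login logic. The following Python is an added illustration written for this page, not Bullhorn's own code: it enforces only the 8-character minimum, screens candidates against a breached-password list (here a constructed five-entry sample standing in for a real breach corpus), and locks an account for 1 hour after 20 failed attempts, rejecting even a correct password while the lockout is active. The assumptions that the failure counter resets after a successful login or once the lockout expires, and that the breach check is case-insensitive, are this example's choices, not statements from the page.

```python
"""Password policy and lockout logic modelled on the rules described above.
Added example, not Bullhorn's code."""
import time
from dataclasses import dataclass

MIN_LENGTH = 8              # only enforced rule for new passwords
MAX_FAILED_ATTEMPTS = 20    # failures before lockout
LOCKOUT_SECONDS = 60 * 60   # 1 hour, cannot be bypassed

# Constructed sample of commonly used / breached passwords. A real deployment
# would load a large breach corpus instead of this toy set.
BREACHED_PASSWORDS = frozenset(
    {"password", "12345678", "qwertyui", "iloveyou", "letmein1"}
)


def validate_new_password(candidate):
    """Return (ok, reason). No character-class rules; only length and screening."""
    if len(candidate) < MIN_LENGTH:
        return False, "password must be at least %d characters" % MIN_LENGTH
    # Case-insensitive compare (assumption): trivially capitalised versions of a
    # known-bad password should not slip past the screen.
    if candidate.lower() in BREACHED_PASSWORDS:
        return False, "password appears in a list of commonly used or breached passwords"
    return True, "ok"


@dataclass
class LoginState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class LockoutTracker:
    """Tracks failed attempts per user; clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._state = {}  # username -> LoginState

    def is_locked(self, user):
        st = self._state.get(user)
        return st is not None and self._clock() < st.locked_until

    def record_failure(self, user):
        st = self._state.setdefault(user, LoginState())
        # Assumption: an expired lockout starts a fresh counter.
        if st.locked_until and self._clock() >= st.locked_until:
            st.failed_attempts, st.locked_until = 0, 0.0
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_until = self._clock() + LOCKOUT_SECONDS
        return self.is_locked(user)

    def record_success(self, user):
        # Assumption: a successful login clears the failure history.
        self._state.pop(user, None)


def attempt_login(tracker, user, password, verify):
    """Return "locked", "ok" or "failed". While locked, credentials are not
    even checked, so a correct password cannot end the lockout early."""
    if tracker.is_locked(user):
        return "locked"
    if verify(user, password):
        tracker.record_success(user)
        return "ok"
    tracker.record_failure(user)
    return "failed"


if __name__ == "__main__":
    # Constructed demo with a fake clock so the 1-hour lockout can be observed.
    now = [1_000.0]
    tracker = LockoutTracker(clock=lambda: now[0])
    verify = lambda u, p: p == "correct horse battery staple"
    for _ in range(MAX_FAILED_ATTEMPTS):
        attempt_login(tracker, "alice", "wrong", verify)
    print("locked:", tracker.is_locked("alice"))
    print("correct password during lockout:",
          attempt_login(tracker, "alice", "correct horse battery staple", verify))
    now[0] += LOCKOUT_SECONDS
    print("after an hour:",
          attempt_login(tracker, "alice", "correct horse battery staple", verify))
```

The injectable clock is what makes the lockout testable without waiting an hour; in production the default `time.time` is used and the per-user state would live in a shared store rather than a process-local dict.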