iMocha's Password Policy

This page describes the options available for configuring the password policy, which can be enabled across all of iMocha's products, i.e., Talent Acquisition and Talent Development, including Talent admin and Talent Portal.

iMocha provides services to various corporates, aiding them in evaluating their existing employees and recruiting prospective ones. Recognizing the utmost importance of privacy and security, iMocha has established this password policy to provide guidelines and procedures for creating, managing, and safeguarding passwords. The policy ensures the safety and integrity of iMocha's information systems and data. 

Purpose 

This document aims to establish and enforce a comprehensive password policy specifically tailored to iMocha. The policy ensures strict adherence to the organization's overall security standards and creates a secure user authentication and data protection environment. By implementing this policy, we aim to enhance the overall security posture, mitigate risks of unauthorized access, and safeguard sensitive information associated with the products. 

Scope 

This policy applies to all employees and authorized users accessing iMocha's Products. 

Password Policy Options 

The following table provides an overview of the options for configuring the password policy, which can be enabled upon request across all of iMocha's products, i.e., Talent Acquisition and Talent Development, including Talent admin and Talent Portal.

Option: Mandatory periodic password change policy
Description: Specifies the number of days for which a password remains valid. After this period, users must reset their passwords. By default, users whose passwords expire must follow the Forgot Password process.
Default value: 90

Option: Days Before Password Expiry Warning
Description: Specifies when to notify the user that a password is about to expire. This value must be equal to or less than the value of the mandatory periodic password change option. By default, users are prompted to sign in and change their passwords.
Default value: 10

Option: Hours Before Password Reset Token Expiration
Description: When users request a password reset, they are sent a password reset link. This policy specifies how long a reset password link remains active. If the link expires before the password is reset, the reset must be requested again. You can enter any value between 1 and 9999.

Option: Account lockout after repeated failed login attempts
Description: The account is locked temporarily after a predetermined number of unsuccessful attempts for a predetermined amount of time. This option specifies the number of unsuccessful attempts and the lockout time.
Default value: 5 attempts and 5 minutes

Option: The administrator can manually reset the password
Description: The IT Security Manager can either generate or reset passwords automatically or manually. Select this option to allow user passwords to be reset manually. All passwords must satisfy the current complexity rule, whether reset manually or generated automatically.
Default value: Yes

Option: Initial password change after first login
Description: Users must change their default password upon their first login to enhance security. This option is limited to the users of talentadmin.imocha.io and app.imocha.io; for the users of talent.imocha.io, the passwords are generated by default.
Default value: Yes

Option: Minimum password length
Description: Specifies a minimum password length to ensure the password meets the organization's security standards.
Default value: 10

Option: Password complexity
Description: Specifies whether passwords must be simple, complex, or very complex. Password validation rules identify passwords that fail the selected complexity test. The following password complexity types are available:
  • Simple: Must contain at least eight characters and one number. This is the default complexity type.
  • Complex: Must contain at least eight characters, one uppercase letter, and one number.
  • Very Complex: Must contain at least eight characters, one uppercase letter, one number, and one special character.
  • Custom: Provides the flexibility to specify a combination of parameters to define a custom password policy. By default, the parameters are populated with a predefined set of values to get you started.
  Note: For more information about defining custom passwords, see the topic Configure a Custom Password Policy in the Related Topics section.
Default value: Simple

Option: Prevent the reuse of previous passwords
Description: Select to ensure that the new password is different from the previous password. If the user requests a password reset, this option determines whether reuse of the previous password is allowed. This option does not affect the reuse of passwords after expiry.
Default value: Coming soon in Q4

Design Flow 
The password settings function as described below; to enable the desired options, contact our support team.

Mandatory periodic password change policy: 

The default “Enforce password change after” is 90 days. 

  1. A "Your password is about to expire!" pop-up message is displayed once a day on the landing screen when the user logs in to the account during the last ten days before the password expires, as per the account's policy. 
  2. A pop-up with the message "Password expired!" and an "Update password now" link is displayed over the landing page each time the user logs in. The "Update password now" button redirects the user to the Change password page. 
  3. Once the password expires after the predetermined number of days, a warning message is displayed on the next login above the Remember me check box on the login form, stating: "Your password has expired due to a security precaution. Please change your password. You can reset your password using the forgot password link." 
  4. This policy applies to all user roles and new users of client accounts whose password settings have "Enforce password change after…" enabled. 

Account lockout after repeated failed login attempts: 

The default “Lock account after” is 5 failed attempts for 5 minutes.

  1. A locked account remains inaccessible until it is either reset or the duration set by the account lockout duration policy elapses. 
  2. Deny login: determines the number of attempts (default 5 attempts) after which the user account is locked, as per the account’s policy. 
  3. After 5 consecutive unsuccessful attempts to log in to iMocha's products, the “Invalid Id or password.” message is displayed on the login page with a warning icon. 
  4. If the user tries to log in again before the 5 minutes have elapsed, the same message is displayed again when the login button is clicked. 
  5. Unlock time: sets the time (300 seconds = 5 minutes) for which the account remains locked, as per the account’s policy. 
  6. Once the 5 minutes have elapsed, if the user tries to log in with incorrect credentials, the regular validation messages are displayed until 5 consecutive invalid attempts occur, at which point the account is locked for another 5 minutes. The same cycle repeats until a successful login or a password reset. 
  7. This policy applies to all user roles and new users of client accounts whose password settings have “Enforce password change after…” enabled. 
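The expiry warning window and the lockout cycle described in the two flows above, as an added Python reference model (not iMocha's own code) using the page's defaults of 90 days, 10 days, 5 attempts and 300 seconds. The "Invalid credentials" text standing in for the "regular validation messages", and the function names, are assumptions.

```python
from dataclasses import dataclass

# Defaults stated in the policy above.
PASSWORD_MAX_AGE_DAYS = 90   # "Enforce password change after"
EXPIRY_WARNING_DAYS = 10     # "Days Before Password Expiry Warning"
LOCKOUT_THRESHOLD = 5        # failed attempts before the account is locked
LOCKOUT_SECONDS = 300        # unlock time: 300 seconds = 5 minutes
DAY = 86400                  # seconds per day


def password_status(changed_at: float, now: float) -> str:
    """'ok', 'warn' (daily expiry pop-up) or 'expired' (Forgot Password required).
    Both arguments are epoch seconds."""
    age_days = (now - changed_at) / DAY
    if age_days >= PASSWORD_MAX_AGE_DAYS:
        return "expired"
    if age_days >= PASSWORD_MAX_AGE_DAYS - EXPIRY_WARNING_DAYS:
        return "warn"
    return "ok"


@dataclass
class LockoutState:
    """Per-account counters; kept server-side so a client cannot reset them."""
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def attempt_login(state: LockoutState, password_ok: bool, now: float) -> tuple:
    """Apply the lockout rules; returns (login_allowed, message shown to the user)."""
    if now < state.locked_until:
        # Locked: rejected even with correct credentials until the window elapses
        # or an administrator resets the account; the same message on every retry.
        return False, "Invalid Id or password."
    if state.locked_until:
        # Lock window elapsed: the counter restarts and the cycle can repeat.
        state.failures, state.locked_until = 0, 0.0
    if password_ok:
        state.failures = 0
        return True, "OK"
    state.failures += 1
    if state.failures >= LOCKOUT_THRESHOLD:
        state.locked_until = now + LOCKOUT_SECONDS
        return False, "Invalid Id or password."
    return False, "Invalid credentials"  # assumed wording of the regular validation message


def admin_unlock(state: LockoutState) -> None:
    """Manual reset by the IT Security Manager clears the lock immediately."""
    state.failures, state.locked_until = 0, 0.0
```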

Initial password change after first login: 

  1. When a new user logs in for the first time, they are redirected to the Change password page under My Settings. 
  2. A “This account is using the default password; it is strongly recommended that you change your password” pop-up message is displayed. 
  3. The menu bar and the settings option are disabled until the password is changed and saved. After a successful save, the menu bar and the settings option are enabled and displayed. A confirmation email for successful password change is sent to the user. 
  4. This option does not apply to the users of talent.imocha.io, since the passwords are generated by default for the Talent portal. 
  5. This policy applies to all user roles and new users of client accounts whose password settings have “Enforce password change for first login” enabled. 

Enforce password history:

iMocha validates, in the change password settings, that the new password is not the same as the last password. 

Reset password and Change password: 

Reset password and change password apply the following validations: 

  1. Strong password: the minimum password length is increased to 10 characters. 
  2. The new password must meet the following criteria: 
    1. Be at least ten characters long 
    2. Contain one or more numbers 
    3. Contain a mix of one or more uppercase and lowercase letters 
    4. Include at least one of the special characters (!@#$%^&*) 
  3. The new password must not be the same as the current password. 
  4. The New password and Confirm password fields must match. 
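An added Python example (not iMocha's own validation code) that implements the Simple / Complex / Very Complex tiers from the options table and the reset/change password checks listed above. The function names are assumed, and the current-password check is passed in as a callable because a server should verify a candidate against the stored password hash rather than hold the current plaintext.

```python
SPECIAL_CHARACTERS = "!@#$%^&*"   # the special-character set listed in the policy
MIN_LENGTH = 10                   # minimum length for reset/change password


def complexity_failures(password: str, level: str = "simple") -> list:
    """Check a password against the Simple / Complex / Very Complex tiers from
    the options table. Returns the rules it fails (an empty list means it passes)."""
    failures = []
    if len(password) < 8:
        failures.append("at least eight characters")
    if not any(c.isdigit() for c in password):
        failures.append("at least one number")
    if level in ("complex", "very complex") and not any(c.isupper() for c in password):
        failures.append("at least one uppercase letter")
    if level == "very complex" and not any(c in SPECIAL_CHARACTERS for c in password):
        failures.append("at least one special character (!@#$%^&*)")
    return failures


def change_password_failures(new: str, confirm: str, current_matches) -> list:
    """Validations listed for Reset password / Change password.
    current_matches(candidate) must return True when the candidate equals the
    account's current password (e.g. by verifying against its stored hash)."""
    failures = []
    if len(new) < MIN_LENGTH:
        failures.append("be at least ten characters long")
    if not any(c.isdigit() for c in new):
        failures.append("contain one or more numbers")
    if not (any(c.isupper() for c in new) and any(c.islower() for c in new)):
        failures.append("contain a mix of uppercase and lowercase letters")
    if not any(c in SPECIAL_CHARACTERS for c in new):
        failures.append("include at least one of !@#$%^&*")
    if current_matches(new):
        failures.append("must not be the same as the current password")
    if new != confirm:
        failures.append("new password and confirm password must match")
    return failures
```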

Forgot Password: 

  1. The user receives a reset password link on entering the email address. 
  2. If the user does not access the reset link sent to their email within 24 hours, it expires. 
  3. If the user clicks the reset link after 24 hours, they are redirected to the reset-password blank page, and the message "Your password reset link is no longer valid. Request a new password reset link." is displayed. 
  4. If the user clicks the "new password reset" link, they are redirected to the forgot password page. 
  5. After a successful reset within 24 hours, if the user accesses the reset link from the email again, it displays the message "Your password is reset successfully. You can now login" on the blank page. 
  6. A confirmation email for a successful password reset is sent to the user. 

Success Criteria 

iMocha ensures that all security measures and vulnerability checks for the “Strong password policy” are satisfied, as required for the ongoing and upcoming RFPs handled by the sales team. 

Contact 

If you have any questions, comments, or requests concerning this Password Policy, please feel free to reach out to us at the following contact information: 

Email: support@imocha.io