Password policy

Every MSP can configure a password policy applied to its own MSP-staff accounts: login, self-service reset, and admin-driven reset all run through the same validator.

What's configurable

  • Minimum length — 8 to 128. ACSC recommends 14+ for admin-capable accounts. Defaults to 12.
  • Character requirements — uppercase, lowercase, digit, symbol. Defaults enable upper/lower/digit; symbol is off by default (research consistently shows length beats complexity for password strength).
  • Block common passwords — rejects obvious passwords from leaked credential sets (Password123, Welcome1, Summer2026, etc.). Curated list of ~90 entries — catches the worst offenders without an external service dependency.

Enforcement surfaces

The same validator runs at every password-set site:

  • Change password (logged-in user changes own password) — validated before hashing.
  • Password reset (forgot-password flow) — validated when the reset link is used.

Admin-created temp passwords are generated by crypto.randomBytes with a high-entropy alphabet and are not re-validated — they are already far stronger than anything the policy could reject.

Policy change behaviour

Tightening the policy does not invalidate existing passwords. Enforcement applies on the next change. This avoids locking everyone out at once — but it also means you should pair a meaningful tightening with an out-of-band instruction asking staff to rotate at their next login.

Where to find it

/settings/security in the MSP portal. Requires settings:update — MSP Owner and MSP Admin roles have this by default.

What Manage365 does not do (yet)

  • Password history / reuse prevention. Not implemented — would require storing recent password hashes.
  • Forced rotation. Not implemented. NIST SP 800-63B actively discourages scheduled rotation without breach evidence.
  • HIBP Pwned Passwords check. Not plumbed in — the block list catches the obvious stuff and HIBP's API needs careful rate-limit management to be pleasant at login time.

MFA is mandatory for every MSP staff account and cannot be disabled. The password policy is defence-in-depth behind it.