| Summary: DocuShare password policy settings are configured from the Account Policies page in the Admin UI. This page controls password expiration, password content requirements, and the failed login behavior that can lock internal accounts after repeated unsuccessful sign-in attempts. |
Before You Begin
- Sign in with a DocuShare account that has permission to open Administration and change site-wide settings.
- Review whether your site uses internal DocuShare accounts, external directory accounts, or a mix of both.
- Plan changes during a maintenance window if your organization wants to notify users about upcoming password requirement changes.
| Important: The failed login lockout policy on this page applies only to internal users. If your site relies on external domains such as LDAP or Active Directory, those systems may enforce their own password and lockout rules separately. |
Where to Find the Password Policy Page
- Sign in to DocuShare as an administrator.
- Open Administration.
- Go to Site Management.
- Select Account Policies.
| Admin UI path: Administration > Site Management > Account Policies |
The Account Policies page is the central location for password expiration, password complexity requirements listed by DocuShare as Password Content rules, automatic logout behavior, and failed login lockout settings.
Password Expiration Settings
The Password Expiration section controls how long passwords remain valid and whether users must change them in specific situations.
| Setting | What it does |
| All passwords expire within specified days after creation | Sets the number of days a password remains valid before the user must create a new one. |
| Password change at first login | Requires users with newly created accounts to change their password the first time they sign in. |
| Password change after reset by administrator | Requires users to create a new password after an administrator resets their existing password. |
- Use a defined expiration period when your organization requires periodic password rotation.
- Enable first-login password change when administrators assign temporary passwords to new users.
- Enable change after administrator reset if help desk staff regularly issue temporary replacement passwords.
Password Content Rules
The Password Content rules section defines what a new password must contain before DocuShare accepts it. In this context, content rules means password composition rules, not document or repository content rules.
| Rule | Guidance |
| Minimum number of characters required | Sets the minimum password length. Increase this value to require longer passwords. |
| Alphabetic characters required? | Requires at least one letter in the password. |
| Numeric characters required? | Requires at least one number in the password. |
| Mixed-case characters required? | Requires at least one uppercase and one lowercase letter. |
| Punctuation characters required? | Requires at least one punctuation or special character. |
| Cannot include name | Prevents use of the username, first name, or last name, including forward or backward forms. |
| Cannot reuse previous password | Prevents a user from changing back to the same password they used before. |
| Practical approach: A common baseline is to combine a higher minimum length with alphabetic, numeric, mixed-case, and punctuation requirements. This usually strengthens passwords without making the policy difficult to explain to end users. |
Recommended Configuration Workflow
- Open the Account Policies page and review the current settings before making changes.
- Set the password expiration value that matches your organization policy.
- Enable the password content rules your organization requires, such as minimum length, numbers, mixed case, and punctuation.
- Decide whether users must change passwords at first login and after an administrator reset.
- Review the failed login lockout value for internal accounts.
- Save the changes and test with a non-administrative internal account before rolling the policy out broadly.
How to Validate the Policy
- Create or reset a test internal user account.
- Attempt to set a password that should fail, such as one that is too short or missing a required character type.
- Confirm that DocuShare rejects the password and prompts for a compliant one.
- Set a password that meets the configured rules and confirm it is accepted.
- If you enabled first-login password change or administrator-reset password change, verify that the user is prompted accordingly after sign-in.
Failed Login Policy on the Same Page
Account Policies also includes a Failed Login Policy setting labeled Lock account after failed login. This controls how many unsuccessful login attempts are allowed before an internal user account is locked.
If an internal user becomes locked out, the administrator can free the account by assigning a new password or by increasing the number of allowed login tries, depending on the site configuration and operating practice.
| Scope note: Failed login lockout on the Account Policies page does not replace directory lockout rules that come from an external identity provider. |
Troubleshooting
| Symptom | Next check |
| Users say a valid password is rejected | Review whether mixed-case, punctuation, numeric, and no-name rules are all enabled at the same time. One missing requirement is enough for the change to fail. |
| Users are prompted to change passwords sooner than expected | Confirm the expiration value in days and whether the account was created or reset recently. |
| An internal user account is locked | Review the failed login threshold and reset the user password if needed. |
| External directory users do not follow the same rules | Confirm whether password policy is being enforced by LDAP, Active Directory, or another external identity system instead of DocuShare. |