Password Policy settings
Use the Password Policy tab on the Settings page to manage password rules for accounts.
Custom password policy rules are available only to FedRAMP and SAML SSO administrators.
The account owner manages the password rules and can change an account's password requirements at any time. If an account owner changes an account's password policy, users of that account are prompted to change their password if their current password no longer complies.
When a user attempts to sign into an account with a stricter password policy, they are given the option to change their password. Users who opt to change their password are redirected to the User Information page, which lists the new password policy rules the user must fulfill. Users are signed out of all sessions and returned to the sign in page after changing their password on any session.
Password and User Lockout Policy
After six incorrect sign in attempts, the user is locked from the account. The account administrator receives an email indicating which user account is associated with the lockout. Once a user account is locked due to too many unsuccessful sign in attempts, it remains locked indefinitely until the user resets their password.
Incorrectly entering user name or password credentials, 2FA codes, or 2FA backup codes all count towards your invalid sign in attempts. The user lockout policy is not configurable.
Upon getting locked out, a user can reset their password anytime by clicking the Reset your password link on the platform's sign in screen. To reset their password, the user is prompted to enter the email address associated with their user account. An email is then sent to the user with a link to reset their password. The email link is valid for 30 minutes only.
SSO users are locked from the platform when they enter six invalid API token entries. In some cases, SSO users may be able to use the Reset your password link while other cases require the account administrator to unlock the SSO user on their behalf. For more detailed information about how SSO users are unlocked from the platform, see the topic Single sign-on.
Changing user passwords
Some rules for passwords are fixed by Boomi, while other rules are at the account owner’s discretion.
Minimum password policy rules
These rules are managed by account owners and required by Boomi. If the account owner changes their password rules, users will have to choose a password that complies with the following:
- Passwords must have a minimum length of eight (8) characters.
- Passwords cannot consist solely of a sequence (such as 12345678 or abcdefgh), a repeated character (such as 11111111 or aaaaaaaa), or a keyboard pattern (such as qwertyui). However, you can have a password that consists of a mixture of upper and lower case characters in a sequence.
- Passwords cannot be common passwords, such as password, password123, changeme, administrator, etc.
If you received a system-generated password, you must change it the first time that you sign in.
For legacy users:
- If the minimum length restriction was previously outside the range of 8-18, that value will be honored until the account owner explicitly sets the new policy within the 8-18 range. If a user changes their password, they will have to choose a password that fulfills the character minimum.
- If a minimum length restriction was not previously set, a minimum length restriction of 8 characters will take effect.
Optional password policy rules
An account owner can set or edit any or all of the following additional password policies for an account:
- (Required) Passwords must have a minimum length. The default is set to 8. To edit the rule, select a number from 8-18.
- Passwords must not match any of the previous n passwords. Select a number from 1-120.
- Users can reset passwords at most five times every 24 hours.
- Passwords must expire. Select a number from 1-90 to define the period of time (in days) that a password can be used before a user is required to change it.
- Passwords must contain characters from at least two, three, or four of these groups: uppercase, lowercase, numeric, and special characters. Boomi previously enforced a password policy of two of three groups: alpha, numeric, and special characters.
  If the password policy is set to contain three or more groups, users are prompted to change their password to comply with this policy the next time they attempt to sign in. The following examples show passwords that would or would not comply with a policy set with three groups:
  - password1: this password contains characters from the lowercase and numeric groups, and so fulfills only two of the three groups. Therefore, this password would fail and requires a reset.
  - Password1: this password contains characters from the uppercase, lowercase, and numeric groups. This password meets the three-group requirement, and therefore complies.
- Passwords must not contain more than two consecutive sequences from the user ID.
- Passwords must not include repeated sets of two or more characters in sequence, such as a12x12.
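The minimum rules and the optional rules above, checked in code. This is an added example written for this page, not Boomi's own implementation: it assumes a small constructed sample of common passwords (the page's four examples), a constructed set of keyboard rows for the "keyboard pattern" rule (the page only shows qwertyui), a reading of the user-ID rule as "no run of three or more consecutive user-ID characters", and salted PBKDF2 digests for the previous-password history so that old passwords are never stored in the clear.

```python
import hashlib
import os
import re
from collections.abc import Sequence
from dataclasses import dataclass

# Constructed sample of common passwords taken from the page's examples; a real
# deployment would load a full list of breached/common passwords.
COMMON_PASSWORDS = {"password", "password123", "changeme", "administrator"}

# Assumed keyboard rows for the "keyboard pattern" rule; the page only shows qwertyui.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


@dataclass
class PasswordPolicy:
    """The knobs the page describes; defaults mirror the minimum policy (8 chars, 2 groups)."""
    min_length: int = 8        # page allows 8-18
    required_groups: int = 2   # 2-4 of: uppercase, lowercase, numeric, special
    history_depth: int = 0     # 0 disables the check; page allows 1-120


def _is_sequence(pw: str) -> bool:
    """Every character is exactly one code point above (or below) the previous one.
    Deliberately case-sensitive: the page allows mixed-case sequences such as AbCdEfGh."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def _is_keyboard_pattern(pw: str) -> bool:
    low = pw.lower()
    return any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def _group_count(pw: str) -> int:
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for test in tests if any(test(c) for c in pw))


def _contains_user_id_run(pw: str, user_id: str, run: int = 3) -> bool:
    """Assumed reading of 'more than two consecutive sequences from the user ID':
    reject any run of three or more consecutive user-ID characters (case-insensitive)."""
    low_pw, low_id = pw.lower(), user_id.lower()
    return any(low_id[i:i + run] in low_pw for i in range(len(low_id) - run + 1))


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history stores digests, never the old passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def record_password(pw: str, history: list[tuple[bytes, bytes]]) -> None:
    """Append (salt, digest) for a newly accepted password to the user's history."""
    salt = os.urandom(16)
    history.append((salt, hash_password(pw, salt)))


def validate_password(pw: str, user_id: str, policy: PasswordPolicy,
                      history: Sequence[tuple[bytes, bytes]] = ()) -> list[str]:
    """Return every rule the candidate password violates; an empty list means it complies."""
    problems: list[str] = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    elif _is_sequence(pw):
        problems.append("consists solely of a sequence")
    elif _is_keyboard_pattern(pw):
        problems.append("keyboard pattern")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if _group_count(pw) < policy.required_groups:
        problems.append(f"fewer than {policy.required_groups} character groups")
    # Any set of two or more characters that occurs twice, e.g. the "12" in a12x12.
    if re.search(r"(..+).*\1", pw):
        problems.append("repeated set of two or more characters")
    if user_id and _contains_user_id_run(pw, user_id):
        problems.append("contains a run of characters from the user ID")
    if policy.history_depth:
        recent = history[-policy.history_depth:]
        if any(hash_password(pw, salt) == digest for salt, digest in recent):
            problems.append(f"matches one of the previous {policy.history_depth} passwords")
    return problems


if __name__ == "__main__":
    # The page's own three-group examples: password1 fails, Password1 complies.
    policy = PasswordPolicy(required_groups=3)
    for candidate in ("password1", "Password1"):
        print(candidate, "->", validate_password(candidate, "jdoe", policy) or "complies")
```

Returning the full list of violations rather than a single boolean lets the sign-in flow show the user every rule they still need to satisfy, which is what the User Information page described above does. The sequence check is intentionally case-sensitive so that AbCdEfGh passes while abcdefgh does not, matching the exception the page spells out.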
For additional information on which roles can set and edit user management policies, refer to User roles and privileges.
Unified Login
Boomi also provides a unified login across products, allowing you to use a single set of credentials to access any Boomi service, including Platform, Boomi Go, Marketplace, and Flow. With unified login, custom password policies are no longer supported. We continue to recommend that you set up two-factor authentication on your account for added security.
To learn more, refer to Understanding Unified Login.