Password Requirements
User-generated passwords are required to be at least 8 characters in length.
Users can create passwords up to 256 characters in length.
All ASCII/Unicode characters are allowed, including emojis and spaces.
Stored passwords are hashed and salted, and never truncated.
Prospective passwords are compared against password breach databases and rejected if there’s a match.
Passwords do not expire.
Users are allowed 10 failed password attempts before being locked out of a system or service.
Passwords do not have hints.
Complexity rules, such as requiring special characters, numbers or uppercase letters, are not enforced.
You have probably noticed that some of these recommendations represent a departure from previous assumptions and standards.
For example, NIST has removed complexity requirements like special characters in passwords; this change was made in part because users find ways to circumvent stringent complexity requirements.
Instead of struggling to remember complex passwords and risking getting locked out, they may write their passwords down and leave them near physical computers or servers.
Or they simply recycle old passwords based on dictionary words by making minimal changes during password creation, such as incrementing a number at the end.
For portal users, if the wrong credentials are provided, they will be locked out and eventually banned.
The number of attempts and the lockout duration for each are listed below.
The first 2 failed attempts have no built-in delay.
3 attempts, 1 minute lockout.
4 attempts, 2 minute lockout.
5 attempts, 3 minute lockout.
6 attempts, 4 minute lockout.
7 attempts, 5 minute lockout.
8 attempts, 6 minute lockout.
9 attempts, 7 minute lockout.
10 attempts, the user will receive an error message “Too many failed login attempts. Account Disabled”.
The user is then banned from access; an instance administrator can unban the user, or the ban can be left to run out.
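The portal lockout schedule above, modelled as a small state machine. This is an added example, not the portal's own code. The names LoginState, attempt and unban are hypothetical, and the reset on successful login and the handling of attempts made during a lockout are assumptions. The page does not give the ban duration, so only the administrator unban is modelled.

```python
from dataclasses import dataclass
from typing import Optional
import time

# Lockout minutes keyed by consecutive failed-attempt count, as listed on this page.
LOCKOUT_MINUTES = {3: 1, 4: 2, 5: 3, 6: 4, 7: 5, 8: 6, 9: 7}
BAN_THRESHOLD = 10
BAN_MESSAGE = "Too many failed login attempts. Account Disabled"


@dataclass
class LoginState:
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    banned: bool = False


def attempt(state: LoginState, password_ok: bool, now: Optional[float] = None) -> str:
    """Apply one login attempt to `state` and return the outcome."""
    now = time.time() if now is None else now
    if state.banned:
        return BAN_MESSAGE
    if now < state.locked_until:
        # Assumption: attempts made during a lockout are rejected without
        # being verified or counted, so a correct guess cannot get through.
        return f"locked for {int(state.locked_until - now)}s"
    if password_ok:
        # Assumption: a successful login resets the failure counter.
        state.failures = 0
        state.locked_until = 0.0
        return "ok"
    state.failures += 1
    if state.failures >= BAN_THRESHOLD:
        state.banned = True
        return BAN_MESSAGE
    minutes = LOCKOUT_MINUTES.get(state.failures, 0)  # attempts 1-2: no delay
    state.locked_until = now + minutes * 60
    return f"failed, locked {minutes} min" if minutes else "failed"


def unban(state: LoginState) -> None:
    """Administrator action: clear the ban and the failure history."""
    state.failures, state.locked_until, state.banned = 0, 0.0, False
```

Passing `now` explicitly lets the schedule be exercised in tests without waiting out real lockouts.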