If any of your users sign in to Empuls with a password (rather than through SSO), you can enforce a password policy that meets your organization’s security requirements: minimum length, character classes, expiry, and history (preventing reuse). The policy applies to every direct-login account on the tenant. SSO users authenticate at their identity provider and aren’t covered by Empuls’s password policy. Configure password policy from Admin Hub → Platform Settings → Security → Password Policy (it’s a sub-page of security settings).

Before you start

  • You must be a Super Admin.
  • If SSO is your only login method, only admin fallback accounts use passwords — keep policy strict for those.
  • Stricter policies can cause users to forget passwords more often; pair tighter policy with magic link / OTP so users have a passwordless fallback.

What you can configure

| Setting | What it controls |
|---|---|
| Minimum length | Smallest acceptable password (default 8; recommend 12+) |
| Require uppercase letter | At least one A-Z |
| Require lowercase letter | At least one a-z |
| Require digit | At least one 0-9 |
| Require special character | At least one of !@#$%^&*()_+-=... |
| Password expiry | Days before users must change passwords (default 90; off disables expiry) |
| Password history | Last N passwords that can’t be reused (default 5; recommended 12) |
| Force reset on first login | New accounts must set a new password before doing anything |
| Lockout after failed attempts | See security settings for lockout config |

Configure password policy

  1. Open Password Policy
     From the Security page in Platform Settings, click into the Password Policy card.
  2. Set minimum length
     Recommended: 12 characters for general use, 16+ for sensitive orgs.
  3. Toggle complexity requirements
     Enable uppercase, lowercase, digit, and special character requirements as needed.
  4. Set expiry
     Pick a number of days. Common: 90 days for regulated industries, off for orgs relying on SSO.
  5. Set history
     Pick how many recent passwords to block from reuse. Default 5 is fine; 12 if your auditors require it.
  6. Save
     The policy applies on the next password change. Existing passwords remain valid until expiry (if expiry is enabled).

What users see

When a user changes their password (voluntarily or at expiry), Empuls shows the active policy on the change form so they know what’s required. If they enter a password that doesn’t meet the policy, the form shows which rules are unmet (e.g., “Password must include a special character”) before submitting.

Expired passwords

When a user’s password reaches the expiry threshold:
  1. They see a banner on their next sign-in: “Your password expires in N days.”
  2. On the day of expiry, the next sign-in forces a password change.
  3. Until they change it, they can’t access Empuls.
You can manually expire a specific user’s password from their record on the Manage employees page (Action menu → Force password reset).

Limits and gotchas

  • The policy only applies to direct logins. SSO-authenticated users are not subject to it.
  • Increasing policy strictness retroactively (e.g., raising minimum length from 8 to 12) doesn’t invalidate existing passwords — they keep working until next change.
  • History applies forward only. If you enable history with N=12, the next 12 changes start tracking; previous passwords aren’t retroactively blocklisted.
  • Empuls cannot recover lost passwords. Users without MFA or recovery email need an admin reset.
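
The semantics above (rules checked only at change time, expiry as the only thing that retires an existing password, history tracked forward only) can be modelled in a few lines. This is an added example, not Empuls code or an Empuls API: the class and field names, the PBKDF2 hashing, and every error message except the special-character one quoted on this page are assumptions.

```python
import hashlib, hmac, string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

SPECIALS = "!@#$%^&*()_+-="  # only the characters the page lists; its list is truncated

@dataclass
class Policy:  # field names are hypothetical; defaults come from the settings table
    min_length: int = 8
    upper: bool = True
    lower: bool = True
    digit: bool = True
    special: bool = True
    expiry_days: Optional[int] = 90  # None models expiry switched off
    history: int = 5

def unmet_rules(p: Policy, pw: str) -> List[str]:
    """List every rule the candidate fails, the way the change form reports them."""
    checks = [
        (len(pw) >= p.min_length, f"Password must be at least {p.min_length} characters"),
        (not p.upper or any(c in string.ascii_uppercase for c in pw), "Password must include an uppercase letter"),
        (not p.lower or any(c in string.ascii_lowercase for c in pw), "Password must include a lowercase letter"),
        (not p.digit or any(c in string.digits for c in pw), "Password must include a digit"),
        (not p.special or any(c in SPECIALS for c in pw), "Password must include a special character"),
    ]
    return [msg for ok, msg in checks if not ok]

def digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    changed_on: date
    history: List[bytes] = field(default_factory=list)  # only changes made under the policy

    def must_change(self, p: Policy, today: date) -> bool:
        # Expiry is the only thing that retires an existing password;
        # its content is never re-checked against a stricter policy.
        return p.expiry_days is not None and today >= self.changed_on + timedelta(days=p.expiry_days)

    def change(self, p: Policy, pw: str, today: date) -> List[str]:
        errors = unmet_rules(p, pw)
        new = digest(pw, self.salt)
        recent = self.history[-p.history:] if p.history else []
        if any(hmac.compare_digest(new, old) for old in recent):
            errors.append(f"Password matches one of your last {p.history} passwords")
        if not errors:
            self.history.append(new)
            self.changed_on = today
        return errors
```

Because the history list starts empty, a password that was in place before tracking began is accepted once more; it is blocked only after it has been set again under the policy.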

Security settings

Other security controls (MFA, sessions, IP allowlist).

SSO overview

Federation that supersedes password policy.

OTP and magic link

Passwordless fallback.

Session management

Configure session timeouts alongside password rules.