If any of your users sign in to Empuls with a password (rather than through SSO), you can enforce a password policy that meets your organization’s security requirements: minimum length, character classes, expiry, and history (preventing reuse). The policy applies to every direct-login account on the tenant. SSO users authenticate at their identity provider and aren’t covered by Empuls’s password policy. Configure password policy from Admin Hub → Platform Settings → Security → Password Policy (it’s a sub-page of security settings).Documentation Index
Fetch the complete documentation index at: https://empuls.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
Before you start
- You must be a Super Admin.
- If SSO is your only login method, only admin fallback accounts use passwords — keep policy strict for those.
- Stricter policies can cause users to forget passwords more often; pair tighter policy with magic link / OTP so users have a passwordless fallback.
What you can configure
| Setting | What it controls |
|---|---|
| Minimum length | Smallest acceptable password (default 8; recommend 12+) |
| Require uppercase letter | At least one A-Z |
| Require lowercase letter | At least one a-z |
| Require digit | At least one 0-9 |
| Require special character | At least one of !@#$%^&*()_+-=... |
| Password expiry | Days before users must change passwords (default 90; off disables expiry) |
| Password history | Last N passwords that can’t be reused (default 5; recommended 12) |
| Force reset on first login | New accounts must set a new password before doing anything |
| Lockout after failed attempts | See security settings for lockout config |
Configure password policy
Open Password Policy
From the Security page in Platform Settings, click into the Password Policy card.
Toggle complexity requirements
Enable uppercase, lowercase, digit, and special character requirements as needed.
Set expiry
Pick a number of days. Common: 90 days for regulated industries, off for orgs relying on SSO.
Set history
Pick how many recent passwords to block from reuse. Default 5 is fine; 12 if your auditors require it.
What users see
When a user changes their password (voluntarily or at expiry), Empuls shows the active policy on the change form so they know what’s required. If they enter a password that doesn’t meet the policy, the form shows which rules are unmet (e.g., “Password must include a special character”) before submitting.Expired passwords
When a user’s password reaches the expiry threshold:- They see a banner on their next sign-in: “Your password expires in N days.”
- On the day of expiry, the next sign-in forces a password change.
- Until they change it, they can’t access Empuls.
Limits and gotchas
- The policy only applies to direct logins. SSO-authenticated users are not subject to it.
- Increasing policy strictness retroactively (e.g., raising minimum length from 8 to 12) doesn’t invalidate existing passwords — they keep working until next change.
- History applies forward only. If you enable history with N=12, the next 12 changes start tracking; previous passwords aren’t retroactively blocklisted.
- Empuls cannot recover lost passwords. Users without MFA or recovery email need an admin reset.
Related
- Security settings — Other security controls (MFA, sessions, IP allowlist).
- SSO overview — Federation that supersedes password policy.
- OTP and magic link — Passwordless fallback.
- Session management — Configure session timeouts alongside password rules.