Password policies

In order for Fusion to be compliant with your organisation’s security policies, you can now configure a custom password policy which user’s must comply with.

Fusion’s default password policy has rules such as a minimum length of 8 characters, a mixture of uppercase, lowercase, numeric, and symbol characters to create secure passwords. However, some clients have a more strict password policy in play and require their users to create more stringent passwords.

Setting a password policy

If you wish to enable a password policy for your system, follow the below steps:

*To enable a password policy, your login must have the ‘Configure password policy’ permission. This is typically only available to logins with the Administrator role applied.

1. Once logged into Fusion Back Office, navigate to System settings > Logins.
2. Click the Password policy button from the top-right of the screen.
   
3. Click the Add policy button from the bottom-left corner of the Password polices window.
   
4. Configure as required:
   
   • Start date: The date from which the created policy will be enforced. (Required)
   • Minimum password length: Created passwords must be equal to or greater than this value. (Minimum 6)
   • Minimum lowercase characters: Created passwords must contains at least this many lowercase (a-z) characters. (Minimum 1)
   • Minimum uppercase characters: Created passwords must contains at least this many uppercase (A-Z) characters. (Minimum 1)
   • Minimum numeric characters: Created passwords must contains at least this many numeric (0-9) characters. (Set to 0 to turn off)
   • Minimum symbol characters: Created passwords must contains at least this many symbol (e.g. £$&*!%@) characters. (Set to 0 to turn off)
   • Login name check: The password must not contain this many sequential characters from the username. For example, if this is set to 5 and the username is ‘admin’, a password of ‘Admin@123’ would not be allowed but ‘Adm@123in’ would be ok. (Set to 0 to turn off)
   • Minimum password age (days): This setting stops the user from changing their password if the password is not at least this many days old. This is typically used when a policy does not allow a user to re-use any of the most recent (e.g. 5) passwords. Setting this value to 1 would stop a user changing their password more than once on the same day in an attempt to get back a password they were using previously. Admins can still set a password for the user manually during this period if required. (Set to 0 to turn off)
   • Maximum password age (days): After this many days have passed since the user set their password, they will be forced to change when next log in. This does not affect a user logging into the PoS using a PIN, card or fingerprint. (Maximum allowed is 365 days. Set to 0 to turn off)
   • Maximum number of previous passwords: When set, a user cannot use one of their last ‘x’ passwords. For example, setting this to 5 would mean that a user cannot use one of their 5 most recent passwords. (Maximum value is 12. Set to 0 to turn off)
5. You can test your created password policy on the right-hand side of the window. Once you are happy with the created policy press the Save button.
6. Press Done to complete the process.

*Things to note: Unless a password policy has been created, the existing password policy will continue to be used. After a policy has been created, any new passwords created on or after the start date must meet the rules specified. Any users logging in, on or after the start date of a policy, will be forced to change their password if it does not meet the new policy requirements.

Managing password policies

After a password policy has been configured, you may wish to create a new one, edit an existing one, or even remove one and return to the default password policy. These options are available within the Password policy screen which is accessed via the login screen discussed above.