Manage passwords

Configure password policies for users who authenticate with MAS using passwords.

Password policies control how users create, update, and use passwords in MAS.

You must have both the Merchant Admin and Manage User Policy roles to configure password settings.

These settings apply to all users who do not use SSO.

If you use Single Sign-On (SSO), password policies are managed in your identity provider. See Single Sign-On (SSO).

Password policy

Passwords must meet the following requirements:

  • Minimum length of 15 characters
  • At least one uppercase character
  • At least one lowercase character
  • At least one number
  • At least one symbol

Passwords are configured with the following security settings:

  • Users must change their passwords every 90 days
  • Users cannot reuse their last 10 passwords
  • The system locks accounts after 5 failed login attempts
  • Locked accounts remain inaccessible for 15 minutes

Changes apply immediately to all users in your organisation.

Password expiration

When a password expires:

  • The user cannot log in
  • The account is set to Disabled
  • The user must reset their password to regain access

For more information about user status, see Manage users.

Account lockout

If a user exceeds the failed login threshold:

  • The account is locked or disabled, depending on configuration
  • The user receives an email with next steps

Accounts can be unlocked by an administrator or reset by the user.

Security

Previous passwords are stored using a one-way hash and cannot be reused, based on the configured policy.
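
The following added example (not MAS code) shows how the complexity requirements under Password policy and the hashed password history described under Security can be checked together. The hash algorithm (PBKDF2-HMAC-SHA256), its iteration count, the definition of "symbol" as ASCII punctuation, and all function and class names are assumptions; the page does not state how MAS implements them.

```python
import hashlib
import hmac
import os
import string
from collections import deque

MIN_LENGTH = 15     # from the policy above
HISTORY_SIZE = 10   # "last 10 passwords"
SYMBOLS = set(string.punctuation)  # assumption: the page does not define "symbol"


def complexity_errors(password):
    """Return the policy requirements that `password` fails to meet."""
    checks = [
        (len(password) >= MIN_LENGTH, "minimum length of 15 characters"),
        (any(c.isupper() for c in password), "at least one uppercase character"),
        (any(c.islower() for c in password), "at least one lowercase character"),
        (any(c.isdigit() for c in password), "at least one number"),
        (any(c in SYMBOLS for c in password), "at least one symbol"),
    ]
    return [message for ok, message in checks if not ok]


class PasswordHistory:
    """Keeps salted one-way hashes of the most recent passwords, never plaintext."""

    def __init__(self, iterations=600_000):  # assumption: PBKDF2 work factor
        self.iterations = iterations
        self._entries = deque(maxlen=HISTORY_SIZE)  # oldest entry drops off

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def is_reused(self, candidate):
        # Each entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(self._digest(candidate, salt), digest)
                   for salt, digest in self._entries)

    def change(self, candidate):
        """Return policy violations; record the new hash only if there are none."""
        errors = complexity_errors(candidate)
        if self.is_reused(candidate):
            errors.append("matches one of the last 10 passwords")
        if not errors:
            salt = os.urandom(16)
            self._entries.append((salt, self._digest(candidate, salt)))
        return errors
```

Because each stored hash has its own salt, a reuse check costs up to ten hash computations per password change, which is worth budgeting for when choosing the work factor.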