Password Complexity Settings
Password Complexity Defaults
This document explains the password-related entries that can be stored in the Defaults table.
These settings let you decide:
whether password validation should be skipped for some users
what the normal password rule is
whether some users should follow a stronger rule
whether internal users should follow their own rule
what message the user sees when a password does not meet the rule
The Short Version
If you only want one password rule for everyone, the main settings are:
VALIDPASSWORDEXPRESSION
VALIDPASSWORDTEXT
If you want a stricter rule for some users, also use:
USESTRONGVALIDATIONALWAYS or USESTRONGVALIDATION-[UserType]
STRONGPASSWORDEXPESSION
VALIDPASSWORDTEXTSTRONG
If you want internal users to follow their own separate rule, also use:
INTERNALPASSWORDEXPRESSION
VALIDPASSWORDTEXTINTERNAL
If no applicable custom password expression is set, the system falls back to:
minimum 6 characters
maximum 20 characters
How The System Chooses Which Rule To Use
The system works through the password settings in this order:
If SKIPEXTERNALPASSWORDVALIDATION is set to Y, external users skip the custom password-rule settings.
If the user is internal and INTERNALPASSWORDEXPRESSION has a value, that internal rule is used.
If strong validation is turned on and STRONGPASSWORDEXPESSION has a value, that strong rule is used.
Otherwise, if VALIDPASSWORDEXPRESSION has a value, the normal generic rule is used.
Otherwise, the system uses the built-in default of 6 to 20 characters.
What "Valid" And "Strong" Mean
VALIDPASSWORDEXPRESSION is the normal password rule.
STRONGPASSWORDEXPESSION is not a different type of rule. It is simply a second password rule that is used only when strong validation has been turned on.
In other words:
VALID... = the standard rule
STRONG... = an alternate rule that is used only when enabled
If both are configured, the system does not combine them. It chooses one based on the rule order above.
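The selection order and the "does not combine" behaviour described above, as an added example (not Softrip code). It assumes that "Y" enables each flag, that internal users are those with user type Internal, and that external users who skip the custom rules still get the built-in 6 to 20 character rule; the sample Defaults are constructed.

```python
import re

def value(defaults, key):
    """Return a Defaults entry, treating blank and missing the same way."""
    return (defaults.get(key) or "").strip()

def is_on(defaults, key):
    # Assumption: "Y" turns a flag on, as the page states for SKIPEXTERNALPASSWORDVALIDATION.
    return value(defaults, key).upper() == "Y"

def select_rule(defaults, user_type):
    """Return (source, expression); expression is None for the built-in 6-20 rule."""
    internal = user_type == "Internal"  # assumption: internal users have type "Internal"
    if not internal and is_on(defaults, "SKIPEXTERNALPASSWORDVALIDATION"):
        return ("BUILT-IN", None)  # assumption: skipped users still get the built-in rule
    if internal and value(defaults, "INTERNALPASSWORDEXPRESSION"):
        return ("INTERNALPASSWORDEXPRESSION", value(defaults, "INTERNALPASSWORDEXPRESSION"))
    strong_on = (is_on(defaults, "USESTRONGVALIDATIONALWAYS")
                 or is_on(defaults, "USESTRONGVALIDATION-" + user_type))
    if strong_on and value(defaults, "STRONGPASSWORDEXPESSION"):
        return ("STRONGPASSWORDEXPESSION", value(defaults, "STRONGPASSWORDEXPESSION"))
    if value(defaults, "VALIDPASSWORDEXPRESSION"):
        return ("VALIDPASSWORDEXPRESSION", value(defaults, "VALIDPASSWORDEXPRESSION"))
    return ("BUILT-IN", None)

def check(defaults, user_type, password):
    """Apply only the selected rule; the other rules are never consulted."""
    source, expression = select_rule(defaults, user_type)
    if expression is None:
        return source, 6 <= len(password) <= 20
    return source, re.fullmatch(expression, password) is not None

# Constructed sample Defaults: the "strong" rule asks for a digit but, unlike
# the standard rule, does not ask for an uppercase letter.
SAMPLE = {
    "VALIDPASSWORDEXPRESSION": r"^(?=.*[A-Z]).{8,20}$",
    "STRONGPASSWORDEXPESSION": r"^(?=.*\d).{10,20}$",
    "INTERNALPASSWORDEXPRESSION": "",
    "USESTRONGVALIDATION-Agent": "Y",
}

if __name__ == "__main__":
    for user_type in ("Agent", "Direct", "Internal"):
        print(user_type, check(SAMPLE, user_type, "lowercase12"))
```

Because only one rule is chosen, a password that the standard rule would reject is accepted for Agent users here; a strong expression should therefore restate every requirement it is meant to keep.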
Default IDs
| Default ID | Plain-English Meaning | When It Is Used | If It Is Blank Or Missing |
|---|---|---|---|
| SKIPEXTERNALPASSWORDVALIDATION | Tells the system to skip the custom password rules for external users when set to | Only matters for external users. | Treated as not enabled. In practice, the default behavior is |
| INTERNALPASSWORDEXPRESSION | The password rule for internal users. | Used only for internal users, and only if it has a value. | No internal-specific rule is used. The system moves on to the strong rule, then the standard rule, then the built-in 6 to 20 character rule. |
| USESTRONGVALIDATIONALWAYS | Turns on the strong password rule for everyone when set to | Checked before any user-type-specific strong setting. | Treated as |
| USESTRONGVALIDATION-[UserType] | Turns on the strong password rule for one user type when set to | Used only when | Treated as |
| STRONGPASSWORDEXPESSION | The stronger alternate password rule. | Used only when strong validation is turned on. | No strong rule is applied. The system falls through to |
| VALIDPASSWORDEXPRESSION | The normal password rule. | Used when no internal rule applies and no strong rule is active. | The system uses the built-in default rule of 6 to 20 characters. |
| VALIDPASSWORDTEXTINTERNAL | The message shown when the internal password rule fails. | Used when | No custom internal message is available. |
| VALIDPASSWORDTEXTSTRONG | The message shown when the strong password rule fails. | Used when | No custom strong-rule message is available. |
| VALIDPASSWORDTEXT | The message shown when the normal password rule fails. | Used when | No custom standard-rule message is available. |
Valid Values For [UserType]
The [UserType] part in USESTRONGVALIDATION-[UserType] should use the exact user type name.
The values most relevant to password rules are:
InternalDirectAgentCustomerVendorDirectApiTourAccounting
Examples:
USESTRONGVALIDATION-Internal
USESTRONGVALIDATION-Direct
USESTRONGVALIDATION-Agent
If you are using LDAP/LDAPS authentication in Softrip, password complexity requirements for internal users are defined in your Active Directory and these settings have no effect.
Optional Related Defaults
These are optional. Most clients will not need them unless they want more specific password failure messages.
| Default ID | Plain-English Meaning | If It Is Blank Or Missing |
|---|---|---|
| | A | No custom length-specific message is used. |
| | Individual password requirements that can be checked separately, such as "must include a number". | The system does not break the password rule into separate named requirements. |
| | The message tied to the matching | No separate rule-specific reason text is available. |
Recommended Simple Setups
If you want one standard rule for everyone:
Set VALIDPASSWORDEXPRESSION
Set VALIDPASSWORDTEXT
If you want one standard rule for everyone, but a stronger rule for selected user types:
Set VALIDPASSWORDEXPRESSION
Set VALIDPASSWORDTEXT
Set STRONGPASSWORDEXPESSION
Set VALIDPASSWORDTEXTSTRONG
Turn on USESTRONGVALIDATION-[UserType] for the user types that should use the stronger rule
If you want internal users to have their own rule:
Set INTERNALPASSWORDEXPRESSION
Set VALIDPASSWORDTEXTINTERNAL
Important Notes
STRONGPASSWORDEXPESSION is spelled exactly this way in the system. The spelling must match exactly.
VALIDPASSWORDEXPRESSION is the normal fallback custom rule.
If no matching custom expression is configured, the system still enforces the built-in rule of 6 to 20 characters.
Suggested Settings
Softrip suggests using strong password validation for all users with the following criteria:
8-20 characters
At least one of each:
Digit
Special character
Uppercase letter
Lowercase letter
The regular expression for password validation for these criteria is:
^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z\d]).{8,20}$
If this suggested setup meets your requirements:
Set VALIDPASSWORDEXPRESSION to ^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z\\d]).{8,20}$
Set VALIDPASSWORDTEXT to a user-facing message such as: Password must be 8 to 20 characters and include at least one uppercase letter, one lowercase letter, one number, and one special character.
Set SKIPEXTERNALPASSWORDVALIDATION to N
Remove or clear all other password-related settings
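A check of the suggested expression against constructed passwords before it is stored, added here as an example and not Softrip code. It assumes a regex engine that treats these constructs as Python's `re` does; `DOUBLED` shows the result if the doubled backslashes from the setup step reach the engine literally, which depends on how the Defaults value is stored and is not stated on this page.

```python
import re

# Expression as given under "Suggested Settings".
SUGGESTED = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z\d]).{8,20}$"
# The same expression with doubled backslashes, as it appears in the setup step.
DOUBLED = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[^A-Za-z\\d]).{8,20}$"

# Constructed passwords mapped to what the stated criteria say should happen.
CASES = {
    "Aa1!" + "x" * 4: True,    # 8 characters, all four classes
    "Aa1!" + "x" * 16: True,   # 20 characters
    "Aa1!" + "x" * 3: False,   # 7 characters, too short
    "Aa1!" + "x" * 17: False,  # 21 characters, too long
    "aa1!xxxx": False,         # no uppercase letter
    "AA1!XXXX": False,         # no lowercase letter
    "Aab!xxxx": False,         # no digit
    "Aa1xxxxx": False,         # no special character
}

def accepts(expression, password):
    """True when the whole password satisfies the expression."""
    return re.fullmatch(expression, password) is not None

def mismatches(expression, cases=CASES):
    """Passwords whose result differs from what the criteria promise."""
    return sorted(p for p, want in cases.items() if accepts(expression, p) != want)

def special_class_surprises(expression):
    """Characters that satisfy the 'special character' class without being punctuation."""
    return [c for c in (" ", "\t", "é") if accepts(expression, "Aa1" + c + "xxxx")]

if __name__ == "__main__":
    print("suggested:", mismatches(SUGGESTED))
    print("doubled:  ", mismatches(DOUBLED))
    print("counted as special:", special_class_surprises(SUGGESTED))
```

If the doubled form is evaluated literally, every compliant password without a backslash followed by `d` is rejected, so confirm with a test account which spelling the stored value needs.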