Password Policies and User Access

WhosOnLocation’s User Administration and User Access Policies provide support for the requirements and compliance needs of publicly traded companies by ensuring robust password authentication and controlled system access to your WhosOnLocation account.

Organizations that must comply with OWASP, HIPAA, or the Sarbanes-Oxley Act (SOX) need a password authentication and user access management solution that provides the following capabilities:

  • Ensures User access to only those systems and applications required for their jobs;
  • Enforces strong password policies, especially for Users who have access to sensitive or protected records;
  • Ensures enterprise access privileges are removed when an employee leaves the organization;
  • Eliminates Users’ need to share authentication information with the Help Desk or IT staff for password reset or system access;
  • Automates password reset processes to eliminate human error; and
  • Ensures complete, accurate audit trails for all changes in access rights.

This policy looks at:

  • Password Standards and Reset Options in WhosOnLocation

WhosOnLocation's Head of Systems Security reviews and updates these procedures periodically in response to changes in industry standards, law, regulation, or WhosOnLocation policy.

Password Standards

Best practice and security auditors recommend that, to meet the minimum for compliance with standards like OWASP, HIPAA, and the Sarbanes-Oxley Act, passwords should:

  • Be a minimum of six, preferably eight, characters in length;
  • Be a combination of uppercase and lowercase letters;
  • Be mixed with numbers and symbols (!, @, #, $, for example);
  • Not contain personal information, such as the names of spouses or family members (including pets!), or any information that an attacker could easily derive about a user.

Passwords should be changed every 45 to 90 days and should be different every time.

The purpose of making passwords more complex and harder to guess is to defeat so-called dictionary attacks, in which an attacker who has obtained a file of password hashes tests them against lists of common dictionary words that people use as passwords.

WhosOnLocation recommends strong password use. We offer three levels of Password Security:

  • Simple: minimum of 6 characters;
  • Standard: (the default) minimum of 6 characters; combination of uppercase and lowercase letters;
  • Complex: (recommended) minimum of 8 characters; combination of uppercase and lowercase letters; mixed with at least one number and one symbol (!, @, #, $, for example).

WhosOnLocation Account Owners can set their Password Security Policy level under Tools > Account > User Access.
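The three levels above, together with the "no personal information" best-practice bullet, are simple enough to express as code. The following is an added illustration written for this page, not WhosOnLocation's own implementation: the level names, minimum lengths and example symbols come from the article, while the `PasswordPolicy` class, `check_password` and `strongest_level` functions, the broader symbol set and the optional `personal_terms` blocklist are constructed here to show how such a policy is enforced in practice.

```python
from dataclasses import dataclass

# Symbols accepted as the "symbol" class. The article names !, @, #, $ as examples;
# the rest of this set is our assumption about what a typical policy allows.
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


@dataclass(frozen=True)
class PasswordPolicy:
    """One password-security level, expressed as the checks it requires."""
    name: str
    min_length: int
    require_mixed_case: bool = False
    require_digit: bool = False
    require_symbol: bool = False


# The three levels as described in the article.
SIMPLE = PasswordPolicy("Simple", 6)
STANDARD = PasswordPolicy("Standard", 6, require_mixed_case=True)
COMPLEX = PasswordPolicy("Complex", 8, require_mixed_case=True,
                         require_digit=True, require_symbol=True)


def check_password(password: str, policy: PasswordPolicy,
                   personal_terms=()) -> list:
    """Return the list of violations; an empty list means the password complies.

    personal_terms is a caller-supplied, constructed list of words that must not
    appear in the password (family names, pet names, the company name). It
    implements the "no personal information" recommendation, which is not part
    of the three levels but is cheap to enforce alongside them.
    """
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if policy.require_mixed_case and not (has_lower and has_upper):
        problems.append("needs both uppercase and lowercase letters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    if policy.require_symbol and not any(c in SYMBOLS for c in password):
        problems.append("needs at least one symbol")
    lowered = password.lower()
    for term in personal_terms:
        # Case-insensitive substring match: "Rex2024!!" still contains "rex".
        if term and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    return problems


def strongest_level(password: str, personal_terms=()):
    """Name the strongest of the three levels the password satisfies, or None."""
    for policy in (COMPLEX, STANDARD, SIMPLE):
        if not check_password(password, policy, personal_terms):
            return policy.name
    return None


if __name__ == "__main__":
    # Constructed sample inputs; no real credentials.
    for candidate in ("abcdef", "Abcdef", "Abcdefgh1!", "Rex2024!!"):
        print(candidate, "->", strongest_level(candidate, personal_terms=["Rex"]))
```

Because the Standard level only adds a mixed-case requirement to Simple, a six-character mixed-case password meets Standard but fails Complex on three separate counts (length, number, symbol); returning the full list of violations rather than a single boolean lets the user interface tell the user everything they need to fix at once.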

Password Reset Options

WhosOnLocation recommends that passwords be changed every 45 days; however, we recognize that password reset policies vary from customer to customer. We offer the following options for forcing a password reset:

  • Do not force change: (the default) Users are not forced to reset their passwords;
  • After 30 Days: Users must change their password every 30 days;
  • After 45 Days: Users must change their password every 45 days;
  • After 90 Days: Users must change their password every 90 days;
  • After 180 Days: Users must change their password every 180 days;
  • After 365 Days: Users must change their password every 365 days.

Exceptions

Password Strength and Reset settings will not apply where the customer account manages User Access via Single Sign-on with JSON Web Token (JWT) or Single Sign-on with SAML.

Password login attempt limitation

To protect all accounts and Users, WhosOnLocation:

  • Does not allow internet browsers to remember User passwords and credentials.
  • Limits login attempts to 3, then blocks access from the User's IP address for 5 minutes.
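The lockout rule above (three failed attempts, then a five-minute block keyed on the source IP address) is a small piece of state that is easy to get subtly wrong, for example by letting a correct password through during the block or by never expiring the block. The following is an added example written for this page, not WhosOnLocation's code: the threshold and block length are the article's, while the `LoginThrottle` class, its injectable clock and the `block_events` list (a hook for feeding lockouts to monitoring) are constructed here.

```python
import time
from collections import defaultdict
from dataclasses import dataclass

MAX_ATTEMPTS = 3        # failed attempts permitted before the source IP is blocked
BLOCK_SECONDS = 5 * 60  # length of the block, as stated in the article


@dataclass
class _IpState:
    failures: int = 0
    blocked_until: float = 0.0  # 0.0 means "not blocked"


class LoginThrottle:
    """Per-source-IP failed-login throttle.

    After MAX_ATTEMPTS consecutive failures an IP is refused for BLOCK_SECONDS,
    regardless of whether later attempts carry the right password. `clock` is
    injectable so the expiry logic can be tested without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = defaultdict(_IpState)
        # (ip, blocked_at) tuples: the events an operator would forward to a SIEM,
        # since repeated blocks from one source are a password-guessing signal.
        self.block_events = []

    def is_blocked(self, ip: str) -> bool:
        st = self._state[ip]
        if st.blocked_until and self._clock() >= st.blocked_until:
            # Block has expired: forget it and start counting failures afresh.
            self._state[ip] = _IpState()
            return False
        return st.blocked_until > 0.0

    def record_attempt(self, ip: str, credentials_ok: bool) -> bool:
        """Process one login attempt; return True only if the login is accepted."""
        if self.is_blocked(ip):
            return False  # refused without consulting the credentials at all
        st = self._state[ip]
        if credentials_ok:
            self._state[ip] = _IpState()  # success clears the failure counter
            return True
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            now = self._clock()
            st.blocked_until = now + BLOCK_SECONDS
            self.block_events.append((ip, now))
        return False

    def seconds_remaining(self, ip: str) -> float:
        """Seconds until the block on `ip` lifts; 0.0 if it is not blocked."""
        if not self.is_blocked(ip):
            return 0.0
        return max(0.0, self._state[ip].blocked_until - self._clock())


if __name__ == "__main__":
    # Constructed demonstration sequence using a documentation-range address.
    throttle = LoginThrottle()
    source = "203.0.113.5"
    for ok in (False, False, False, True):
        print(source, "accepted" if throttle.record_attempt(source, ok) else "refused")
    print("blocked for", round(throttle.seconds_remaining(source)), "more seconds")
```

Two design points worth noting: the block is checked before the credentials, so a guessing campaign learns nothing about password correctness while blocked; and a successful login resets the counter, so an ordinary user who mistypes once does not carry that failure forward indefinitely.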

How to reset your Password

  1. Click the Forgot your password link.
  2. On the Change Password page, the User enters their Email Address.
  3. The User is automatically sent a confirmation email with a link to create a new password. This assumes the email address entered is a validated email address stored in the User's account.
  4. Once the User has received the email, they click the URL in the email body, which directs them to the Change Password page.

The User can then sign in to WhosOnLocation using their new password.
