Password policy

Last updated: Jun 12, 2026


Objective

The objective of this document is to define the measures and configurations implemented by Fluid Attacks in its internal password management. These measures are intended to ensure the strength and protection of passwords used in the system, following recommended security best practices.

Description

The internal password management policy at Fluid Attacks has been established to guarantee the security and protection of the organization's data and systems. Below are the specifications and configurations implemented.

Specifications

  • Minimum password length: Passwords must have a minimum length of 16 characters to increase complexity and resistance to brute-force attacks.
  • Character requirements: Passwords are required to contain at least 1 lowercase character, 1 uppercase character, 1 numeric character, and 1 special character. This helps diversify the elements that can be part of a password.
  • Password lifespan: A password lifespan of 6 months is established. If there is evidence of compromise, the password is changed immediately. This aligns with the latest updates to the NIST SP 800-63B guidelines.
  • Password expiration notification: Users will receive a notification 5 days before their password expires, reminding them to change it.
  • Password history count: A history of the previous 24 passwords is recorded to prevent the reuse of recent passwords.
  • Account locking after failed attempts: After 10 failed attempts, the user's account will be automatically locked to prevent brute-force attacks.
  • Automatic unlock time: Lockouts last 10 minutes, after which the account will automatically unlock.
  • Secure password verification: Passwords are checked to ensure they do not contain the username, first and last name, or common words to avoid the use of predictable passwords.
  • Password recovery: To recover a password, users must submit a ticket through the help channel for the IT team to process it.
  • Account lockout notification: Users will be notified by email if their account is locked due to failed attempts.
  • Email recovery token lifetime: The token sent for password recovery via email will expire after 60 minutes to ensure security.
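The complexity, predictability and lockout rules from the list above, expressed as a checker. This is an added example, not Fluid Attacks' own implementation; the common-word list and the use of Unix timestamps for lockout timing are assumptions made for the example.

```python
import string
from dataclasses import dataclass

# Parameters taken from the Specifications list above.
MIN_LENGTH = 16
MAX_FAILED_ATTEMPTS = 10
LOCKOUT_SECONDS = 10 * 60
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein"}  # constructed sample; a deployment would load a real dictionary

def check_password(candidate, username, first_name, last_name, common_words=COMMON_WORDS):
    """Return the list of policy violations; an empty list means the password is compliant."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase character")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    lowered = candidate.lower()
    # Predictability check: the password must not embed identity data or dictionary words.
    for label, word in (("username", username), ("first name", first_name), ("last name", last_name)):
        if word and word.lower() in lowered:
            problems.append(f"contains the {label}")
    for word in sorted(common_words):
        if word in lowered:
            problems.append(f"contains the common word '{word}'")
    return problems

@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # Unix timestamp; 0.0 means not locked

def record_failed_attempt(state, now):
    """Apply the lockout rule and return True if the account is locked after this attempt."""
    if state.locked_until:
        if now < state.locked_until:
            return True  # still inside the 10-minute lockout window
        state.failed_attempts = 0  # lockout expired: automatic unlock, counter starts over
        state.locked_until = 0.0
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.locked_until = now + LOCKOUT_SECONDS
        return True
    return False
```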

Configuration

The Fluid Attacks default password policy

Randomly generated passwords

Generated passwords must adhere to the organization's secure password policy. This requirement applies to all systems and applications used and managed by Fluid Attacks.

For newly created or reactivated accounts, Fluid Attacks uses randomly generated passwords, even if the system has a "User must change password at next login" policy implemented.

For these passwords, this configuration is applied:

  • Maximum length of 64 characters (if a system does not support this length, generated passwords shall use the maximum length that system supports)
  • Uppercase and lowercase letters
  • Numbers and symbols (if the system does not support specific symbols, the supported symbols shall be selected from the list available in the password generator)

Requirements

The following Fluid Attacks requirements apply to the controls described on this page:

Other secure authentication measures
