Password Management Policies

The Password Management Policies plugin allows helpdesk Administrators to enforce custom password requirements for Agents and Users in the helpdesk.

First, you must download the plugin from our website. Please make sure you select the appropriate version of osTicket before proceeding to the plugin selection. Once downloaded, upload the plugin to your server and place it in the include/plugins/ folder. Make sure the plugin has appropriate file permissions and ownership so the webserver can read and execute.

Now you can install the plugin by logging into your helpdesk and navigating to Admin Panel > Manage > Plugins. Click Add New Plugin and click Install next to the desired plugin.

Add New Plugin

Install Plugin

To enable the plugin click on the name of the plugin in the list of installed plugins, set Status to Active, and Save Changes.

Enable Plugin

Once the plugin has been installed and enabled, it can be configured by going to:

Admin Panel | Manage | Plugins | Password Management Policies | Instances

All Plugins

Password Management Policies Instances

To add a new instance simply click Add New Instance. Give the new instance any Name you want, set the Status to Active, and click the Config tab to start configuring the instance.

Add New Password Management Policies Instance

Password Management Policies Configuration

The following configurations can be set for passwords:

Minimum length

Passwords must have at least the amount of characters specified here.

Character classes required

The different classes referenced here are uppercase characters, lowercase characters, numbers, and special characters (Ex: @,#,$,>,etc.).
Depending on the option you choose here, (2, 3, or 4), passwords must contain characters in at least that many classes.

Character Class Options

Password with two classes:

Password with three classes:

Password with four classes:

Password strength

Password Strength Options

For password strength, you can choose to accept any strength, or you can choose to specify that passwords must have a strength that is at least weak, good, strong, or awesome.
The strength of a password depends on characters used, the case of characters used i.e. uppercase or lowercase, and the length of the password.
The easiest way to increase password strength is to use different classes for the characters in a passsword. The less classes used, the more the length of the password would need to be
to meet the strength requirement. You can read more about password strength here.

Enforce on login

If you choose to enforce the password policy on login, Agents and Users will be prompted to update their password to meet the requirements of the policy before using the helpdesk.

Enforce on Login

Password reuse

By default, the password policy plugin is configured to force Agents/Users to create new passwords when resetting them, however, an Administrator can check this box to allow the same password to be used multiple times.

Password expiration

Password Expiration Options

This gives Administrators the option to choose how often Agents/Users should be required to change their password. By default, this option is set to where passwords never expire.

Setting the Password Policy

Once the password policy has been configured, the Administrator can choose the policy for Agents and/or Users.

To use the password policy for Agents, go to:
Admin Panel | Settings | Agents | Password Policy | Password Management Plugin

Agent Password Policy

To use the password policy for Users, go to:
Admin Panel | Settings | Users | Password Policy | Password Management Plugin

User Password Policy

Note: ‘Default Basic Policy’ refers to the legacy policy that was put in place prior to the current version of osTicket. The previous policy allowed Administrators to set the
password expiration for Agents. If none was set up previously, passwords in the current help desk will never expire.