About the password policy and TOTP
Enable password and two-factor authentication policies for maximum security. Generally, you’ll want to set these policies at the realm level, where they will be applied to all accounts including realm administrator accounts. Just be aware that enabling a password policy automatically logs out all users from the system. You can enable individual, non-realm administrator accounts to override some aspects of realm authentication policies, if needed. See About Riverbed Support access.
When two-factor authentication is enabled, users will need to enter a random, auto-generated passcode in addition to their login credentials. Users can choose to receive passcodes through email, text messaging (SMS), or a time-based one-time passcode (TOTP) application on their mobile device.
If you plan to use a loopback method using mobile messaging (SMS), each administrator account must be configured with a mobile number.
All passwords must meet these requirements:
The password must meet or exceed the required minimum number of characters. By default, the minimum password length is eight characters. A realm administrator can change the minimum length.
The password must contain one uppercase character (A to Z).
The password must contain one lowercase character (a to z).
The password must contain one digit (0 to 9).
The password must contain at least one special character (~`!@#$%^&*()-_+={}[]|\;:"<>,./?).
The password cannot repeat any of the previous five passwords.
The password cannot contain personal details such as a name or a phone number.
These settings are available when the password policy is enabled:
Password expiration time (in days)—Specify the number of days the current password remains in effect. The default is 30. The maximum is 60. The minimum is 1. A password expiration warning will appear for every login when seven or fewer days remain in the expiration period. When a user fails to reset a password within the given expiration time, the administrator must reset the password for the next login.
Number of failed logins allowed—Restrict the number of failed login attempts by specifying the maximum number of unsuccessful login attempts before blocking user access to the realm. The user is prevented from further login attempts when the number is exceeded. The default is 3.
An error message appears on the login page after each failed login attempt. The error message shows the number of login attempts remaining before access to the realm is locked. When the login attempts exceed the number of failed logins allowed, the account is locked.
An administrator can click the Forgot Password link on the login page to unlock a locked account. Optionally, the user can ask the realm administrator to reset the password.
Resetting a password requires a registered email address or mobile phone number for the user. When a user doesn’t have a registered email address or mobile phone number, the realm administrator can specify a temporary password. A temporary password has no password characteristic requirements because it’s only used once. After the user has correctly entered the temporary password, they must immediately create a new password that complies with the password policy criteria.
Minimum length of password—Specify the minimum number of characters for the password length. The default is 8.
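The password requirements listed above can be pre-checked offline, for example before an administrator hands out or scripts a password change. The sketch below is an added example, not the product's own code: the function names, the salted PBKDF2 history records, reading "one" character as "at least one", and the substring rule for personal details are all assumptions.

```python
import hashlib
import hmac
import os

# Special characters exactly as listed in the requirements above.
SPECIALS = set("~`!@#$%^&*()-_+={}[]|\\;:\"<>,./?")
HISTORY_DEPTH = 5  # "cannot repeat any of the previous five passwords"


def hash_password(password, salt=None):
    """Salted PBKDF2 record (salt, digest); the storage format is an assumption."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password, history=(), personal=(), min_length=8):
    """Return a list of policy violations; an empty list means compliant.

    history  -- (salt, digest) records of earlier passwords, oldest first
    personal -- strings such as a name or phone number (hypothetical inputs)
    """
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("no uppercase")
    if not any("a" <= c <= "z" for c in password):
        problems.append("no lowercase")
    if not any("0" <= c <= "9" for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Only the five most recent records count; compare in constant time.
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reused password")
            break
    # Assumed rule: case-insensitive substring match; phone numbers are also
    # compared on digits only, so "555-0100" in a password matches "5550100".
    lowered = password.lower()
    pw_digits = "".join(c for c in password if c.isdigit())
    for detail in personal:
        d = detail.lower()
        digits = "".join(c for c in detail if c.isdigit())
        if (len(d) >= 3 and d in lowered) or (len(digits) >= 4 and digits in pw_digits):
            problems.append("contains personal detail")
            break
    return problems
```

Pass the realm's configured minimum length as `min_length` when it differs from the default of 8.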