Default Policy
The default password policy by Visma is listed below.
If you want to customize the password policy for your company's own email domain(s), you can do so in Authentication Settings, provided your company has access to it.
Feature | Setting |
---|---|
Password minimum length | 8 |
Minimum required digit (0-9) characters | 1 |
Minimum required uppercase (A-Z) characters | 1 |
Minimum required lowercase (a-z) characters | 1 |
Minimum required special characters | 1 (!"#$%&'()*+,-./:;<=>?@[]^_`{\|}~ plus language-specific special characters) |
User may change password | yes |
Keep password history. Remember n passwords | 5 |
Lockout account after n login failures | 8 |
Reset failure count after n minutes | 10 |
Lockout duration n minutes | 30 |
Password expires after n days | no expiry |
Expiration warning after login is shown n days before password expires | n/a |
Compromised Password Prevention
To strengthen account security, Visma Connect checks all new and updated passwords against the “Pwned Passwords” dataset maintained by Have I Been Pwned. This dataset contains hundreds of millions of passwords exposed in known data breaches around the world. Using a password from this list—even if it meets complexity rules—significantly increases the risk of compromise, so it is forbidden.
If the password is found in the breached list, it is rejected immediately, and the user must select a different one. This measure aligns with best-practice guidelines, including NIST recommendations, to block “previously breached” passwords.
In addition, whenever the Pwned Passwords dataset is updated, Visma Connect re-checks active accounts against the new version during the next login. If a user’s current password appears in the updated compromised list, the user will be prompted at login to change it before continuing (example screenshot below).
This check is a mandatory part of the security framework and cannot be disabled in a custom password policy. This ensures a consistent baseline of protection across all accounts.
By enforcing this policy, Visma Connect reduces the risk of credential-stuffing attacks and ensures that even strong-looking passwords are truly unique and safe. This approach helps protect both user accounts and the broader security of our systems.
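The sketch below is an added example, not Visma Connect code: it shows why the complexity rules from the default policy table and the breached-password check are evaluated independently. The page does not describe how Visma Connect performs the lookup; the example assumes the hash-prefix range format published by the Pwned Passwords service (`SUFFIX:COUNT` lines per 5-character SHA-1 prefix), uses a constructed offline stand-in for the dataset, covers only the ASCII special characters from the table, and all function names are hypothetical.

```python
import hashlib
import string

# Complexity values from the default policy table above.
MIN_LENGTH = 8
SPECIALS = "!\"#$%&'()*+,-./:;<=>?@[]^_`{|}~"  # ASCII set only (assumption)
REQUIRED = {  # character class -> (allowed characters, minimum count)
    "digit": (string.digits, 1),
    "uppercase": (string.ascii_uppercase, 1),
    "lowercase": (string.ascii_lowercase, 1),
    "special": (SPECIALS, 1),
}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def complexity_failures(password):
    """Return the default-policy rules this password does not meet."""
    failures = ["length"] if len(password) < MIN_LENGTH else []
    for name, (chars, minimum) in REQUIRED.items():
        if sum(c in chars for c in password) < minimum:
            failures.append(name)
    return failures

def breach_count(password, fetch_range):
    """Look the password up by hash prefix; only 5 hex chars leave the caller."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0

def check_new_password(password, fetch_range):
    """Complexity and breach checks are independent; both must pass."""
    reasons = complexity_failures(password)
    if breach_count(password, fetch_range) > 0:
        reasons.append("breached")
    return reasons

# Constructed sample data standing in for the breached-password dataset.
SAMPLE_BREACHED = {"P@ssw0rd": 1000, "Summer2024!": 25}

def sample_fetch_range(prefix):
    """Hypothetical offline stand-in for a range lookup: SUFFIX:COUNT lines."""
    rows = [(sha1_hex(p), n) for p, n in SAMPLE_BREACHED.items()]
    return "\n".join(f"{h[5:]}:{n}" for h, n in rows if h.startswith(prefix))
```

With the constructed data, `check_new_password("P@ssw0rd", sample_fetch_range)` returns `["breached"]`: the password satisfies every complexity rule in the table and is still rejected.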