SAP Knowledge Base Article - Public

2082045 - Manage External Password Policy and Candidate Login Attempts - Recruiting Management

Symptom

  • Can we set different Password Policies for our external recruiting candidates?
  • How to manage the maximum successive failed login attempts for External Candidates?

Images/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors Recruiting Management

Resolution

You now have the option to create separate password policies for internal users and external users. This option is useful if you want to have a more restrictive policy for internal users but, for convenience, a more relaxed policy for external users.

  • How to enable this functionality?

If the functionality "Manage External Password Policy" is not available in Admin Center, please contact your Implementation Partner or SAP SuccessFactors Support to have it enabled in Provisioning: Company Settings > Enable Separate Password Policy for External Candidates.

The feature has to be permissioned accordingly:

RBP: Admin Center > Manage Permission Roles > select a Role > Permission > Manage Recruiting > Manage External Password Policy permissions > Done

Non-RBP: Admin Center > Manage Recruiting Administration > Check the box Manage External Password Policy and grant permission

  • How to configure "Manage External Password Policy"?


The rules specified will be made visible to candidates on the account creation screen if the candidate hovers over the Password Policy link.


When the external password policy is in use, the candidate will see a bar next to their password field indicating their password strength and the point where their password becomes acceptable.


| Option | Recommended | Function |
|---|---|---|
| Minimum Length | 8 | Minimum number of characters the password must contain to be acceptable |
| Maximum Length | 18 | Maximum number of characters the password may contain |
| Maximum Successive Failed Login Attempts. If you have previously disabled this feature by setting the value to 0, it has now been enabled and the default value is set to 10. It is not possible to disable this feature for security reasons. You must set a number greater than "0" as the value of this field. | 5 | Specifies how many attempts can be made within 60 seconds before the account is locked. The configured value must be greater than "0". If the candidate or agency user tries and fails all of the specified number of attempts, their user account will be locked. This account can then be unlocked by using the "Forgot Your Password?" link on the login page. |
| Case Sensitive (recommended) | Checked | Causes the password to distinguish between capitalized and non-capitalized letters |
| Mixed Case required (will be ignored if Case Sensitive is not checked) | Checked | Requires that the password contain at least one capitalized and at least one non-capitalized letter |
| Non-alpha characters required | Checked | Requires that the password includes at least one character other than a letter |

  • How to set up the "Maximum Successive Failed Login Attempts"?
  1. Go to Admin Center
  2. Go to Manage External Password Policy
  3. Set a Maximum Successive Failed Login Attempts


Note:

  • Due to security concerns, the system now enforces a limit on the maximum successive failed login attempts. Previously, setting this field to 0 meant that this was not enforced.

  • If the setting is 10, it means that if a user tries unsuccessfully to log in more than 10 times in one minute, their account will be locked, and they won’t be able to log in to their Candidate Profile. They are given the following message on the login screen: "You have been locked out of your account because of too many failed login attempts. To have your account re-activated use the 'Forgot your password?' link below." This message is not configurable, and it sufficiently conveys to legitimate users the next steps for unlocking the account and resetting the password.

  • The highest value that can be set for Maximum Failed Login Attempts is 30.
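
The lockout rule described in the notes above can be modelled as follows. This is an added illustration in Python, not SAP SuccessFactors code: the class and function names are hypothetical, and it assumes that the account locks once failures inside the 60-second window reach the configured value and that a successful login ends the streak.

```python
from collections import deque

WINDOW_SECONDS = 60           # the page: attempts are counted "within 60 seconds"
MIN_LIMIT, MAX_LIMIT = 1, 30  # the page: value must be greater than 0, at most 30


class LockoutTracker:
    """Illustrative model only; class and method names are hypothetical."""

    def __init__(self, max_failed_attempts):
        if not MIN_LIMIT <= max_failed_attempts <= MAX_LIMIT:
            raise ValueError("limit must be 1..30; 0 no longer disables lockout")
        self.limit = max_failed_attempts
        self.failures = {}    # account -> deque of failure timestamps (seconds)
        self.locked = set()

    def record_attempt(self, account, success, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now`."""
        if account in self.locked:
            return "locked"              # even a correct password is refused
        recent = self.failures.setdefault(account, deque())
        if success:
            recent.clear()               # "successive": a success ends the streak
            return "ok"
        recent.append(now)
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()             # drop failures older than the window
        if len(recent) >= self.limit:    # assumption: lock on reaching the limit
            self.locked.add(account)
            return "locked"
        return "failed"

    def reset_password(self, account):
        """Models the 'Forgot your password?' flow, the unlock path the page describes."""
        self.locked.discard(account)
        self.failures.pop(account, None)


def replay(limit, events):
    """Replay constructed (account, success, timestamp) events; return the outcomes."""
    tracker = LockoutTracker(limit)
    return [tracker.record_attempt(a, ok, t) for a, ok, t in events]

# Constructed sample data: five failures in 8 seconds, then failures 30 seconds apart.
BURST = [("cand@example.com", False, t) for t in range(0, 10, 2)] + [("cand@example.com", True, 12)]
SLOW = [("cand@example.com", False, t) for t in range(0, 150, 30)]

if __name__ == "__main__":
    print(replay(5, BURST), replay(5, SLOW))
```

In this model the burst locks the account on the fifth failure, while failures spaced 30 seconds apart never accumulate inside one window, so reviewing cumulative failed logins remains a separate control.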

See Also

2088622 - Passwords: The Security of our Passwords - Platform

2420640 - Passwords: Configuring Password & Login Policy Settings - SuccessFactors Platform

2088609 - Passwords: Is there a secure way to give a new user their password? - Platform

2081617 - Employee to Candidate Deconversion - Recruiting Management

2080916 - Application Mass Actions - Recruiting

Keywords

SF, Success Factors, RCM, external candidate, login attempt, candidate account, external career site, primaryEmail, contactEmail, candidate locked, candidate login, KBA, sf passwords, sf candidate, sf recruiting admin tools, sf recruiting management, sf external candidates, sf recruiting troubleshooting, LOD-SF-RCM, Recruiting Management, How To

Product

SAP SuccessFactors Recruiting all versions