There are several rules for logging in to our system:
- When logging in, a user provides a user name and password
- The user name is a non-blank, unique string containing just about any characters.
- The password is a non-blank, unique string containing just about any characters.
- If a user attempts to log in and provides a valid account but invalid password three times, their account is revoked, and can only be enabled by calling customer support
- However, if, for the same session, the user uses different account names, then the account will not be revoked (e.g. try to log in as brett1, brett1, brett2, three failed attempts but the user name is changed, no account gets revoked).
- Failed login accounts are not maintained between different sessions. E.g., a user opens up two browsers and fails to log in twice to brett1 in one window and fails to log in twice to brett1 in another browser, their account is not revoked.
- A user cannot login to a revoked account
- A user must change their password every 30 days, so if they attempt to log in and the password is expired, then the user must change their password before they can successfully log in
- A user cannot use any of their previous 24 passwords
- User accounts have a time stamp of the last time the account was used (logged in, logged out, password changed). If an account has not been used for 45 days, then the account becomes revoked and can only be enabled by calling customer support.
- Users can log in up to 4 times. If a user is already logged in 4 times, they can reset all logins and then login again.
Comments