Canvas Guides (English)Canvas GuidesCanvas Admin GuideAuthenticationHow do I manage Canvas password requirements and login attempts for an account?

How do I manage Canvas password requirements and login attempts for an account?

If the Enhance password options setting is enabled in Account Feature Options, you can customize login policies in Authentication Settings. You can customize password requirements and control the number of login attempts allowed.

Notes:

  • Currently, users with existing passwords that do not comply with updated policies cannot be prompted to update their passwords. Passwords in Canvas are cryptographically hashed and not stored in plain text, making it impossible to identify password violations.
  • Administrators setting passwords on behalf of another user may not currently be required to follow the password requirements, depending on configuration options, which can only be activated by Instructure.
  • SIS imports of passwords may not currently be required to comply with the password requirements. SIS import errors may or may not occur after an SIS import, depending on configuration settings. If an institution is uploading passwords via SIS import, it is recommended to validate that the passwords meet the password requirements before uploading.

Open Account

Open Account

In Global Navigation, click the Admin link [1], then click the name of the account [2].

Open Authentication

Open Authentication

In Account Navigation, click the Authentication link.

Open Password Options

Manage Canvas Password Options

In the Password Options section of Authentication Settings, click the View Options button.

Note: The View Options button in the Password Options section is only available when the Enhance password options setting is enabled in Account Feature Options.

View Password Options

View Password Options

In the Password Options tray, you can view the current password requirements [1], edit password requirements [2], and manage login attempts [3].

Edit Password Requirements

Edit Password Requirements

By default, user passwords must include a minimum number of eight characters. To increase the minimum number of characters required in passwords, keep the Minimum character length checkbox enabled [1]. Then, enter a number in the minimum character length field or click the up and down arrows [2]. (The minimum character length must be at least eight and no greater than 255.)

To allow passwords of any length, click the Minimum character length checkbox to disable the length requirement.

To require user passwords to include numbers, click the Require number characters (0...9) checkbox [3].

To require user passwords to include symbols, click the Require symbol characters (ie. !@#$%) checkbox [4].

Customize Forbidden Words/Terms

Customize Forbidden Words/Terms

By default, some words/terms are forbidden; users cannot include them in their passwords. To view a list of the default forbidden words/terms, click the see default list here link [1].

To add your own words/terms to the default list of forbidden words/terms, click the Customize forbidden words/terms list checkbox [2]. Create a TXT file containing one word/term per line. Then, click the Upload button [3] and select the text file.

Manage Login Attempts

Manage Login Attempts

When a user exceeds the maximum number of login attempts, their account is suspended for five minutes. After five minutes, the user can try to log in again, but the user is not allowed more than 20 attempts.

By default, a single user is allowed ten unsuccessful consecutive login attempts before their account is suspended. To change the maximum number of allowed attempts before an account is suspended, click the Customize maximum login attempts checkbox [1]. Then, enter a number in the Maximum Login Attempts field or click the up and down arrows [2].

To require suspended accounts to be unsuspended by an institution admin, click the Make login suspension persistent checkbox [3].

Apply Password Options

Save Self Registration

Click the Apply button.

Settings Saved

A banner message confirms password setting changes.