Password strength in Acquia Cloud

Acquia Cloud enforces a security policy for passwords used to access the Acquia Cloud interface. This security policy determines how strong (resistant to guessing) users’ passwords must be.

The password strength policy applies only to the Acquia Cloud interface, and does not apply to your Drupal websites.

Password requirements on Acquia Cloud

Acquia Cloud applies several rules to determine a password’s strength, which are based on the entropy (randomness) of the sequences in the password. All passwords used for accessing the Acquia Cloud interface must meet the following criteria:

  • Is at least 12 characters in length
  • Contains at least one capital letter
  • Contains at least one lowercase letter
  • Contains at least one special character
  • Does not reuse any of the user’s previous 24 passwords

Testing password security when changing passwords

As a user types a new password, the Acquia password policy system tests and reports the password’s strength. If a user attempts to create a password that does not satisfy Acquia’s password strength requirements, Acquia Cloud will display an error message that describes why the password strength is insufficient, such as the following message:

The following issues were detected with your password:
* It is fewer than 12 characters.
* It does not include at least 1 special character.

Protecting against brute-force attacks

The Acquia Cloud interface is also protected from brute-force attacks by the following policies that limit how many sign-in attempts can be made:

  • After three failed sign-in attempts during a 30-minute timeframe from a single user and IP address, that user name (email) and IP address combination is blocked from signing in for one hour.
  • After 50 failed sign-in attempts in an hour from a single IP address, that IP address is blocked from signing in for one hour.
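
The two sign-in limits above, modeled as an added Python example (not Acquia's implementation). It assumes sliding windows, that a block begins on the failure that reaches the limit, and that attempts made while blocked are not counted; SignInThrottle and its methods are hypothetical names.

```python
from collections import defaultdict, deque

USER_IP_LIMIT, USER_IP_WINDOW = 3, 30 * 60   # 3 failures in 30 minutes
IP_LIMIT, IP_WINDOW = 50, 60 * 60            # 50 failures in one hour
BLOCK_SECONDS = 60 * 60                      # both blocks last one hour


class SignInThrottle:
    """Hypothetical in-memory model; 'now' is a timestamp in seconds."""

    def __init__(self):
        self.failures = defaultdict(deque)   # key -> recent failure timestamps
        self.blocked_until = {}              # key -> time the block expires

    def is_blocked(self, user, ip, now):
        """True if the (user, ip) pair or the IP alone is currently blocked."""
        keys = ((user, ip), ip)
        return any(self.blocked_until.get(k, 0) > now for k in keys)

    def _record(self, key, now, limit, window):
        q = self.failures[key]
        q.append(now)
        while q and q[0] <= now - window:    # drop failures outside the window
            q.popleft()
        if len(q) >= limit:                  # assumption: limit reached => block
            self.blocked_until[key] = now + BLOCK_SECONDS
            q.clear()                        # count afresh once the block ends

    def record_failure(self, user, ip, now):
        """Count one failed sign-in against both rules."""
        self._record((user, ip), now, USER_IP_LIMIT, USER_IP_WINDOW)
        self._record(ip, now, IP_LIMIT, IP_WINDOW)

    def attempt(self, user, ip, now, password_ok):
        """Return 'blocked', 'ok' or 'failed' for one sign-in attempt."""
        if self.is_blocked(user, ip, now):
            return "blocked"                 # assumption: not counted as a failure
        if password_ok:
            return "ok"
        self.record_failure(user, ip, now)
        return "failed"
```

Because the per-IP counter is keyed separately from the user and IP pair, failures spread across many user names from one address still reach the 50-attempt limit.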