Password and account security settings

The following outlines how BQE CORE handles password and account lockout security configurations. These settings are designed to provide a balance between user convenience and data protection.

Enforce Password History

CORE does not track or retain a history of users' previous passwords. As a result, users are free to reuse any prior password without restriction.

Maximum Password Age

There is no password expiration policy in place. Users are not required to change their passwords on a regular basis.

Minimum Password Age

Users can change their passwords at any time. There is no enforced waiting period between changes.

Password Length

CORE enforces a minimum password length of 8 characters. There is no enforced maximum character limit.

Password Complexity Requirements

To ensure strong credentials, all passwords must meet the following criteria:

  • Must include at least one uppercase letter (A–Z)
  • Must include at least one lowercase letter (a–z)
  • Must include at least one digit (0–9)
  • Must include at least one special character from the following: ! @ # $ % ^ & * ( )
  • Must be at least 8 characters in length 

Password Storage and Encryption

Passwords are stored using forward-only hashing. This means:

  • Passwords are hashed one-way, so the stored value cannot be reversed (no decryption is possible)
  • There is no secret key to retrieve or decode the original password
  • Existing users continue to use the BQE encryption method
  • New users and existing users who update their login credentials are assigned the more secure irreversible password format 

Account Lockout Duration

If a user exceeds the allowed number of failed login attempts, their account will be locked for 10 minutes. During this time, the user will see the message:

Your account has been locked due to repeated failed sign-in attempts. Please try after 10 minutes.

Account Lockout Threshold

Accounts are locked after 5 consecutive failed login attempts. 

Reset Account Lockout Counter

If fewer than five failed attempts are made and no further attempts occur within 10 minutes, the failed attempt counter resets to zero. This means all 5 failed attempts must occur within a 10-minute window to trigger the lockout.
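
The lockout threshold, lockout duration and counter reset described above can be modelled as a small state machine and replayed over sign-in events. This is an added example, not BQE CORE code: the class and function names are hypothetical, the sample events are constructed, and it assumes the counter behaves as a sliding 10-minute window that a successful sign-in clears.

```python
from collections import deque
from datetime import datetime, timedelta

THRESHOLD = 5                      # failed attempts that trigger a lockout (from the page)
WINDOW = timedelta(minutes=10)     # window in which the failures must fall (from the page)
LOCKOUT = timedelta(minutes=10)    # lockout duration (from the page)


class LockoutModel:
    """Hypothetical model of one account's lockout state; not BQE CORE code."""

    def __init__(self):
        self.failures = deque()    # timestamps of recent failed sign-ins
        self.locked_until = None

    def attempt(self, when, password_ok):
        """Return 'locked', 'ok' or 'failed' for a sign-in attempt at `when`."""
        if self.locked_until is not None:
            if when < self.locked_until:
                return "locked"            # rejected regardless of password
            self.locked_until = None       # lockout has expired
        # Assumption: failures older than the window no longer count.
        while self.failures and when - self.failures[0] >= WINDOW:
            self.failures.popleft()
        if password_ok:
            self.failures.clear()          # assumption: success breaks the streak
            return "ok"
        self.failures.append(when)
        if len(self.failures) >= THRESHOLD:
            self.locked_until = when + LOCKOUT
            self.failures.clear()
        return "failed"


def replay(events):
    """Replay (minute_offset, password_ok) pairs; return the result of each."""
    start = datetime(2024, 1, 1, 9, 0)     # constructed base time
    model = LockoutModel()
    return [model.attempt(start + timedelta(minutes=m), ok) for m, ok in events]


# Constructed: five quick failures, a correct password while locked, one after.
BURST = [(0, False), (1, False), (2, False), (3, False), (4, False),
         (5, True), (14, True)]
# Constructed: four failures, an 11-minute pause, then one more failure.
SPACED = [(0, False), (1, False), (2, False), (3, False), (14, False), (15, True)]

if __name__ == "__main__":
    print(replay(BURST), replay(SPACED), sep="\n")
```

In the first sequence the correct password is rejected while the account is locked; in the second the pause empties the counter, so the fifth failure does not lock the account.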