Xoxoday enforces institution-defined password complexity requirements—including minimum length, character composition, expiration periods, password history, and account lockout thresholds—across both local and SSO-fallback authentication.

Password Complexity Controls in Xoxoday

Xoxoday supports fully configurable password policy settings that allow institutions to define and enforce specific security requirements aligned with their IT governance standards. Whether your organization follows ISO 27001 controls or SOC 2 Type II requirements, Xoxoday’s policy engine is built to accommodate them without custom development. Administrators can set a minimum password length—commonly 8 or more characters—and require specific character composition: uppercase letters, lowercase letters, numbers, and special characters. These requirements are enforced at the point of password creation and reset, so users cannot bypass them through the self-service flow.

Preventing Weak and Reused Passwords

Xoxoday includes controls to block common, breached, and dictionary-based passwords. A user attempting to set a password like “Password1!” or any credential appearing in known breach lists is automatically rejected—without manual IT intervention. Password history enforcement prevents users from cycling back to recent credentials. If your policy requires that the last 10 passwords cannot be reused, Xoxoday tracks and enforces that history across the account lifecycle. Password expiration and aging policies are also configurable—for example, requiring all users to reset passwords every 90 days, with automated prompts guiding users through the reset process before the window closes.

Account Lockout and Brute-Force Protection

Xoxoday enforces account lockout thresholds after a defined number of consecutive failed login attempts, limiting exposure to brute-force attacks and aligning with frameworks like SOC 2 Type II. Administrators configure the lockout duration and unlock accounts manually through the admin console when needed.

Per-Client Configuration and SSO Compatibility

All password policies in Xoxoday are configurable on a per-client basis, making it straightforward to apply different rulesets across business units or subsidiaries. These policies remain active across local authentication and in environments where SSO fallback or password-based access is enabled alongside identity providers such as Workday or SAP SuccessFactors. For organizations using Darwinbox or similar HCM platforms as their source of truth, Xoxoday’s administrative interface lets IT teams align password rules during onboarding—so security configurations are consistent from day one. Xoxoday also provides guidance through the onboarding process to ensure password complexity settings match your institutional IT security standards before go-live.

Learn more: Xoxoday Help Centre — Password

Does Xoxoday support Single Sign-On (SSO)?

Learn how Xoxoday integrates with SAML 2.0 and OIDC identity providers to enable SSO across your organization.

Does Xoxoday support multi-factor authentication (MFA)?

Understand how Xoxoday adds an extra layer of login security through MFA enforcement for all user accounts.