Xoxoday requires passwords of at least 8 characters including an uppercase letter, a special character from # $ % * &, and a numeric digit, enforces a mandatory rotation every 45 days, and automatically locks accounts after three consecutive failed login attempts.
Password Policy Overview
Password security is a foundational control in enterprise access management. Xoxoday enforces a structured password policy covering complexity, rotation schedules, and brute-force protections — addressing requirements commonly evaluated under ISO 27001 and SOC 2 Type II audits. These controls apply across all account types and are not configurable by individual users.

Complexity Requirements
Every Xoxoday account password must satisfy four criteria at the point of creation or reset: a minimum length of 8 characters, at least one uppercase letter, at least one numeric digit, and at least one special character drawn from the permitted set: # $ % * &. All four conditions must be met simultaneously; partial compliance is rejected at input.
Consider an HR administrator onboarding your organisation onto Xoxoday after provisioning users from SAP SuccessFactors or Darwinbox. Before gaining access to configure a recognition programme, that administrator must set a password that clears every complexity rule. The same requirement applies whether access comes through a direct login or an integration with Microsoft Teams or Slack.
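As an added example (not Xoxoday's own code), here is a small reference implementation of the three controls the policy states: the complexity check uses exactly the permitted special-character set, the expiry check treats a password as due for rotation once it reaches 45 days of age, and the lockout tracker counts consecutive failures per account and locks on the third. Function names, the in-memory state and the sample inputs are assumptions for illustration.

```python
from datetime import date, timedelta

# Policy values as stated on this page.
MIN_LENGTH = 8
PERMITTED_SPECIALS = set("#$%*&")   # only these count as special characters
ROTATION_DAYS = 45
MAX_FAILED_ATTEMPTS = 3


def check_complexity(password: str) -> list[str]:
    """Return the names of unmet rules; an empty list means the password is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in PERMITTED_SPECIALS for c in password):
        failures.append("special")   # e.g. '!' or '@' does not satisfy the rule
    return failures


def is_expired(last_changed: date, today: date) -> bool:
    """True once the password has reached the 45-day validity limit (assumed inclusive)."""
    return today - last_changed >= timedelta(days=ROTATION_DAYS)


class LoginGuard:
    """Per-account consecutive-failure counter; locks the account on the third failure."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def attempt(self, user: str, success: bool) -> str:
        if user in self.locked:
            return "locked"          # nothing is evaluated until re-authentication
        if success:
            self.failures[user] = 0  # a successful login resets the consecutive count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user)
            return "locked"
        return "denied"

    def unlock(self, user: str) -> None:
        """Called after the secure re-authentication step; clears lock and counter."""
        self.locked.discard(user)
        self.failures[user] = 0
```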
Password Expiry and Rotation
Xoxoday sets password validity at 45 days. When a password reaches this age, users are prompted to create a new one before proceeding. This rotation interval limits the exposure window if a credential is ever compromised — a control aligned with NIST SP 800-63 and ISO 27001 guidance on periodic authentication review. For organisations managing access through an identity provider or an HRMS like Workday, Xoxoday’s own password expiry policy remains active unless access is managed entirely through a federated SSO configuration. Teams operating in hybrid environments should factor this into their access lifecycle procedures.

Account Lockout After Failed Attempts
Xoxoday locks an account automatically after three consecutive failed login attempts. Locked accounts require secure re-authentication before access is restored. This control directly counters brute-force and credential-stuffing attacks — a particularly relevant safeguard for distributed teams where Xoxoday sessions may persist across embedded integrations in Microsoft Teams or Slack. The three-attempt threshold is deliberately calibrated: low enough to block automated attack tooling, yet accommodating enough for a genuine user who has recently changed their password and is typing from memory.

Compliance and Audit Relevance
Xoxoday’s password controls — complexity rules, 45-day rotation, and lockout policy — fall within the scope of its SOC 2 Type II audit programme. IT and procurement teams conducting vendor security assessments can request the relevant compliance documentation as part of a formal due diligence process. These controls also support organisations aligning their own access management practices with ISO 27001 Annex A requirements around authentication and access restriction.

Learn more: Xoxoday Help Centre — Data protection and security