Password Policy change details for OMS, WebHost, Reseller, and EPKI accounts

Password information for Customer accounts:
Enhancing password security is important for Sectigo and its customers. Effective July 24/25, 2021, the following changes will be enabled:

  • Passwords will be checked against the "Have I Been Pwned (HIBP)" service.
  • Passwords will need to be a minimum of 12 characters with no complexity requirements.
  • Should the HIBP service identify a possible match, then you will be prompted to specify a different password.


What to expect as a Customer:

  • You will not be forced to change your passwords with the deployment of this patch (unless your password was previously scheduled for an update).
  • The validity of current passwords will be preserved.
  • Once the validity of your password has lapsed, you will be prompted to change it. The new rules will then govern the new password, which will be valid for (up to) 1 year.


Important Information about the “Have I Been Pwned” service

  • No plain passwords will be shared with a third-party service.
  • The password is hashed, and only the first 5 characters of this password hash are sent to the HIBP service. The service returns the suffix of every hash beginning with that prefix, and the customer’s password hash is then checked against the retrieved list.
  • Please refer to the “Searching by range” section at https://haveibeenpwned.com/API/v3#PwnedPasswords for more details.
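
The range lookup described above, together with the 12-character minimum, shown in Python as an added example (it is not Sectigo's code). It assumes SHA-1 hashing and the `SUFFIX:COUNT` response format documented for the HIBP range API; the function names, the `User-Agent` value and the sample password and response rows are constructed for illustration.

```python
import hashlib
import urllib.request

MIN_LENGTH = 12  # minimum length stated in the policy above
RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP range-search endpoint

def split_hash(password):
    """Uppercase SHA-1 hex digest split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Live lookup: only the 5-character prefix is sent to the service."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={
        "User-Agent": "password-policy-example",  # placeholder client name
        "Add-Padding": "true"})  # asks HIBP to pad the response with count-0 rows
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def constructed_fetch(prefix):
    """Constructed offline stand-in for fetch_range, used to run this example."""
    known_prefix, known_suffix = split_hash("correcthorsebattery")
    rows = ["0" * 35 + ":3", "F" * 35 + ":0"]  # unrelated row and a padding row
    if prefix == known_prefix:
        rows.append(known_suffix + ":42")
    return "\r\n".join(rows)

def breach_count(password, fetch=fetch_range):
    """Compare the suffix locally against the returned SUFFIX:COUNT lines."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def password_acceptable(password, fetch=fetch_range):
    """Apply the two rules above: minimum length first, then the HIBP check."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    hits = breach_count(password, fetch)
    if hits:
        return False, "found %d times in HIBP" % hits
    return True, "ok"

if __name__ == "__main__":
    for pw in ("short", "correcthorsebattery", "a-long-unbreached-phrase"):
        print(pw, password_acceptable(pw, constructed_fetch))
```

Neither the password nor its full hash is passed to `fetch`; the suffix comparison happens locally, and a password that fails the length rule is rejected before any lookup is made.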