Staff Authentication Password Requirements

Print Friendly and PDF Follow

Starting with ILLiad 9.0, sites can set password requirements for staff using the StaffPasswordComplexity key. Existing sites will have this key set to .* to preserve existing functionality, but new installations will have the complex password requiring at least 8 characters, including an upper and lower case letter and a number. The Staff Manager does have an override ability that will prompt 'Password does not meet requirements. Would you still like to set the password?' when a password does not meet the specified requirements.

Default Password Requirement

In order to require at least eight characters with at least one lowercase letter, one uppercase letter, and one number, the following regular expression should be entered as the value for the StaffPasswordComplexity key:


With the ILLiad default password requirement, passwords must contain:

  • At least 8 characters
  • At least 1 lowercase letter
  • At least 1 uppercase letter
  • At least 1 number

Setting the Password Requirement

To set the default validation rule for Staff passwords:

  1. Open the ILLiad Customization Manager.
  2. Navigate to System | General.
  3. Locate the StaffPasswordComplexity key.
  4. Change the value to ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$
  5. Click Save.

Editing the Password Requirement

The default Staff password requirement can be edited to fit specific institution needs. This is done by simply editing the regular expression that sets the password requirement.

See Testing Regular Expressions for more information about regular expressions.

  1. Navigate to System | General in the ILLiad Customization Manager.
  2. Locate the StaffPasswordComplexity key.
  3. Change the value to the regular expression you want to use.
  4. Click Save.

Password Examples

The default requirement above (^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$) breaks down roughly as:

  • A ^ and $ character to indicate the beginning and end of the text.
  • A series of (?=.*#character class#) elements, which look ahead to make sure at least some part of the text matches the given #character class#, which includes
    • \d - any number
    • [a-z]any lowercase number
    • [A-Z]any uppercase number
  • .{8,} to ensure the text is at least eight characters.

Here are some examples of some common complexity requirements expressed as regular expressions. Remember that the web validation fields cannot exceed 255 characters when designing your regular expressions, and to change the rule for both the registration and the change password forms.

Require at least eight characters with at least one letter, one number, and one symbol
Require between 8 and 20 characters with at least one letter and one number
Require at least 10 characters
Requires a password of at least eight characters with characters coming from at least two of the following three groups: letters, numbers, and symbols.

Encryption for Stored Passwords 

Staff passwords are stored with enhanced encryption methods using the Password-Based Key Derivation Function 2 (PBKDF2) hashing strategies. The iterations (default value: 156,000) store the hashed passwords as an algorithm. When a user logs in with a password, it will be compared with the hash algorithm to verify the password is correct before permitting clearance into ILLiad.

The default value can be changed in the Customization Manager by changing the value of the StaffPasswordHashingIterations key. If you wish to change the default iterations, it's highly recommended to contact support for the number of iterations that work best for the speed of your computer and the hash algorithm. Generally, hash iterations should not be set to less than 100,000. 

FIPS Compliance

As of v9.0, FIPS (Federal Information Processing Standards) can be enabled for ILLiad. This standard:

FIPS compliance will be supported with ILLiad after the hashing customization keys (StaffPasswordHashingIterations and WebPasswordHashingIterations) are set in the Customization Manager with a numerical value. 

If you need to utilize FIPS on your system, you must update ALL passwords for staff members prior to activating it, or FIPS checking will prevent the system from running for the respective Staff user. 

FIPS also affects the staff's ability to change user passwords for patrons who have not updated their passwords after enabling FIPS compliance.


If this article didn’t resolve your issue, please contact Atlas Support for assistance:

Contact Support