Setting Up Candidate Gateway Password Controls
This topic provides overviews of Candidate Gateway password controls and account lockout. It then discusses how to set up password controls.
| Page Name | Definition Name | Usage |
|---|---|---|
| Password Controls Page | HRS_PSWD_CFG | Define password requirements for applicants. |
| Forgotten Password Hint Page | HRS_FORGT_PSW_HINT | Define questions that can be used to authenticate the identity of a user who requests a password resent using the Forgot Password option. |
External applicants must register for a Candidate Gateway account in order to apply for jobs or access certain other features. Candidate Gateway accounts are part of the recruiting system; they are not PeopleSoft user IDs. (External applicants access the PeopleSoft system using a generic guest ID that bypasses the PeopleSoft signon page).
Candidate Gateway password control settings enable you to define password requirements such as password strength, whether passwords expire after a specified time period, whether a secret question must be answered before the system resets a forgotten password, and whether accounts are locked out after a specified number of failed logon attempts.
Password Control Validations
If you activate password controls:
- When an applicant creates an account or changes the password for an existing account, the system ensures that the new password meets all requirements. 
- If a password expires, the user is forced to set a new password during the next logon attempt.
  The expiration period for passwords is part of your password control settings.
- If the password control settings are changed, all applicants are forced to reset their password during the next logon attempt, regardless of whether the previous password meets the new requirements. 
- If the recruiting system generates a new password, the generated password conforms to password requirements except that it does not observe the expiration period because system-generated passwords are single-use passwords that must be reset on first use.
  The system generates passwords when applicants use the Forgot Password option in Candidate Gateway. The system also generates passwords when a recruiting user requests references from an unregistered applicant. The generated password is included in the notification that the applicant receives.
Password Requirement Instructions for Applicants
The system dynamically generates a description of the password requirements that you configure. Applicants see this description any time they create a password: while registering or resetting a password.
You can override the dynamically generated description with your own text using the text catalog entry HRAM_CE_PSWD_2. If this text catalog entry is populated, then the system uses the text catalog entry instead of the system-generated description.
Account lockout functionality enables you to lock applicants out of their Candidate Gateway accounts after:
- A specified number of failed logon attempts. 
- A specified number of incorrect answers to the secret question that must be answered before a forgotten password is reset. 
Lockout for Failed Logons
When lockout is enabled for failed logons, and an applicant tries to sign on with an incorrect password, the system displays a message informing the applicant how many attempts remain before the account is locked. After the final failed attempt, a message advises the applicant that the account has been locked. The system also sends the applicant this information in an email notification.
The messages about the locked account advise the applicant to use the Forgot Password option to obtain a new system-generated password that will unlock the account.
The Forgot Password process sends the applicant a system-generated password. When the applicant signs on with this password, the system forces the applicant to choose a new password. After the applicant successfully chooses a new password, the account is unlocked.
Lockout for Secret Questions
When lockout is enabled for secret questions, the system does not show any messages indicating whether an answer is correct. Instead, the system sends an email notification to the applicant. If the answer was correct, the email contains the new password. If the answer was incorrect, the email informs the applicant that the password was not reset because the question was answered incorrectly. The notification also tells the applicant how many attempts remain before the account is locked out.
When an account is locked due to incorrect answers to secret questions, the applicant can no longer use the Forgot Password option to reset the password. Instead, the applicant must contact your organization and ask an administrator to reset the password.
Email Address Required for Account Lockout
The Forgot Password option uses email to send a new system-generated password. For this reason, the Forgot Password option (and, by extension, the secret question option and the account lockout option) works only if the applicant’s email address is in the system.
To ensure that all applicants provide email addresses, go to the Recruiting Installation - Applicants Page and set the Email Address Required field to Yes.
If you have not made applicant email addresses required, you can’t activate the secret question or account lockout options. Conversely, if the secret question or account lockout feature is active, you can’t change the Email Address Required field to No.
Even if you make email addresses required for applicants, some older applicant accounts might not have email addresses. If such an account is locked out, the system displays a message instructing the applicant to contact a recruiter. The recruiter can then add the applicant’s email address to the applicant record, making it possible for the applicant to use the Forgot Password option.
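The two lockout paths and the email dependency described above, modelled in Python as an added illustration (not PeopleSoft code). The limits, message strings, field names and generated password are constructed, and the model assumes the secret question option is enabled.

```python
from dataclasses import dataclass

LOGON_LIMIT = 3      # Account Lockout "Failed Attempts" (constructed value)
QUESTION_LIMIT = 2   # Secret Question "Failed Attempts" (constructed value)

@dataclass
class Account:
    """Hypothetical applicant account; plain strings keep the model short."""
    password: str
    secret_answer: str
    email: str = ""
    failed_logons: int = 0
    failed_answers: int = 0
    must_change: bool = False  # True once a system-generated password is issued

def logon(acct, password):
    """Return the on-screen result of a sign-on attempt."""
    locked = acct.failed_logons >= LOGON_LIMIT
    if password == acct.password and (acct.must_change or not locked):
        return "choose new password" if acct.must_change else "ok"
    if not locked:
        acct.failed_logons += 1  # reset-on-success is not stated on the page
    left = LOGON_LIMIT - acct.failed_logons
    if left > 0:
        return f"failed, attempts left: {left}"
    # Accounts without an email address cannot use Forgot Password.
    return "locked, use Forgot Password" if acct.email else "locked, contact a recruiter"

def forgot_password(acct, answer, generated="Tmp-Example-1"):
    """Return (on-screen result, email body or None)."""
    if acct.failed_answers >= QUESTION_LIMIT:
        return "contact an administrator", None
    if not acct.email:
        return "unavailable without an email address", None
    if answer != acct.secret_answer:
        acct.failed_answers += 1
        left = QUESTION_LIMIT - acct.failed_answers
        return "request received", f"password not reset, attempts left: {left}"
    acct.password, acct.must_change = generated, True
    # The screen text is the same as for a wrong answer; only the email differs.
    return "request received", f"new password: {generated}"

def choose_new_password(acct, new_password):
    """Replacing the single-use password clears the failed-logon lock."""
    acct.password, acct.must_change, acct.failed_logons = new_password, False, 0
```

A failed-logon lock is cleared by the applicant through Forgot Password, while a secret-question lock leaves only the administrator path.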
Use the Password Controls page (HRS_PSWD_CFG) to define password requirements for applicants.
Image: Password Controls page
This example illustrates the Password Controls page.

Password Configuration
| Field or Control | Definition | 
|---|---|
| Enabled | Select this check box to activate the password controls in the Password Configuration section of this page. When you deselect the check box, the current password configuration settings are cleared and the fields become read-only. This check box does not control the Secret Question for Forgot Password settings or the Account Lockout settings. | 
Password Expiration
| Field or Control | Definition | 
|---|---|
| Never Expires | Select this option if you do not want to set a limit on how long users can use a password before it must be reset. | 
| Expires In <number of> Days | Select the Expires In option to set a limit on how long a password can be used, then define the expiration period by entering the number of Days that the password remains valid. | 
Password May Match
| Field or Control | Definition | 
|---|---|
| User Name | Select this check box to allow passwords that are identical to the user name (the logon ID). Passwords must still meet all password strength requirements. | 
| Primary Email | Select this check box to allow passwords that are identical to the user’s primary email. Passwords must still meet all password strength requirements. Because password validation occurs only when a password is resent, users will not be forced to change a password due to a change in the primary email address. | 
Password Strength
| Field or Control | Definition | 
|---|---|
| Minimum Length | Enter the overall minimum number of characters for passwords. This number must be large enough to accommodate any additional requirements for minimum numbers of special characters, digits, lowercase letters, and uppercase letters. | 
| Special Characters | Enter the minimum number of special characters for passwords. The following characters are considered special characters: ! @ # $ % ^ & * ( ) - _ = + \ \| [ ] { } ; : / ? . > < |
| Digits | Enter the minimum number of digits (numbers) for passwords. | 
| Lowercase | Enter the minimum number of lowercase letters for passwords. | 
| Uppercase | Enter the minimum number of uppercase letters for passwords. | 
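The following Python sketch is an added illustration, not PeopleSoft code: it applies the Password Strength and Password May Match settings described above to a candidate password and checks that Minimum Length can accommodate the per-class minimums. The class and function names are hypothetical, and exact-match comparison against the user name and email is an assumption.

```python
from dataclasses import dataclass

# Special characters as listed in the Password Strength table on this page.
SPECIAL_CHARS = set("!@#$%^&*()-_=+\\|[]{};:/?.><")

@dataclass
class PasswordControls:
    """Hypothetical container mirroring the Password Controls page fields."""
    min_length: int = 8
    min_special: int = 0
    min_digits: int = 0
    min_lower: int = 0
    min_upper: int = 0
    may_match_user_name: bool = False
    may_match_primary_email: bool = False

def config_errors(cfg):
    """Flag a Minimum Length too small for the per-class minimums."""
    needed = cfg.min_special + cfg.min_digits + cfg.min_lower + cfg.min_upper
    if cfg.min_length < needed:
        return [f"Minimum Length {cfg.min_length} is below the {needed} "
                "characters required by the class minimums"]
    return []

def password_errors(cfg, password, user_name, primary_email):
    """Return every rule the candidate password breaks (empty list = accepted)."""
    counts = {
        "special characters": sum(c in SPECIAL_CHARS for c in password),
        "digits": sum(c.isdigit() for c in password),
        "lowercase letters": sum(c.islower() for c in password),
        "uppercase letters": sum(c.isupper() for c in password),
    }
    minimums = dict(zip(counts, (cfg.min_special, cfg.min_digits,
                                 cfg.min_lower, cfg.min_upper)))
    errors = []
    if len(password) < cfg.min_length:
        errors.append(f"needs at least {cfg.min_length} characters")
    for kind, have in counts.items():
        if have < minimums[kind]:
            errors.append(f"needs at least {minimums[kind]} {kind}")
    # Matching is compared exactly here; case handling is an assumption.
    if not cfg.may_match_user_name and password == user_name:
        errors.append("must not match the user name")
    if not cfg.may_match_primary_email and password == primary_email:
        errors.append("must not match the primary email")
    return errors
```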
Secret Question for Forgot Password
| Field or Control | Definition | 
|---|---|
| Enabled | Select this check box to require applicants to answer a secret question when requesting help with a forgotten password. The applicant must answer the question correctly before the system will send a temporary password. When you select this check box, the system verifies that the Recruiting Installation - Applicants Page is configured to require email addresses from applicants. If applicant email addresses are not required, an error message appears, and you cannot save the password settings until you deselect this check box. | 
| Failed Attempts | If you enable a secret question for forgotten passwords, enter the number of incorrect answers that will cause an applicant’s Candidate Gateway account to be locked. This number must be greater than zero. | 
Account Lockout
| Field or Control | Definition | 
|---|---|
| Enabled | Select to activate the account lockout feature, which locks applicants out of their Candidate Gateway accounts after a specified number of failed logon attempts. When you select this check box, the system verifies that the Recruiting Installation - Applicants Page is configured to require email addresses from applicants. If applicant email addresses are not required, an error message appears, and you cannot save the password settings until you deselect this check box. | 
| Failed Attempts | If you enable account lockout, enter the number of failed logon attempts that will cause an applicant’s Candidate Gateway account to be locked. This number must be greater than zero. | 
Use the Forgotten Password Hint page (HRS_FORGT_PSW_HINT) to define questions that can be used to authenticate the identity of a user who requests a password resent using the Forgot Password option.
Image: Forgotten Password Hint page
This example illustrates the Forgotten Password Hint page.

| Field or Control | Definition | 
|---|---|
| Active | Select this check box to make the question available to applicants when they choose a secret question. At least one secret question must be active when secret question functionality is active. Deselect this check box to make the question unavailable without deleting it. | 
| Secret Question | Enter the text of the question. | 
| Delete Question | Click this button to delete the question. This is a more permanent action than inactivating a question. Warning! When you click this button, the system deletes the question instantly without asking you to confirm the deletion. | 
Note: Both inactive questions and deleted questions remain available to applicants who previously selected the question. Applicants who are already using an inactive or deleted question are not forced to change their secret question, and they can even continue to change the answer. They don't lose access to the question until they choose (and save) a different question.