Password Policy

Last updated: 11 February 2026Effective: 11 February 2026

This Password Policy defines the requirements for creating and managing passwords for all Ignition DigitalAI accounts, including the client portal and admin portal. It is designed to protect your account and our systems from unauthorised access.

This policy applies to all users with an Ignition DigitalAI account. By creating or using an account, you agree to follow these requirements.

1. Password Requirements

Minimum standards

Your password must meet all of the following criteria:

Minimum 12 characters in length
At least one uppercase letter (A-Z)
At least one lowercase letter (a-z)
At least one number (0-9)
At least one special character (e.g. !@#$%^&*)

Prohibited passwords

The following types of passwords are not permitted:

Common dictionary words or phrases
Sequential patterns (e.g. abc123, 123456)
Keyboard patterns (e.g. qwerty, asdfgh)
Repeated characters (e.g. aaa111, xxxxxx)
Passwords containing your name, email address, or company name
Passwords known to have appeared in public data breaches

2. Password Management

We strongly recommend the following best practices for managing your password:

Use a password manager (e.g. 1Password, Bitwarden, or your browser's built-in manager) to generate and store strong, unique passwords
Do not reuse your Ignition DigitalAI password on other websites or services
Never share your password with anyone, including Ignition DigitalAI staff — we will never ask for your password
Do not store passwords in plain text (e.g. sticky notes, unencrypted text files, or email)
Do not send passwords via email, SMS, or unencrypted messaging

3. Password Changes

When to change your password

You should change your password immediately if:

You believe your password has been compromised
You notice suspicious activity on your account
You are requested to do so by an administrator
Your account has been inactive for more than 365 days (you will be prompted)

How to change your password

Navigate to your account settings in the client portal or admin portal
A confirmation email will be sent to verify the change
You cannot reuse any of your last 5 passwords

4. Multi-Factor Authentication (MFA)

Multi-factor authentication adds an extra layer of security by requiring a second verification step in addition to your password.

MFA is available for all accounts and strongly recommended for all users
MFA is mandatory for admin accounts
Supported method: Time-based one-time password (TOTP) via an authenticator app (e.g. Google Authenticator, Authy, 1Password)

Setup

Enable MFA in your account settings
Scan the QR code with your authenticator app
Store your recovery codes securely — these are needed if you lose access to your authenticator device

Recovery

If you lose your authenticator device, use your recovery codes to sign in
If you have lost both your device and recovery codes, contact support at https://ignitiondigitalai.com/contact — identity verification will be required

5. Account Lockout

To protect against brute-force attacks, accounts are temporarily locked after repeated failed login attempts:

After several failed attempts → 15-minute lockout
After several more failed attempts → 1-hour lockout
Repeated lockouts may trigger an account review by our security team, and we may temporarily suspend your account. If you believe your account has been locked out in error, contact us and we will investigate.

Accounts are automatically unlocked after the lockout period. If you need immediate access, contact support with identity verification.

6. Password Reset

If you forget your password:

Click "Forgot password?" on the login page
Enter your registered email address
A password reset link will be sent to your email (valid for 1 hour, single use)
Follow the link to set a new password that meets the requirements above
All active sessions will be terminated upon password reset

Security notes

We will never ask for your password via email, phone, or any other channel
Password reset links are single-use and expire after 1 hour
Suspicious reset attempts are logged and may trigger an account lock

7. Session Management

Client portal: Sessions time out after hours of inactivity
Admin portal: Sessions time out after a short period of inactivity
Sessions are invalidated when you change or reset your password
You can sign out of all devices from your account settings
You cannot use a shared or public device to access the client portal or admin portal. Signout immediately if you have.

8. Compromised Passwords

If you believe your password has been compromised:

Change your password immediately via account settings or the password reset flow
Review your account activity for any unauthorised actions
Contact us at https://ignitiondigitalai.com/contact if you notice suspicious activity
Enable MFA if you have not already done so

We will investigate reported compromises and take appropriate action to secure your account.

9. Admin Accounts

Admin accounts have elevated access to client data and system settings. The following additional requirements apply:

MFA is mandatory (must be enabled before first use)
Minimum 16-character password recommended
Cannot reuse the last 10 passwords
Access is monitored and reviewed regularly
Must use secure, company-approved devices and networks

10. Compliance

This Password Policy is informed by and aligned with:

NIST Special Publication 800-63B — Digital Identity Guidelines (Authentication)
OWASP Authentication Guidelines — best practices for secure authentication
Australian Signals Directorate (ASD) — standards for secure systems
Australian Cyber Security Centre (ACSC) Essential Eight — multi-factor authentication best practices

If you have questions about this policy, contact us at https://ignitiondigitalai.com/contact.