Zenovay enforces a single, strong password standard for every account. There is no per-organization "password policy" panel to configure inside Zenovay. If your organization needs to enforce its own password rules (length, complexity, rotation, history, lockout), the supported path is to bring your own identity provider through SSO, so your IdP owns the password policy and Zenovay defers to it.
The built-in password standard
Every Zenovay password must meet these requirements. They apply at sign-up and whenever a password is changed or reset:
- At least 12 characters
- At least one lowercase letter
- At least one uppercase letter
- At least one number
These rules are fixed and cannot be relaxed or extended from inside the product. Passwords are never stored in plain text.
Info
Zenovay does not currently offer in-product controls for password expiration, password history, minimum password age, or a configurable account-lockout threshold. To enforce those policies, use SSO (see below).
Protection against brute-force attempts
Sign-in and other sensitive auth endpoints are rate-limited per IP to slow down credential-stuffing and brute-force attempts. This is automatic, applies to all accounts, and is not something you configure. There is no separate per-user "lockout duration" or admin-unlock workflow to manage.
Enforce your own policy with SSO
For organizations that need a specific password policy (for example a compliance requirement around length, rotation, or reuse), connect your identity provider with Single Sign-On. When SSO is enabled and enforced for your team:
- Users authenticate through your IdP (Okta, Azure AD / Entra ID, Google Workspace, OneLogin, or any SAML/OIDC provider).
- Your IdP enforces the password policy — length, complexity, expiration, history, and lockout are all defined and applied there, not in Zenovay.
- You can require MFA at the IdP level as well.
This is the recommended approach for any regulated or security-sensitive deployment, because your existing identity governance and audit tooling stays the source of truth.
Open SSO settings
Go to Settings → Security (the SSO section). SSO is available on the Scale and Enterprise plans.
Connect your identity provider
Configure SAML or OIDC with your provider. See SAML configuration or OAuth / OIDC setup for the exact steps.
Enforce SSO for your team
Once verified, require SSO so members sign in through your IdP. Your IdP's password policy now governs every login.
Where to manage your own password
Individual passwords are managed per user, not at the team level:
- Go to Settings → Account → Security & access.
- In the password section, request a change. Zenovay sends a reset link to your account email, so there's no in-app form and you don't re-enter your current password.
- Open the link and set a new password. The same "12+ characters with upper, lower, and a number" requirement applies.
If you've forgotten your password, use the reset flow on the sign-in screen instead. See Resetting your password.
Add a second factor
A password policy alone isn't enough for sensitive accounts. Zenovay supports multi-factor authentication (TOTP authenticator apps, passkeys / WebAuthn, and backup codes), and Enterprise teams can require it. See Enforcing MFA.
Troubleshooting
My new password is rejected
Make sure it has at least 12 characters and includes a lowercase letter, an uppercase letter, and a number. Very common passwords may also be rejected.
I want to require rotation or a longer minimum for my team
That isn't available as a Zenovay setting. Enforce it through your identity provider with SSO, as described above.
A team member is locked out
There's no manual per-user lockout to clear. If sign-in is being throttled by rate limiting, it clears on its own after a short period. If a member can't get in at all, have them reset their password, or — if you use SSO — check their status in your identity provider.