TestPlanIt
diff --git a/‎docs/blog/2026-04-17-password-policy-security-hardening.md‎
Lines changed: 63 additions & 0 deletions b/‎docs/blog/2026-04-17-password-policy-security-hardening.md‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎docs/blog/tags.yml‎
Lines changed: 5 additions & 0 deletions b/‎docs/blog/tags.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/docs/features.md‎
Lines changed: 4 additions & 0 deletions b/‎docs/docs/features.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/docs/user-guide/audit-logs.md‎
Lines changed: 10 additions & 0 deletions b/‎docs/docs/user-guide/audit-logs.md‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎docs/docs/user-guide/security-settings.md‎
Lines changed: 102 additions & 0 deletions b/‎docs/docs/user-guide/security-settings.md‎
Lines changed: 102 additions & 0 deletions
diff --git a/‎docs/docs/user-guide/users.md‎
Lines changed: 3 additions & 3 deletions b/‎docs/docs/user-guide/users.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎docs/sidebars.ts‎
Lines changed: 1 addition & 0 deletions b/‎docs/sidebars.ts‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,63 @@
+---
+slug: password-policy-security-hardening
+title: "Password Policy & Security Hardening"
+description: "TestPlanIt v0.22.0 adds a dedicated Security admin page with configurable password policies, account lockout, forced password changes, password revocation, and a real-time password strength indicator."
+authors: [bdermanouelian]
+tags: [release, announcement, security]
+---
+
+TestPlanIt v0.22.0 introduces a dedicated **Security** page in the admin panel, giving administrators full control over password policy, account lockout rules, and enforcement actions — plus a real-time password strength indicator for end users.
+
+<!-- truncate -->
+
+## Why a Security Page?
+
+Until now, password requirements were limited to a minimum length check during signup. There was no way to enforce character complexity, prevent password reuse, expire old passwords, or lock out accounts after failed login attempts.
+
+For teams managing sensitive test data — especially those working toward SOC 2 or ISO 27001 compliance — these are table-stakes controls. v0.22.0 fills that gap with a single admin page that covers the full lifecycle of password security.
+
+## What's New
+
+### Configurable Password Policy
+
+Navigate to **Admin → Security** to configure:
+
+- **Minimum password length** (8–128 characters)
+- **Character requirements** — uppercase, lowercase, numbers, and custom special characters
+- **Password history** — prevent reuse of the last N passwords (up to 24)
+- **Password expiration** — force password changes after a configurable number of days (up to 365)
+
+All settings use slider controls for quick adjustment, with the current value displayed alongside each slider.
+
+### Account Lockout
+
+Protect against brute-force attacks with configurable lockout rules:
+
+- **Lockout threshold** — lock accounts after 1–20 consecutive failed attempts
+- **Lockout duration** — keep accounts locked for 1–60 minutes
+
+### Enforcement Actions
+
+Sometimes you need to act immediately — after a security incident, a compliance audit, or when offboarding a user from credential-based access.
+
+- **Force Password Change** — require an individual user or all internal users to set a new password on their next login. Available from the user table's three-dot menu and as a bulk action on the Security page.
+- **Revoke Password** — remove a user's password entirely, limiting them to SSO or Magic Link authentication. Useful for transitioning users away from password-based login.
+
+Both actions include confirmation dialogs, guard against self-lockout (you can't force-change or revoke your own password), and are fully audit-logged.
+
+### Password Strength Indicator
+
+Every password form — signup, change password, and forced password change — now displays a real-time strength indicator:
+
+- A **four-level strength bar** (Weak, Fair, Strong, Very Strong) powered by [zxcvbn](https://github.com/zxcvbn-ts/zxcvbn), which evaluates password strength using pattern matching and entropy estimation rather than simple rule checks
+- A **policy checklist** that shows which requirements are met as the user types
+
+This gives users immediate, actionable feedback before they submit — reducing failed submissions and encouraging stronger passwords.
+
+## Server-Side Enforcement
+
+All policy checks are enforced server-side, not just in the UI. The password validation pipeline runs on every password change endpoint, checking minimum length, character classes, special characters, and password history. Slider ranges in the UI match the server-side validation bounds, so there's no mismatch between what the admin configures and what the server enforces.
+
+## Try It Out
+
+Upgrade to v0.22.0 and navigate to **Admin → Security** to configure your password policy. See the [Security Settings documentation](/docs/user-guide/security-settings) for a full walkthrough of every setting.
@@ -42,3 +42,8 @@ test-management:
   label: Test Management
   description: Posts about test case management strategies and approaches
   permalink: /test-management
+
+security:
+  label: Security
+  description: Posts about security features, authentication, and access control
+  permalink: /security
@@ -120,6 +120,10 @@ TestPlanIt is a comprehensive test management platform designed to help teams pl
 
 ### Security & Compliance
 
+- **Password policy** - Configure minimum length, character requirements, history depth, and expiration
+- **Account lockout** - Protect against brute-force attacks with configurable threshold and duration
+- **Password enforcement** - Force password changes (individual or bulk) and revoke passwords
+- **Password strength indicator** - Real-time zxcvbn-powered feedback on signup and password change forms
 - **Audit logs** - Track all changes for compliance and security review
 - **Two-factor authentication** - Add an extra layer of security for user accounts
 - **Data encryption** - Secure data at rest and in transit
 
@@ -67,6 +67,16 @@ Only users with administrative privileges can access the audit log viewer.
 | `API_KEY_REVOKED` | An API token was revoked by an administrator |
 | `API_KEY_REGENERATED` | An API token was regenerated |
 
+### Security Administration
+
+| Action | Description |
+|--------|-------------|
+| `PASSWORD_POLICY_CHANGED` | Password policy or lockout settings were modified |
+| `FORCE_PASSWORD_CHANGE` | User(s) required to change password on next login (individual or bulk) |
+| `PASSWORD_REVOKED` | A user's password was removed by an administrator |
+| `ACCOUNT_LOCKED` | Account locked after exceeding failed login threshold |
+| `ACCOUNT_UNLOCKED` | Account unlocked after lockout duration expired |
+
 ### System Configuration
 
 | Action | Description |
 
@@ -0,0 +1,102 @@
+---
+sidebar_label: 'Security Settings'
+title: Security Settings
+description: Configure password policy, account lockout, and enforcement actions
+---
+
+# Security Settings
+
+The Security page provides centralized control over password policy, account lockout rules, and enforcement actions. Only administrators (`ADMIN` access level) can access this page.
+
+To access Security Settings, navigate to **Admin → Security** from the left-hand navigation menu.
+
+## Password Policy
+
+Password policy settings define the minimum requirements for all user passwords. These rules are enforced when users sign up, change their password, or are forced to set a new password.
+
+### Minimum Password Length
+
+Set the minimum number of characters required for passwords. Configurable from **8** to **128** characters. The default is **12**.
+
+### Character Requirements
+
+Toggle individual character class requirements:
+
+- **Require Uppercase** — At least one uppercase letter (A–Z)
+- **Require Lowercase** — At least one lowercase letter (a–z)
+- **Require Numbers** — At least one digit (0–9)
+- **Required Special Characters** — Specify a set of characters that passwords must include at least one of (e.g., `!@#$%^&*`). Leave empty to disable this requirement.
+
+### Password History
+
+Set the **Password History Depth** (0–24) to prevent users from reusing recent passwords. A value of `5` means the last 5 passwords are remembered and cannot be reused. Set to `0` to disable history checks.
+
+### Password Expiration
+
+Set the **Password Expiration Days** (0–365) to require users to change their password periodically. When a password expires, the user is redirected to the forced password change page on their next login. Set to `0` to disable expiration.
+
+Password expiration only applies to users with credential-based authentication (INTERNAL or BOTH auth methods). SSO-only users are not affected.
+
+## Account Lockout Policy
+
+Lockout settings protect against brute-force login attempts by temporarily locking accounts after repeated failures.
+
+### Lockout Threshold
+
+The number of consecutive failed login attempts before the account is locked. Configurable from **1** to **20** attempts. The default is **5**.
+
+### Lockout Duration
+
+How long (in minutes) an account remains locked after exceeding the threshold. Configurable from **1** to **60** minutes. The default is **15**.
+
+After the lockout duration expires, the user can attempt to log in again. Successful login resets the failed attempt counter.
+
+## Enforcement Actions
+
+### Force Password Change (Individual)
+
+From the **Admin → User Management** page, click the three-dot menu on any internal user and select **Force Password Change**. This sets a flag on the user's account that requires them to set a new password on their next login.
+
+- Only available for users with INTERNAL or BOTH authentication methods (not SSO-only users)
+- Not available for your own account (to prevent self-lockout)
+- The user sees a dedicated password change page before they can access any other part of the application
+
+### Force All Users to Change Password
+
+On the Security page, click **Force All Users to Change Password** to require every active internal user to change their password on next login. A confirmation dialog shows the number of affected users before proceeding.
+
+This targets users with INTERNAL or BOTH auth methods who are active and not already flagged for a password change.
+
+### Revoke Password
+
+From the **Admin → User Management** page, click the three-dot menu on any internal user and select **Revoke Password**. This removes the user's password entirely, requiring them to use an alternative login method (SSO or Magic Link).
+
+**Prerequisites:** At least one passwordless login method must be configured before passwords can be revoked:
+- A Magic Link SSO provider is enabled, **or**
+- An email server is configured for Magic Link delivery
+
+If no passwordless login method is available, the revoke action is blocked with an error message.
+
+- Not available for your own account
+- Not available for users who don't have a password set
+
+## Password Strength Indicator
+
+When users set or change their password (on the signup page, profile change password modal, or forced password change page), a real-time **Password Strength Indicator** is displayed. This shows:
+
+- A **strength bar** with four levels (Weak, Fair, Strong, Very Strong) powered by the zxcvbn algorithm, which evaluates password strength beyond simple rule checks
+- A **policy checklist** showing which requirements are met or unmet based on the current password policy
+
+The strength indicator updates as the user types, providing immediate feedback before form submission.
+
+## Saving Changes
+
+After adjusting any settings on the Security page, click **Save Changes** at the bottom of the page. A success notification confirms that the settings have been saved. All changes take effect immediately for subsequent login attempts and password changes.
+
+## Audit Logging
+
+All security-related actions are recorded in the [Audit Log](/docs/user-guide/audit-logs):
+
+- **PASSWORD_POLICY_CHANGED** — When any password policy or lockout setting is modified
+- **FORCE_PASSWORD_CHANGE** — When an individual or bulk forced password change is triggered
+- **PASSWORD_REVOKED** — When a user's password is revoked
@@ -28,7 +28,7 @@ The main view displays a table of all registered users (excluding those marked a
   - **API Access**: (Hidden by default) A switch indicating if the user can access the API.
   - **Created At**: Date the user account was created.
   - **Created By**: (Hidden by default) The user who created this account (or "Self-Registration").
-  - **Actions**: Buttons to **Edit** or **Delete** the user. (Cannot delete your own account).
+  - **Actions**: A three-dot menu with **Edit**, **Force Password Change**, **Revoke Password**, and **Delete** options. Password actions are only shown for internal/both auth method users and are hidden for your own account. Delete is also hidden for your own account.
 
 ## Adding a New User
 
@@ -49,7 +49,7 @@ The main view displays a table of all registered users (excluding those marked a
 ## Editing an Existing User
 
 1. Locate the user you wish to modify in the table.
-2. Click the **Edit** (pencil) icon in the **Actions** column for that user.
+2. Click the three-dot menu in the **Actions** column and select **Edit**.
 3. A modal dialog will appear. You can modify:
     - Name
     - Email
@@ -71,6 +71,6 @@ You cannot delete your own user account.
 :::
 
 1. Locate the user you wish to delete in the table.
-2. Click the **Delete** (trash can) icon in the **Actions** column.
+2. Click the three-dot menu in the **Actions** column and select **Delete**.
 3. A confirmation dialog will appear, warning that the action cannot be undone.
 4. Click **Confirm Delete**.
@@ -107,6 +107,7 @@ const sidebars: SidebarsConfig = {
             },
             'user-guide/prompt-configurations', // AI prompt configuration management
             'user-guide/sso', // Authentication configuration and management
+            'user-guide/security-settings', // Password policy, lockout, and enforcement
             'user-guide/audit-logs', // Audit logs for compliance and security
             // Add other admin pages here as they are created
           ],