About Veracode Platform passwords
The Veracode Platform protects your data in numerous ways. One of the most important ways is by securing your login so that it is not vulnerable to password guessing or brute force attack. Veracode does this by:
- Enforcing minimum password complexity rules
- Password expiration
- Enforcing a user account lockout after five failed login attempts
- Offering optional multifactor authentication
Password complexity
Your Veracode Platform password must meet these criteria:
- Contains at least eight characters
- Contains at most 72 characters
- Includes at least one lowercase letter, uppercase letter, number, and symbol
- Does not include your first or last name
- Does not repeat any of your last five passwords
If you forget your password, select Need help signing in? > Forgot password? and follow the instructions for resetting a forgotten password.
Password expiration
You must change your password every 90 days. If your password expires, the Sign in page in the Veracode Platform prompts you to change it.
Security question answers
You must set up a security question and answer pair when you activate your account. Answers are not case-sensitive.
User lockout after five failed login attempts
You can reset your password at any time. Veracode automatically locks your account for 30 minutes after five failed attempts to enter a correct password. This lockout protects your account from brute-force attacks.
If your account becomes locked out, Veracode notifies you in an email.
Optional multifactor authentication
Your account might require multifactor authentication (MFA) for enhanced security. The Veracode Platform supports two standards for MFA:
- TOTP: to use time-based one-time password (TOTP) authentication, you must open a TOTP application, such as Google Authenticator, on your mobile device to generate a six-digit code.
- FIDO2/WebAuthn: to use FIDO2 / WebAuthn authentication, you must have a FIDO2-compliant hardware security key, such as a YubiKey or Titan Security Key or a biometric authenticator such as Windows Hello or Touch ID.
For human user accounts, we recommend using SSO instead of API credentials, especially when onboarding new users. With SSO configured in your organization, your development teams can securely sign in to Veracode (using OAuth) from within their IDEs and the Veracode CLI using an email address. They won’t need to create or maintain API credentials or an API credentials file.
For automated integrations, such as scripts, CI/CD plugins, or APIs that don’t require human interaction, the best practice is to use non-human API service accounts with API credentials. To use SSO in your organization, contact Veracode Technical Support to enable JIT provisioning configured for SP-initiated authentication.
Inactivity logout
The Veracode Platform automatically ends your session and logs you out after a period of 15 minutes with no activity.