Maximize reset password SMS pause window duration

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • Manage the time duration in minutes that a user must wait before they can request a new password reset code.

    If the password_reset.sms.pause_window system property is not set to the recommended value of 2 minutes or greater, then a malicious user could initiate many password reset SMS codes in a brief window of time.

    Ensure that the property password_reset.sms.pause_window is set to 2 or greater.

    More information

    Attribute Description
    Configuration name password_reset.sms.pause_window
    Configuration type System Properties (/sys_properties_list.do)
    Data type Integer
    Recommended value 2
    Default value 2
    Category Authentication
    Security risk
    • Severity score: 4.8
    • CVSS score: Medium
    • Security risk details: This increases the attacker's likelihood of predicting the SMS reset code.
    Dependencies and prerequisites None