How are users I invite protected from unauthorised use of their log-in

When a user is invited to access our software, the email they receive contains details of the person and school that is requesting they join. They are provided with a link which when they click on, sends them to a page where they set a password. At present, that password is required to have 3 of the following contained within a minimum length 10-character password:

  •        Uppercase
  •        Lowercase
  •        Special character
  •        Number

To help reduce the chance of access to unattended machines left logged in, we also insist (unless the option is changed at log in), that an inactive session only remain open for 20 minutes. After this time, it logs out and requires the user to log in once more. We suggest that passwords are updated regularly by users and never shared.