Difference between revisions of "Password Policy"

From LongJump Support Wiki
imported>Aeric
m (moved Password Policies to Password Policy over redirect)

Revision as of 21:16, 2 June 2011

Settings > Administration > Password Policy

A Password Policy defines password requirements and login protections.

Permissions

Users that have the Access Control/User Management permission can modify the password policies.

Create a New Password Policy

  1. Click Settings > Administration > Password Policy
  2. Click the Edit button, and change any of the fields under Policy Information to create a custom password policy
    Minimum Length
    Minimum number of characters in the password; Default: 6 Characters, Range: 6-10 characters
    Required Character Types
    The types of characters and character combinations required for passwords; Default: No Restrictions, Range: See Required Character Types
    Expires In
    The number of days the password remains valid before the user will be prompted to change it; Default: 90 Days, Range: 15, 30, 60, 90, 120 days, Never
    New Password Cannot Match
    The number of previous passwords that a new password cannot match; Default: Last Password, Range: Last 2-5 passwords
    Minimum Age
    How frequently a user can change the password; Specifies the number of days that must pass before a user can change passwords; Default: No Minimum, Range: 1-5 Days
    Inactive Session Timeout
    The length of time an application will remain active with no user activity; The application will become inactive and the user will need to log on again when the timeout is reached; Default: 90 Minutes, Range: 15, 30, 60, 90, 120 minutes
    Account Lockout Threshold
    The number of login attempts before the account is locked out; Default: 5 tries, Choices: 3-10 tries, No Limit
    Learn more: Login Limit
    Account Lockout Duration
    The length of time that an account is locked out; Default: 15 minutes, Choices: 5, 10, 15, 30, or 60 minutes, Disable
    Users Excluded from Password Expiration
    A list of users who do not have to update their password; This might include users with Administration privileges; Default: No Users
  3. Click [Save]; For audit purposes, the following information is also displayed:
    Last Modified By <username> {date}
    Created By <username> {date}

About Login Limit

The Login Limit defines the number of failed attempts allowed before a user account is disabled or locked for a specified time. When a user attempts to log in and fails (because of an incorrect password), each attempt counts against the Login Limit. When the Login Limit is reached, the account is disabled or locked for a specified time, according to the parameters set in the Account Lockout Duration field. The Login Limit is defined in Password Policies.

Users that have the Manage Company Capabilities permission can:
  • Enable and specify the Login Limit
  • Track all invalid login attempts in the Audit Logs
  • Reactivate the locked/disabled user account

To specify the Login Limit:

  1. Click Settings > Administration > Password Policies
  2. Click the [Edit] button
  3. Choose an option in the Account Lockout Threshold field from this list of options:
    • No Limit
    • 3 failed tries
    • 4 failed tries
    • 5 failed tries (default)
    • 6 failed tries
    • 7 failed tries
    • 8 failed tries
    • 9 failed tries
    • 10 failed tries

To track all Invalid Login Attempts, see the Audit Log.


Reactivation

To reactivate a locked or disabled user account:

  1. Click Settings > Administration > User
  2. Select the user account of interest
  3. Click the [Edit] button
  4. Click the Active checkbox
  5. Click [Save]
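
The Login Limit behaviour described above (threshold, lockout duration, audit trail, reactivation), modelled as an added example; this is not LongJump's code. The class and function names are hypothetical, and it assumes that a successful login clears the failure counter and that the "Disable" duration keeps the account locked until an administrator reactivates it.

```python
from datetime import datetime, timedelta

class LoginLimit:
    """Tracks failed logins against an Account Lockout Threshold and Duration."""

    def __init__(self, threshold=5, duration_minutes=15):
        self.threshold = threshold  # None models "No Limit"
        # None models "Disable": the account stays locked until reactivated
        self.duration = None if duration_minutes is None else timedelta(minutes=duration_minutes)
        self.failures = {}      # user -> failed attempts since last success
        self.locked_until = {}  # user -> unlock time, or None when disabled
        self.audit = []         # (time, user, event) records of invalid attempts

    def is_locked(self, user, now):
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is not None and now >= until:
            self.reactivate(user)  # timed lockout has expired
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if self.is_locked(user, now):
            self.audit.append((now, user, "attempt while locked"))
            return "locked"
        if password_ok:
            self.failures[user] = 0  # assumption: a success clears the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.audit.append((now, user, "invalid password"))
        if self.threshold is not None and self.failures[user] >= self.threshold:
            self.locked_until[user] = None if self.duration is None else now + self.duration
            return "locked"
        return "failed"

    def reactivate(self, user):
        """Administrator action (the Active checkbox) or lockout expiry."""
        self.locked_until.pop(user, None)
        self.failures[user] = 0

# Constructed sample: (minutes from start, password correct?) for one user
SAMPLE = [(0, False), (1, False), (2, False), (3, False), (4, False), (5, True), (20, True)]

def replay(limit, user, events, start=datetime(2011, 6, 2, 9, 0)):
    """Replay (minutes_offset, password_ok) pairs and return the outcomes."""
    return [limit.attempt(user, ok, start + timedelta(minutes=m)) for m, ok in events]
```

With the default policy (5 tries, 15 minutes), the correct password at minute 5 is still refused because the fifth failure locked the account, and it is accepted again at minute 20.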

Users Excluded from Password Expiration

By default, no user is exempt from the Password Policy, although it is possible to specify that a User be Excluded from the Password Expiration Policy.

Required Character Types

This option defines the level of security for passwords, which can be simple, allowing any character combination, or very secure, requiring Upper and lower case characters as well as special characters.

Option
    No Restrictions
    This is a low security option and allows any characters to be selected from a defined set
Example Passwords
    These passwords are considered to be the same in this policy:
    tH1sisMYPA$$worD
    th1sismypa$$word
    TH1SISMYPA$$WORD
Description
    Characters in any of the following sets are allowed:
    - Upper case (A-Z)
    - lower case (a-z)
    - number (0-9)
    - special character @ # $ %

Option
    Alphanumeric characters
    This is also a low security option - it allows most characters, and requires some characters from a defined set
Example Passwords
    These passwords are not the same, and each can be used in this policy:
    tH1sisMYPA55worD
    th1sismypa55word
    TH1SISMYPA55WORD
    th1sismypa$$word
Description
    Requires at least one character from each of the following sets:
    - Upper case (A-Z) or lower case (a-z)
    - number (0-9)
    Allowed:
    - special character @ # $ %

Option
    Alphanumeric characters
    Requires at least one Upper case character
    This is a reasonable level of security for most organizations.
Example Passwords
    These passwords are not the same, and each can be used in this policy:
    th1sisMYPA55worD
    TH1SISMYPA55WORD
    This password does not meet the requirement because it is missing an Upper case character:
    th1sismypa55word
Description
    Requires at least one character from each of the following sets:
    - Upper case (A-Z)
    - number (0-9)
    Allowed:
    - lower case (a-z)

Option
    Alphanumeric characters
    Including special characters # $ % @
    The addition of special characters adds an additional degree of complexity to password security.
Example Passwords
    Any of these passwords can be used in this policy:
    th1sisMYPA$$worD
    th1sismypa$$word
    TH1SISMYPA$$WORD
    This password does not meet the requirement because it is missing a number and a special character:
    thisismypassword
Description
    Requires at least one character from each of the following sets:
    - Upper case (A-Z) or lower case (a-z)
    - number (0-9)
    - special character @ # $ %

Option
    Alphanumeric characters
    Requires at least one Upper case character
    Including special characters # $ % @
    The addition of special characters and the upper/lower case requirement adds a high degree of complexity to password security.
Example Passwords
    These passwords are not the same, and each can be used in this policy:
    th1sisMYPA$$worD
    TH1SISMYPA$$WORD
    This password does not meet the requirement because it is missing an Upper case character:
    th1sismypa$$word
    This password does not meet the requirement because it is missing a number and a special character:
    ThisIsMyPassword
Description
    Requires at least one character from each of the following sets:
    - Upper case (A-Z)
    - number (0-9)
    - special character @ # $ %
    Allowed:
    - lower case (a-z)
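
The five Required Character Types options above, written as a checker and run against the page's own example passwords. This is an added example, not LongJump's code: the option keys and the function name are hypothetical shorthand, and rejecting characters outside the listed sets is an assumption, since the page lists the sets but does not say how other characters are handled.

```python
import string

UPPER, LOWER = set(string.ascii_uppercase), set(string.ascii_lowercase)
DIGIT, SPECIAL = set(string.digits), set("@#$%")
LETTER = UPPER | LOWER

# Option keys are shorthand invented for this example; each entry maps to
# (required sets, sets that are allowed but not required) from the table.
POLICIES = {
    "no_restrictions": ({}, UPPER | LOWER | DIGIT | SPECIAL),
    "alphanumeric": ({"letter": LETTER, "number": DIGIT}, SPECIAL),
    "alphanumeric_upper": ({"upper case": UPPER, "number": DIGIT}, LOWER),
    "alphanumeric_special": (
        {"letter": LETTER, "number": DIGIT, "special character": SPECIAL}, set()),
    "alphanumeric_upper_special": (
        {"upper case": UPPER, "number": DIGIT, "special character": SPECIAL}, LOWER),
}


def violations(password, option, min_length=6):
    """Return the reasons a password fails the option; an empty list means it passes."""
    required, allowed = POLICIES[option]
    chars = set(password)
    problems = []
    if len(password) < min_length:  # 6 is the page's default Minimum Length
        problems.append(f"shorter than {min_length} characters")
    for name, charset in required.items():
        if not chars & charset:
            problems.append(f"missing {name}")
    # Assumption: anything outside the listed sets is rejected.
    permitted = allowed.union(*required.values())
    extra = chars - permitted
    if extra:
        problems.append("characters outside the allowed sets: " + "".join(sorted(extra)))
    return problems


if __name__ == "__main__":
    # Example passwords taken from the table above
    for pw in ("th1sisMYPA$$worD", "th1sismypa$$word", "ThisIsMyPassword"):
        print(pw, violations(pw, "alphanumeric_upper_special"))
```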