Password policy settings
The password policy settings are server-side settings, so they are configured through the License management (Server) screen, on the following sub-screens:
- Default settings of the application instances
- Password policy
- Application instances
Two versions of password policy management exist, depending on the motor version: motor version 5.3 manages password policy 1.0, while password policy 2.0 belongs to motor version 5.4.
The earlier 1.0 and the new 2.0 versions exist concurrently.
When the motor version is upgraded, the question of how the two versions are managed arises, so the settings of both versions are described in detail below.
The choice between the versions is left to the administrator.
As a general rule, for backward compatibility, the newer (2.0) version also handles the settings of version 1.0. Once a version 2.0 password policy is set, the previous settings are no longer in effect: the values registered under version 1.0 are disregarded.
A version 2.0 password policy is in effect once a password policy profile is assigned to an application instance (on the Application instances screen of the License Server MinorMenu) or to a user group (on the Groups screen).
The password policy profile can be set through the password policy screen.
In version 1.0 of the password policy, the settings can only be made on the level of the application instance, while in version 2.0, it can be done on user group level as well.
Password policy 1.0
In version 1.0, Effector provides the following settings through the Default settings of the application instances screen (applying to every application instance) and the Application instances screen.
- PasswordPolicy_AlphaUpperCaseMinCount: Minimum number of capital letters in the password. Integer number, for example 2
- PasswordPolicy_BanTimeout: Length of the ban applied to banned users, in minutes. Integer number, for example 20
- PasswordPolicy_ChangeAfterFirstLogin: Whether the user has to change the password upon the first login. Boolean (false/true; true means the password has to be changed)
- PasswordPolicy_ChangeInterval: The number of days after which the user has to change his password. Integer number, for example 30
- PasswordPolicy_MaxLength: Maximum length of the password. Integer number, default value: 100
- PasswordPolicy_MaxRetryCount: Maximum number of failed logins, after which the user is banned by the system. Integer number, for example 3
- PasswordPolicy_MinLength: Minimum length of the password. Integer number, default value: 1
- PasswordPolicy_NumericMinCount: Minimum number of numbers in the password. Integer number, for example 2
- PasswordPolicy_PasswordRepeatingProhibited: The number of previous passwords (N) remembered which cannot be used again by the user. Integer number, for example: 5
- PasswordPolicy_UserIdleTimeout: Maximum time in minutes that can be spent idle. Integer number, for example 5
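The following is an added example, not Effector's own code, showing how the password policy 1.0 keys above translate into enforcement logic: complexity checks for MinLength, MaxLength, AlphaUpperCaseMinCount and NumericMinCount, a password history of the last N passwords for PasswordRepeatingProhibited, and a failed-login counter that applies BanTimeout after MaxRetryCount failures. The history storage scheme (salted PBKDF2-HMAC-SHA256) and the non-page defaults in the dataclass are assumptions of this example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class PasswordPolicy10:
    """The password policy 1.0 keys from the page (PasswordPolicy_ prefix dropped).
    Defaults follow the page where it states one (MaxLength 100, MinLength 1);
    the other defaults are assumptions for this example."""
    AlphaUpperCaseMinCount: int = 0
    BanTimeout: int = 20                  # minutes a banned user stays banned
    ChangeAfterFirstLogin: bool = False
    ChangeInterval: int = 30              # days between forced changes
    MaxLength: int = 100
    MaxRetryCount: int = 3                # failed logins before a ban
    MinLength: int = 1
    NumericMinCount: int = 0
    PasswordRepeatingProhibited: int = 0  # how many previous passwords are remembered
    UserIdleTimeout: int = 5              # minutes


def _digest(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme for the history: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_new_password(policy: PasswordPolicy10, password: str, history: list) -> list:
    """Return the names of the violated rules (an empty list means the password is accepted).

    history holds (salt, digest) pairs of the user's previous passwords, newest first.
    """
    problems = []
    if len(password) < policy.MinLength:
        problems.append("MinLength")
    if len(password) > policy.MaxLength:
        problems.append("MaxLength")
    if sum(c.isupper() for c in password) < policy.AlphaUpperCaseMinCount:
        problems.append("AlphaUpperCaseMinCount")
    if sum(c.isdigit() for c in password) < policy.NumericMinCount:
        problems.append("NumericMinCount")
    # Only the last N remembered passwords count, as the 1.0 key describes.
    for salt, digest in history[: policy.PasswordRepeatingProhibited]:
        if hmac.compare_digest(_digest(password, salt), digest):
            problems.append("PasswordRepeatingProhibited")
            break
    return problems


def record_password(policy: PasswordPolicy10, password: str, history: list) -> None:
    """Store an accepted password in the history and trim it to the last N entries."""
    salt = os.urandom(16)
    history.insert(0, (salt, _digest(password, salt)))
    del history[policy.PasswordRepeatingProhibited:]


class LoginGuard:
    """Tracks failed logins per user and bans the user for BanTimeout minutes once
    MaxRetryCount consecutive failures are reached. The clock is injectable so the
    ban expiry can be exercised without waiting."""

    def __init__(self, policy: PasswordPolicy10, clock=None):
        self.policy = policy
        self.clock = clock or time.monotonic
        self.failures: dict = {}
        self.banned_until: dict = {}

    def is_banned(self, user: str) -> bool:
        until = self.banned_until.get(user)
        return until is not None and self.clock() < until

    def record_failure(self, user: str) -> bool:
        """Register a failed login; returns True if the user is (now) banned."""
        if self.is_banned(user):
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.policy.MaxRetryCount:
            self.banned_until[user] = self.clock() + self.policy.BanTimeout * 60
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


if __name__ == "__main__":
    policy = PasswordPolicy10(MinLength=8, AlphaUpperCaseMinCount=2,
                              NumericMinCount=2, PasswordRepeatingProhibited=5)
    history = []
    print(check_new_password(policy, "abc", history))       # three rules violated
    record_password(policy, "AbCdef12", history)
    print(check_new_password(policy, "AbCdef12", history))  # reuse of a remembered password
```

Note that the history keeps only digests, so the old passwords themselves are never stored, and the ban counter resets on a successful login, which is what MaxRetryCount as a count of consecutive failures implies.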
Password policy 2.0
On the License management (Software) MinorMenu Password policy screen, a password policy profile can be created that covers application instances or groups.
Apart from some additional fields, the settings are the same as for password policy 1.0:
- Name: The name of the password policy, mandatory field
- Security level: integer value, mandatory field
- Min length of the password: PasswordPolicy_MinLength
- Max length of the password: PasswordPolicy_MaxLength
- Minimal number of capital letters: PasswordPolicy_AlphaUpperCaseMinCount
- Minimal number of numbers: PasswordPolicy_NumericMinCount
- Max number of login attempts: PasswordPolicy_MaxRetryCount
- Banning time: PasswordPolicy_BanTimeout
- Time that can be spent idle: PasswordPolicy_UserIdleTimeout
- Interval for password change: PasswordPolicy_ChangeInterval
- Password to be changed after first login: PasswordPolicy_ChangeAfterFirstLogin
- Cannot be the last n passwords: PasswordPolicy_PasswordRepeatingProhibited
- One Time Password: allows or disallows two-factor authentication
The higher the security level value, the stronger the policy it indicates.
Multiple password policies can be created in the system, so different profiles can be set for different application instances or groups.
If multiple password policies apply to a user (because the user is in multiple groups or accesses multiple application instances), the profile with the highest security level applies.
Assigning a password policy profile to a group
The created profile can be assigned to a group on the License manager (Server) MinorMenu Groups screen. Clicking the group's name opens the group's editing screen.
Choose the profile in the "Password policy" field and save the assignment. The password policy profile assigned to a group overrides the one assigned to an application instance.
Assigning a password policy profile to an application instance
The created profile can be assigned to the chosen system on the License manager (Server) MinorMenu Application instances screen. Select the card of the given application instance (on the left-hand side), assign the corresponding profile in the "Password policy" field of the right-hand side panel, then save.
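The following added example (not Effector's own code) makes the resolution rules from the preceding sections executable: a profile assigned to one of the user's groups overrides profiles assigned to application instances, and among the candidates that remain the highest security level wins; when no 2.0 profile applies at all, the result is None, meaning the 1.0 per-instance settings stay in force. Treating group precedence as "any group profile beats all instance profiles" and breaking security-level ties by profile name are assumptions of this example, as are the constructed assignment tables.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class PolicyProfile:
    """A password policy 2.0 profile, reduced to the fields the resolution rule needs."""
    name: str
    security_level: int


@dataclass(frozen=True)
class Resolution:
    profile: Optional[PolicyProfile]  # None: no 2.0 profile applies, 1.0 settings remain in force
    source: Optional[str]             # "group" or "instance": where the winning profile came from


def resolve_policy(user_groups: Iterable[str], user_instances: Iterable[str],
                   group_assignments: Dict[str, PolicyProfile],
                   instance_assignments: Dict[str, PolicyProfile]) -> Resolution:
    """Pick the password policy profile that applies to one user.

    Assumed reading of the page's two rules: profiles assigned to any of the user's
    groups take precedence over profiles assigned to the application instances the
    user accesses; among the remaining candidates the highest security level wins.
    Ties are broken by profile name only to keep the result deterministic.
    """
    group_candidates = [group_assignments[g] for g in user_groups if g in group_assignments]
    instance_candidates = [instance_assignments[i] for i in user_instances if i in instance_assignments]
    if group_candidates:
        candidates, source = group_candidates, "group"
    elif instance_candidates:
        candidates, source = instance_candidates, "instance"
    else:
        return Resolution(None, None)
    best = max(candidates, key=lambda p: (p.security_level, p.name))
    return Resolution(best, source)


if __name__ == "__main__":
    # Constructed sample assignments, not taken from any real installation.
    groups = {"admins": PolicyProfile("strict", 5), "staff": PolicyProfile("standard", 2)}
    instances = {"crm": PolicyProfile("crm-default", 3), "hr": PolicyProfile("hr-default", 4)}
    print(resolve_policy(["staff"], ["crm"], groups, instances))          # group wins over instance
    print(resolve_policy(["staff", "admins"], ["crm"], groups, instances))  # highest level among groups
    print(resolve_policy([], ["crm", "hr"], groups, instances))            # highest level among instances
    print(resolve_policy(["guests"], ["wiki"], groups, instances))         # nothing assigned: 1.0 settings
```

Returning the source alongside the profile is useful when auditing why a given user ends up under a particular policy, since a lower security level can win when it comes from a group assignment.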