Skip to content

Security policies

Administrators can set the password policy for users of the system.

Administration > User Administration > Security Policy will take you to the Security Policy page, which shows the current password and account lockout policies and allows them to be modified.

Password Policy

Password policy values are arranged from least to most secure, with the most secure options at the bottom of the value list.

Table 1: Password policy settings

Policy Description
Minimum password strength required How strong a password must be to be accepted by a password creation field.

Options include: weak, fair, good, strong, and very strong.

The strength of a password is calculated with an algorithm that takes into consideration the length, type of characters used, how frequently they are repeated, and capitalization. A password with fewer characters but more variety in those characters may rate stronger than a password with many characters of one type.
Password expiry How frequently user passwords will expire and need to be reset.

Options include: never, one month, two months, six months, and one year.
Prevent password reuse Specifies whether passwords can be reused and how many passwords back the system checks for reuse. E.g. selecting "Last 3" would allow users to reuse a password as long as that password was not one of the last three that they used.

Options include: never, last 3, last 5, last 10, and last 20.

Modifying a password policy

  1. Navigate to Administration > User Administration > Password Policy
  2. Click the link associated with the policy setting
  3. Select a new value
  4. Click Save

Account Lockout Policy

Account lockout policies determine how to handle multiple failed login attempts by a user of the system.

Table 2: Account lockout policy settings

Policy Description
Maximum failed login attempts before locking The number of times a user can enter an incorrect password before their account is temporarily locked out of the system.

Options include: never, three, five, and ten.
Failure reset interval (seconds) How many seconds before the failure count is reset. Default is 600 seconds.
Account lockout duration (seconds) How many seconds before the account is unlocked. Default is 600 seconds.

Modifying an account lockout policy

  1. Navigate to Administration > User Administration > Security Policy
  2. Click the link associated with the policy setting
  3. Select a new value
  4. Click Save

Note

Failure reset interval and account lockout duration settings only appear if the maximum failed login attempts before locking is not set to "never".