You are here: Administration > User Administration > The central security configuration

The central security configuration

The security configuration pages allow you to change the password security settings for OEDQ users. Alternatively, if possible, you can integrate OEDQ with Active Directory and enable single-sign on.

To change the password security settings:

Select Security Configuration within the Configuration pages.
Update the settings on the page.

The settings on this page are split into two categories, Password Strength, and Accounts Security, which itself encompasses Password Expiry and Unsuccessful Logins.

Password Strength

Several different settings are available to help ensure password strength. These are:

The minimum Password Length;
The minimum number of non-alpha characters that the password must contain;
The minimum number of numeric digits that the password must contain;
The number of previous passwords that will be checked to prevent repetition;
Preventing or allowing the password to be the same as the username.

In addition, a checkbox is provided which enables or disables all the password security checks. If the 'Enforce password strength' checkbox is not checked, none of the other settings will have any effect. This allows password approval to be suspended on a temporary basis without losing all the configuration details.

Custom password strength checking

If you require additional, or more flexible, password strength rules, it is possible to configure a password strength checker in JavaScript.

Note:The rules enforced by the password checker are applied to passwords for 'internal' users only. External passwords are controlled by the policy set on the LDAP server.

To do this, create a directory named pwcheck in the OEDQ configuration area and save a script file called pwcheck.js and a properties file called pwcheck.properties to this directory. Next, navigate to your configuration area directory and add the following line to your security.properties file:

user.pwcheck.scriptfile=pwcheck/pwcheck.js

(If you do not already have a security.properties file, you can add one containing just this line. No other contents are necessary.)

Password Expiry

The password expiry fields in the Account Security section control how long a user's password can remain active before they need to provide a new one.

Settings control:

The number of days a password remains valid (Password expiration days), and
The number of days warning that will be provided to the user before the password expires.

There is also a 'Password never expires' checkbox. Checking this option means that, by default, a password will never become invalid.

Note:It is valid to both check this box and provide a value for 'Password expiration days'. In this case, the default behavior of the core security settings will be that the password does not expire. However, this can be overridden on a per-user basis, in which case the value set for the password expiry days will come into force. See Creating and editing users for more details.

Unsuccessful Logins

The unsuccessful login fields control:

The number of unsuccessful login attempts that will be tolerated for a user, and
The action that will be taken once this limit is exceeded (Invalid attempts).
The action to be taken is a default only. It is possible to override this action on a per-user basis; see Creating and editing users for more details.

Example

The settings shown in the above screenshot enforce password security with a 90-day password expiry policy:

In this example, user passwords:

must be at least 8 characters in length;
must include at least 3 non-alpha characters including at least 1 digit;
must not be the same as the last 3 passwords for the user;
must not be the same as the user name.

In addition:

passwords expire every 90 days;
users will be warned 5 days before password expiry;
if a user makes five unsuccessful login attempts, the user will be blocked for 24 hours. (Blocked users can be unblocked by a user with administration privileges.)