Version: Next

Password management and complexity

Context

To strengthen the security of your application, you can define a password complexity policy. This configuration is global and applies to all users.

Prerequisites

  • System administration rights
  • Access to authentication settings
  • Understanding of organization security policies

Access

These settings are available under Settings > Authentication.

Password complexity

You can enforce strict rules on internal passwords (Origin: "Application"):

Length

  • Minimum: Set to 1 character by default; 8 or more is recommended. The value entered must be at least equal to the sum of the other enabled complexity criteria.
  • Maximum: The technical limit is very high, but it must be greater than or equal to the minimum length.

Composition

Require a specific quota of:

  • Uppercase letters: Minimum number of capital letters.
  • Lowercase letters: Minimum number of lowercase letters.
  • Numbers: Minimum number of digits.
  • Special characters: Minimum number of non-alphanumeric characters (!, @, #, etc.).

Username

Prohibits including the login in the password, for increased security.

Expiration and History

  • Expiration: Number of days before mandatory renewal.
  • History: Prevents reuse of the last X passwords used.
  • Lockout: Number of attempts allowed before automatic account lockout (requires admin action to unlock the account).

Available rules

The system can enforce the following constraints via the Authentication.Form.PasswordPolicy configuration key:

  • Minimum length: Minimum number of characters (e.g.: 8).
  • Maximum length: Maximum number of characters.
  • Required characters:
    • Uppercase letters: Minimum number of capital letters.
    • Lowercase letters: Minimum number of lowercase letters.
    • Numbers: Minimum number of digits.
    • Special characters: Minimum number of non-alphanumeric characters (e.g.: ! @ # $).
  • Additional controls:
    • Must not contain username: Prevents using one's own name/login as password.
    • Password history: Prohibits reuse of the last X passwords.

Note

This configuration is typically managed by the system administrator or through a specific configuration panel in the administration interface.
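
The rules listed above, written out as an added example (this is not the product's code): it checks a policy for the two length constraints stated under Length, then evaluates a candidate password against the composition, username and history rules. The field names are hypothetical and do not reflect the actual schema of Authentication.Form.PasswordPolicy; comparing history entries as salted PBKDF2 hashes is an assumption, since the page does not say how history is stored.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class PasswordPolicy:  # hypothetical field names, not the product's schema
    min_length: int = 8
    max_length: int = 128
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    forbid_username: bool = True
    history_size: int = 5

    def config_errors(self):
        """Consistency rules the page states for the length settings."""
        errors = []
        quota = self.min_upper + self.min_lower + self.min_digits + self.min_special
        if self.min_length < quota:
            errors.append(f"minimum length {self.min_length} < sum of quotas {quota}")
        if self.max_length < self.min_length:
            errors.append("maximum length is below minimum length")
        return errors

def hash_password(password, salt=None):
    """Salted PBKDF2 record (assumed storage), so history never holds plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def violations(policy, username, password, history=()):
    """Return the names of the rules the candidate password breaks."""
    found = []
    if not policy.min_length <= len(password) <= policy.max_length:
        found.append("length")
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "special": sum(not c.isalnum() for c in password),
    }
    required = {"uppercase": policy.min_upper, "lowercase": policy.min_lower,
                "digits": policy.min_digits, "special": policy.min_special}
    found += [name for name, need in required.items() if counts[name] < need]
    if policy.forbid_username and username and username.lower() in password.lower():
        found.append("contains username")
    # Only the last history_size records count; 0 disables the history check.
    recent = list(history)[-policy.history_size:] if policy.history_size else []
    if any(hmac.compare_digest(hash_password(password, s)[1], h) for s, h in recent):
        found.append("reused password")
    return found
```

With the default minimum length of 1 and any composition quota enabled, `config_errors()` reports the inconsistency before the policy is applied.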

Administrative password management

As an administrator, you can manage user passwords through several tools.

Reset from user profile

  • "Application" mode: You can manually reset the password from the user profile.
  • "Network" mode (AD): Management is externalized; the field is grayed out.

AdminTools Tool

Access: Tools > AdminTools menu, then select Password from the dropdown list.

Password management

  • Usage: Unlocking the account of a user who has forgotten their password
  • Security: Action tracked in audit logs