The user-account security settings control the password complexity, account lockout, and web session inactivity timeout. You can change the values of the settings.
Procedure
Complete the following steps to override the user-account security settings that are in place.
Security setting | Description | Allowed values | Default values |
---|---|---|---|
Password expiration period | Amount of time, in days, that a user can use a password before it must be changed. Smaller values reduce the amount of time for attackers to guess passwords. If set to 0, passwords never expire. Note: This setting applies only when the user accounts are managed using the local authentication server. It is not used when the external authentication server is used. | 0 – 365 | 90 |
Password expiration warning period | Amount of time, in days, before the password expiration date that users begin to receive warnings about the impending expiration of the user password. If set to 0, users are never warned. Note: This setting applies only when the user accounts are managed using the local authentication server. It is not used when the external authentication server is used. | 0 – maximum password expiration setting | 5 |
Minimum password reuse cycle | Minimum number of times that a user must enter a unique password when changing the password before the user can start to reuse passwords. If set to 0, users can reuse passwords immediately. | 0 – 10 | 5 |
Minimum password change interval | Minimum amount of time, in hours, that must elapse before a user can change a password again after it was previously changed. The value specified for this setting cannot exceed the value specified for the password expiration period. If set to 0, users can change passwords immediately. | 0 – 1440 | 24 |
Maximum number of login failures | Maximum number of times that a user can attempt to log in with an incorrect password before the user account is locked out. The number specified for the lockout period after maximum login failures determines how long the user account is locked out. Accounts that are locked cannot be used to gain access to the system even if a valid password is provided. If set to 0, accounts are never locked. The failed login counter is reset to zero after a successful login. | 0 – 100 | 20 |
Lockout period after maximum login failures | Minimum amount of time, in minutes, that must pass before a user who was locked out can attempt to log in again. If set to 0, the account remains locked until an administrator explicitly unlocks it. A setting of 0 might make your system more exposed to serious denial of service attacks, where deliberate failed login attempts can leave accounts permanently locked. Tip: Any user with the role of Supervisor can unlock a user account. For more information, see Unlocking a user. Note: This setting applies only when the user accounts are managed using the local authentication server. It is not used when the external authentication server is used. | 0 – 2880 | 60 |
Web inactivity session timeout | Amount of time, in minutes, that a user session that is established with XClarity Administrator can be inactive before the user is logged out. If set to 0, the web session never expires. Note: When changing this value, only user sessions that start after the setting is changed are affected. | 0 – 1440 | 1440 |
Minimum password length | Minimum number of characters that can be used to specify a valid password | 8 – 20 | 8 |
Number of complexity rules that must be followed when creating a new password | Number of complexity rules that must be followed when creating a new password. Rules are enforced starting with rule 1, and up to the number of rules specified. For example, if the password complexity is set to 4, then rules 1, 2, 3 and 4 must be followed. If the password complexity is set to 2, then rules 1 and 2 must be followed. XClarity Administrator supports the following password complexity rules. If set to 0, passwords are not required to comply with any complexity rules. | 0 – 5 | 4 |
Maximum active sessions for a specific user | Maximum number of active sessions for a specific user that are allowed at any given time. If set to 0, the number of allowed active sessions for a specific user is unlimited. | 1 – 20 | 3 |
Force user to change password on first access | Indicates whether a user is required to change the password when the user logs in to XClarity Administrator for the first time | Yes or No | Yes |
After you finish
After the changes are saved successfully, the new settings take effect immediately. If you change the setting for web inactivity session timeout, active sessions are affected.
If you change password policies, those policies are enforced the next time a user logs in or changes the password.
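
As an added example (not Lenovo's code and not part of the original page), the following Python function audits a proposed set of values against the ranges, defaults and cross-field limits in the table above, and warns about values of 0 that switch a control off. The key names are hypothetical, and two readings are assumptions: the warning period is capped by the configured expiration period, and the change-interval cap is skipped when the expiration period is 0.

```python
# Ranges copied from the table's "Allowed values" column. Key names are
# hypothetical labels for this example, not XClarity Administrator fields.
RANGES = {
    "password_expiration_days": (0, 365),
    "expiration_warning_days": (0, 365),
    "password_reuse_cycle": (0, 10),
    "min_change_interval_hours": (0, 1440),
    "max_login_failures": (0, 100),
    "lockout_period_minutes": (0, 2880),
    "web_inactivity_timeout_minutes": (0, 1440),
    "min_password_length": (8, 20),
    "complexity_rules": (0, 5),
}
# Settings where the table says a value of 0 switches the control off.
ZERO_DISABLES = {
    "password_expiration_days": "passwords never expire",
    "password_reuse_cycle": "passwords can be reused immediately",
    "max_login_failures": "accounts are never locked",
    "web_inactivity_timeout_minutes": "web sessions never expire",
    "complexity_rules": "no complexity rules are enforced",
}
# Default values from the table, in the same order as RANGES.
DEFAULTS = dict(zip(RANGES, (90, 5, 5, 24, 20, 60, 1440, 8, 4)))

def audit_policy(p):
    """Return (errors, warnings) for a dict of proposed settings."""
    errors, warnings = [], []
    for key, (lo, hi) in RANGES.items():
        if not lo <= p[key] <= hi:
            errors.append(f"{key}={p[key]} is outside {lo}-{hi}")
    exp = p["password_expiration_days"]
    # Assumption: the warning period is capped by the configured expiration.
    if p["expiration_warning_days"] > exp:
        errors.append("expiration_warning_days exceeds password_expiration_days")
    # Assumption: the hours-vs-days cap is skipped when passwords never expire.
    if exp and p["min_change_interval_hours"] > exp * 24:
        errors.append("min_change_interval_hours exceeds password_expiration_days")
    for key, effect in ZERO_DISABLES.items():
        if p[key] == 0:
            warnings.append(f"{key}=0: {effect}")
    if p["max_login_failures"] and p["lockout_period_minutes"] == 0:
        warnings.append("lockout_period_minutes=0: accounts stay locked until "
                        "an administrator unlocks them (denial-of-service risk)")
    return errors, warnings

if __name__ == "__main__":
    proposed = {**DEFAULTS, "password_expiration_days": 1,
                "min_change_interval_hours": 48, "lockout_period_minutes": 0}
    print(audit_policy(proposed))
```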