The user-account security settings control the password complexity, account lockout, and web session inactivity timeout. You can change the values of the settings.
Procedure
Complete the following steps to override the user-account security settings that are in place.
Security setting | Description | Values |
---|---|---|
Password expiration period | The amount of time, in days, that a user can use a password before it must be changed. Smaller values reduce the amount of time for attackers to guess passwords. If set to 0, passwords never expire. The default is 90 days. Note: This setting applies only when the user accounts are managed using the local authentication server. It is not used when the external authentication server is used. | 0 – 365 |
Password expiration warning period | The amount of time, in days, before the password expiration date that users begin to receive warnings about the impending expiration of the user password. If set to 0, users are never warned. The default is 5 days. Note: This setting applies only when the user accounts are managed using the local authentication server. It is not used when the external authentication server is used. | 0 – maximum password expiration setting |
Minimum password reuse cycle | The minimum number of times that a user must enter a unique password when changing the password before the user can start to reuse passwords. If set to 0, users can reuse passwords immediately. The default is 5 occurrences. | 0 – 10 |
Minimum password change interval | The minimum amount of time, in hours, that must elapse before a user can change a password again after it was previously changed. The value specified for this setting cannot exceed the value specified for the password expiration period. If set to 0, users can change passwords immediately. The default is 24 hours. | 0 – 1440 |
Maximum number of login failures | The maximum number of times that a user can attempt to log in with an incorrect password before the user account is locked out. The number specified for the lockout period after maximum login failures determines how long the user account is locked out. Accounts that are locked cannot be used to gain access to the system even if a valid password is provided. If set to 0, accounts are never locked. The failed login counter is reset to zero after a successful login. The default is 20 occurrences. | 0 – 100 |
Lockout period after maximum login failures | The minimum amount of time, in minutes, that must pass before a user that was locked out can attempt to log back in again. If set to 0, the account remains locked until an administrator explicitly unlocks it. A setting of 0 might make your system more exposed to serious denial of service attacks, where deliberate failed login attempts can leave accounts permanently locked. The default is 60 minutes. Tip: Any user with the role of Supervisor can unlock a user account. For more information, see Unlocking a user. Note: This setting applies only when the user accounts are managed using the local authentication server. It is not used when the external authentication server is used. | 0 – 2880 |
Web inactivity session timeout | The amount of time, in minutes, that a user session that is established with XClarity Administrator can be inactive before the user is logged out. If set to 0, the web session never expires. The default is 1440 minutes. Note: When changing this value, only user sessions that start after the setting is changed are affected. | 0 – 1440 |
Minimum password length | The minimum number of characters that can be used to specify a valid password. The default is 8 characters. | 8 – 20 |
Maximum active sessions for a specific user | The maximum number of active sessions for a specific user that is allowed at any given time. If set to 0, the number of allowed active sessions for a specific user is unlimited. The default is 3 sessions. | 1 – 20 |
Force user to change password on first access | Determines whether a user is required to change the password when the user logs in to XClarity Administrator for the first time. The default is to require a user to change the password the first time that the user logs in. | Yes or No |
What to do next
After the new settings are saved successfully, they take effect immediately. If you change the setting for web inactivity session timeout, active sessions are affected.
If you change password policies, those policies are enforced the next time a user logs in or changes the password.
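The following added example (not part of the XClarity Administrator product or its documentation) audits a planned policy against the ranges, defaults, zero-value behaviors, and cross-field limits listed in the settings table before the values are entered. The key names are hypothetical, unset keys are assumed to keep the documented default, and the hours-to-days comparison for the change interval is an assumption about how the limit is applied.

```python
# Ranges and defaults from the settings table; key names are hypothetical.
SETTINGS = {  # key: (minimum, maximum, default)
    "password_expiration_days": (0, 365, 90),
    "password_expiration_warning_days": (0, 365, 5),
    "min_password_reuse_cycle": (0, 10, 5),
    "min_password_change_interval_hours": (0, 1440, 24),
    "max_login_failures": (0, 100, 20),
    "lockout_period_minutes": (0, 2880, 60),
    "web_inactivity_timeout_minutes": (0, 1440, 1440),
    "min_password_length": (8, 20, 8),
}
# What the table says a value of 0 turns off.
ZERO_MEANS = {
    "password_expiration_days": "passwords never expire",
    "password_expiration_warning_days": "users are never warned",
    "min_password_reuse_cycle": "passwords can be reused immediately",
    "min_password_change_interval_hours": "passwords can be changed immediately",
    "max_login_failures": "accounts are never locked",
    "lockout_period_minutes": "locked accounts stay locked until unlocked (denial-of-service exposure)",
    "web_inactivity_timeout_minutes": "web sessions never expire",
}

def audit(policy):
    """Return sorted (severity, key, message) findings for a planned policy."""
    # Assumption: any key missing from the policy keeps its documented default.
    cfg = {key: policy.get(key, default) for key, (_, _, default) in SETTINGS.items()}
    findings = []
    for key, (low, high, _) in SETTINGS.items():
        if not low <= cfg[key] <= high:
            findings.append(("error", key, f"{cfg[key]} outside {low}-{high}"))
        elif cfg[key] == 0 and key in ZERO_MEANS:
            findings.append(("warn", key, ZERO_MEANS[key]))
    expiry_days = cfg["password_expiration_days"]
    if expiry_days:  # assumption: cross-field limits are skipped when passwords never expire
        limits = {"password_expiration_warning_days": expiry_days,
                  "min_password_change_interval_hours": expiry_days * 24}  # days -> hours
        for key, limit in limits.items():
            if cfg[key] > limit:
                findings.append(("error", key, f"{cfg[key]} exceeds expiration period"))
    return sorted(findings)

# Constructed sample: a weak policy that disables lockout and breaks two limits.
SAMPLE = {"password_expiration_days": 7, "min_password_change_interval_hours": 200,
          "max_login_failures": 0, "lockout_period_minutes": 0, "min_password_length": 6}

if __name__ == "__main__":
    for severity, key, message in audit(SAMPLE):
        print(f"{severity:5} {key}: {message}")
```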