Managing Password Settings

Use the Password Settings page to configure the password options for MRI for the Web for users who authenticate through MRI Identity Provider.

Note

You must have System Settings permissions to access this page. Refer to Adding and Maintaining Users and Access Rights for more information.

Password Composition Requirements

Passwords must meet the following requirements:

            Length of at least 6 characters

            A mix of characters meeting three of the following four criteria:

1.         English upper case character (A...Z)

2.         English lower case character (a...z)

3.         Digit (0...9)

4.         Non-alphanumeric character (!, @, #, $)

Note

Password composition options were configurable in previous versions of Security Console, but starting in version 10.5.1, all of these criteria are required.

If you use an external identity provider (IdP), the password requirements configured for your IdP will override these requirements.

When a user attempts to change their password to a password that does not conform to this rule, the system displays the following message: "The password must contain characters from three of the following four categories.

            English upper case characters (A..Z)

            English lower case characters (a..z)

            Base 10 digits (0..9)

            Non-alphanumeric (For example, !,#,%,&)."
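
The rule above, together with the Minimum Password Length and login-name options described under Password Settings, can be written as a short check. This Python is an added example, not MRI Software code; the function names and sample passwords are constructed. It assumes that any character outside A..Z, a..z and 0..9 counts as non-alphanumeric and that the login-name comparison ignores case.

```python
import string

UPPER = set(string.ascii_uppercase)   # English upper case characters (A..Z)
LOWER = set(string.ascii_lowercase)   # English lower case characters (a..z)
DIGITS = set(string.digits)           # Base 10 digits (0..9)


def categories_present(password):
    """Return which of the four character categories appear in the password."""
    found = set()
    for ch in password:
        if ch in UPPER:
            found.add("upper")
        elif ch in LOWER:
            found.add("lower")
        elif ch in DIGITS:
            found.add("digit")
        else:
            # Assumption: anything outside A-Z, a-z, 0-9 is non-alphanumeric.
            found.add("non-alphanumeric")
    return found


def check_password(password, login_name=None, min_length=6):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if len(categories_present(password)) < 3:
        problems.append("fewer than three categories")
    # Assumption: the login-name comparison is case-insensitive.
    if login_name and login_name.lower() in password.lower():
        problems.append("contains login name")
    return problems


# Constructed sample candidates for a hypothetical user "jsmith".
SAMPLES = ["Summer2024", "password1", "Ab1!", "Jsmith#2024", "correct horse battery"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        print(repr(candidate), check_password(candidate, login_name="jsmith") or "ok")
```

The constructed sample Summer2024 passes every check, so meeting the composition rule does not by itself make a password hard to guess.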

Password Settings

To manage password settings, follow these steps:

1.         Go to Settings.

2.         Click Password Settings.

3.         Complete the following fields:

            Days Between Forced Change—Enter the number of days after which users are forced to change their passwords. When a user's password expires, a message appears indicating the number of grace logons.

When a user password expires and no grace logons remain, a message appears indicating the user is locked out of the system. MRI Software recommends that users change their passwords as soon as their current passwords expire.

Valid values: 0 to 999.

If you accept the default value of zero, the following will be true:

                        Users have unlimited logon days

                        Users are never prompted to change their passwords

                        The Grace Logins field below must also be set to zero

            Grace Logins—Enter the number of grace logons you want users to have after they have reached the number of days entered in the Days Between Forced Change field above. See the description of that field for details.

Valid values: 0 to 999.

Note

This field is available only if the Days Between Forced Change field above is populated.

The system administrator can reset a locked out user account by clearing the Locked check box on the User page. Refer to Adding and Maintaining Users and Access Rights for more information.

            Stored Password History—Enter the number of previously used passwords that the system stores and does not allow users to reuse.

Valid values: 0 to 999. If you accept the default value of zero, then users may reuse all previous passwords.

When a user attempts to change their password to a previously stored password that cannot yet be used, the system displays the following message: "Your new password has been used in the past. Please select again."

            Minimum Password Length—Enter a number that represents the minimum password length.

Valid values: 6 to 14.

When a user attempts to change their password to a new password that does not meet the minimum password length, the system displays the following message: "Minimum password length must be xx characters or greater."

            Period of Account Inactivity—Enter the number of calendar days of inactivity allowed. If a user does not log on within this number of calendar days, the user account is locked and cannot be used.

Valid values: 0 to 999. If you accept the default value of zero, then a user account will never be locked because of inactivity.

Note

The system administrator can reset a locked out user account by clearing the Locked check box on the User page. Refer to Adding and Maintaining Users and Access Rights for more information.

            Account Lockout Threshold—Enter the number of failed logon attempts that will cause a user account to be locked out. A locked out account cannot be used until it is reset by a system administrator or the time entered in the Account Lockout Duration field below has elapsed.

Valid values: 0 to 999.

If you accept the default value of zero, the following will be true:

                        Users will never be locked out

                        The Account Lockout Duration field below is unavailable

                        The Reset Account Lockout Counter After field below is unavailable

            Account Lockout Duration—Enter the number of minutes a locked out account remains locked out before automatically becoming unlocked. The value entered in this field must be greater than or equal to the value entered in the Reset Account Lockout Counter After field below.

Valid values: 0 to 99999 minutes. If you set this value to zero, an account will be locked out until an administrator explicitly unlocks it.

Note

This field is used only if the Account Lockout Threshold field above is populated.

The system administrator can reset a locked out user account by clearing the Locked check box on the User page. Refer to Adding and Maintaining Users and Access Rights for more information.

            Reset Account Lockout Counter After—Enter the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to zero.

Valid values: 1 to the value entered in the Account Lockout Duration field above.

Note

This field is used only if the Account Lockout Threshold field above is populated.

            Does not contain user's login name—Select to indicate that a user’s password cannot contain their logon name.

When a user attempts to change their password to a password that contains their logon name, the system displays the following message: "The password cannot contain the user’s login name."

            Force all users to change their password upon next login—Select to require user passwords to be changed the next time users log on.

4.         Click Save.
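
Before entering values, the ranges and field dependencies from step 3 can be checked together, along with the controls that a zero value switches off. This Python is an added example, not MRI Software code; the dictionary key names and sample values are constructed. Because the page gives no range for Reset Account Lockout Counter After when Account Lockout Duration is 0, the example skips that check in that case (assumption).

```python
# Valid ranges listed on this page; the dictionary key names are hypothetical.
RANGES = {
    "days_between_forced_change": (0, 999),
    "grace_logins": (0, 999),
    "stored_password_history": (0, 999),
    "minimum_password_length": (6, 14),
    "period_of_account_inactivity": (0, 999),
    "account_lockout_threshold": (0, 999),
}
# What the page says a value of zero means for these fields.
ZERO_MEANS = {
    "days_between_forced_change": "users are never prompted to change passwords",
    "stored_password_history": "users may reuse all previous passwords",
    "period_of_account_inactivity": "accounts are never locked for inactivity",
    "account_lockout_threshold": "users are never locked out",
}


def audit(s):
    """Return (errors, notices) for a dict of planned Password Settings values."""
    errors, notices = [], []
    for field, (low, high) in RANGES.items():
        if not low <= s[field] <= high:
            errors.append(f"{field}: valid values are {low} to {high}")
    if s["days_between_forced_change"] == 0 and s["grace_logins"] != 0:
        errors.append("grace_logins: must be 0 when days_between_forced_change is 0")
    if s["account_lockout_threshold"] > 0:  # lockout fields apply only in this case
        duration = s["account_lockout_duration"]
        reset = s["reset_account_lockout_counter_after"]
        if not 0 <= duration <= 99999:
            errors.append("account_lockout_duration: valid values are 0 to 99999")
        elif duration == 0:
            # Assumption: the page gives no reset range for a duration of 0, so skip it.
            notices.append("account_lockout_duration = 0: only an administrator can unlock")
        elif not 1 <= reset <= duration:
            errors.append("reset_account_lockout_counter_after: must be 1 to the lockout duration")
    notices += [f"{f} = 0: {why}" for f, why in ZERO_MEANS.items() if s[f] == 0]
    return errors, notices


# Constructed sample values, not recommendations; PLANNED deliberately breaks one rule.
ALL_ZERO = {**dict.fromkeys(RANGES, 0), "minimum_password_length": 6}
PLANNED = {**ALL_ZERO, "days_between_forced_change": 90, "grace_logins": 3,
           "stored_password_history": 5, "account_lockout_threshold": 5,
           "account_lockout_duration": 15, "reset_account_lockout_counter_after": 30}

if __name__ == "__main__":
    for name, values in (("ALL_ZERO", ALL_ZERO), ("PLANNED", PLANNED)):
        print(name, *audit(values), sep="\n  ")
```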
