
Advanced Password Policies


Incorrect Password Attempts

Passwords are used by administrators to log in to CyberAudit-Web. There are two basic password policies enforced in all CyberAudit-Web systems:

Number of failed attempts - When a known CyberAudit-Web administrator login receives a wrong password, CyberAudit-Web starts counting incorrect attempts for that login. When the count exceeds the maximum specified on this page, the login is automatically disabled.

In addition, failed attempts are throttled by imposing a delay after incorrectly entering the password for a login. The throttling behavior is as follows:

1 Only 1 login guess per second.
2 If there have been 3 or more wrong guesses (regardless of time) a 15 second wait is imposed before the next guess.
3 If there have been 10 or more wrong guesses (regardless of time) a 60 second wait is imposed before the next guess.
4 CyberAudit-Web logs the first wrong attempt in the journal of changes then every 10th failure thereafter.

CyberAudit-Web sets a default value of 10 failed attempts.
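The following is an added example, not CyberAudit-Web code, that models the throttle and lockout rules listed above so the interaction between them can be traced: one guess per second, a 15 second wait once three guesses have failed, a 60 second wait once ten have failed, journal entries for the first failure and every tenth one after it, and disabling the login once the count exceeds the maximum. Time is passed in explicitly so the rules can be exercised without sleeping. The function and type names, the decision to reject a throttled guess without evaluating or counting it, and the reading of "every 10th failure thereafter" as failures 1, 11, 21 and so on are assumptions; the article does not pin those details down.

```python
"""Login throttle and lockout modelled on the rules described in the article.
Constructed example, not CyberAudit-Web code."""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 10  # the product default named in the article


@dataclass
class LoginState:
    failures: int = 0                      # wrong guesses since the last success
    last_failure: Optional[float] = None   # time of the most recent wrong guess
    disabled: bool = False
    journal: List[str] = field(default_factory=list)


def required_delay(failures: int) -> float:
    """Seconds that must elapse after a wrong guess before another guess is accepted."""
    if failures >= 10:
        return 60.0
    if failures >= 3:
        return 15.0
    return 1.0


def attempt_login(state: LoginState, supplied: str, expected: str, now: float) -> str:
    """Return one of 'ok', 'wrong_password', 'throttled', 'disabled'.

    Assumption: a guess arriving inside the throttle window is rejected without
    being evaluated or counted. The password comparison is constant-time so the
    throttle is not undermined by a timing side channel.
    """
    if state.disabled:
        return "disabled"
    if state.last_failure is not None and now - state.last_failure < required_delay(state.failures):
        return "throttled"
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        state.failures = 0
        state.last_failure = None
        return "ok"
    state.failures += 1
    state.last_failure = now
    # Journal the first failure, then every tenth one after it (1st, 11th, 21st, ...).
    if (state.failures - 1) % 10 == 0:
        state.journal.append(f"t={now:g}: wrong password, failure #{state.failures}")
    if state.failures > MAX_FAILED_ATTEMPTS:   # "exceeds the maximum" -> disable
        state.disabled = True
        state.journal.append(f"t={now:g}: login disabled after {state.failures} failures")
        return "disabled"
    return "wrong_password"


def run_sequence(attempts, expected: str = "correct horse") -> Tuple[List[str], LoginState]:
    """Feed (time, guess) pairs through one login and return the outcomes and final state."""
    state = LoginState()
    outcomes = [attempt_login(state, guess, expected, t) for t, guess in attempts]
    return outcomes, state


# Constructed guessing sequence against a single login (times in seconds)
THROTTLE_DEMO = [
    (0.0, "hunter2"),         # wrong -> failure 1, journaled
    (0.5, "hunter3"),         # inside the 1 s window -> throttled, not counted
    (1.0, "hunter3"),         # wrong -> failure 2
    (2.0, "hunter4"),         # wrong -> failure 3; the 15 s wait now applies
    (10.0, "hunter5"),        # throttled
    (17.0, "hunter5"),        # wrong -> failure 4
    (17.5, "correct horse"),  # right password, but still inside the 15 s wait
    (32.0, "correct horse"),  # accepted; the counter resets
]

# Eleven wrong guesses spaced 100 s apart, so no throttle window is ever hit
LOCKOUT_DEMO = [(100.0 * i, "hunter2") for i in range(11)]

if __name__ == "__main__":
    for (t, _), result in zip(THROTTLE_DEMO, run_sequence(THROTTLE_DEMO)[0]):
        print(f"t={t:>5}: {result}")
    _, locked = run_sequence(LOCKOUT_DEMO)
    print("disabled:", locked.disabled, "| journal entries:", len(locked.journal))
```

Note that the correct password at t=17.5 is refused: the throttle applies to the login, not to the guess, which is exactly what stops an attacker from racing guesses in parallel, and is also why a legitimate administrator who types the password wrong a few times will have to wait.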

Minimum Password Length - CyberAudit-Web sets a default value of 8 for this field. NIST SP 800-63B requires a minimum of 8 characters and recommends favoring length over composition rules: longer passwords are harder to guess, so raising this value is the most effective of the settings on this page.

Advanced Password Policies

These settings allow password expiration and stricter control of password format. NIST guidance since the 2016 draft of SP 800-63B recommends against both periodic expiration and composition rules, because they push people toward predictable passwords or toward writing them down; NIST instead recommends forcing a change only when there is evidence of compromise.

Available Settings:

  • Must change password every 0-999 days.
  • Must not be the same as the last 0-9 passwords. Values greater than 1 are discouraged because they require the server to retain a history of password hashes for each user.
  • Must have 0-64 uppercase letters.
  • Must have 0-64 lowercase letters.
  • Must have 0-64 numbers.
  • Must have 0-64 of the following special characters:

    `~!@#$%^&*()_+-={}[]\|:";',./<>?

    Special Characters: The default set of special characters is shown above. A different set may be specified in the config.properties file; if config.properties does not specify this value, the defaults are used. After changing config.properties, the application server must be restarted (not just the application) for the change to take effect in CyberAudit-Web.
  • Must not contain a subset of 0-32 characters of a previous password. This feature is deprecated and should not be used.

Note: Entering zero (0) in any of the password settings except "days" disables that setting.
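The following is an added example, not CyberAudit-Web code, showing how the format settings above combine: each count is a minimum, zero switches a rule off, and the password-history rule can only be enforced if salted hashes of the previous passwords are kept, which is the cost the history setting's note refers to. The PasswordPolicy fields, the function names and the use of PBKDF2 for the retained hashes are assumptions for the illustration; the default special-character set is the one listed above.

```python
"""Password-format check modelled on the Advanced Password Policies settings.
Constructed example, not CyberAudit-Web code."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Default special-character set from the article. The product reads an override
# from config.properties; here it is simply a constant.
DEFAULT_SPECIALS = "`~!@#$%^&*()_+-={}[]\\|:\";',./<>?"
PBKDF2_ROUNDS = 100_000

HashEntry = Tuple[bytes, bytes]  # (salt, digest) retained for each previous password


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8        # product default
    min_upper: int = 0         # for each rule below, 0 disables it
    min_lower: int = 0
    min_digits: int = 0
    min_special: int = 0
    history_depth: int = 0     # how many previous passwords are compared (0 disables)
    specials: str = DEFAULT_SPECIALS


def hash_password(password: str, salt: bytes = None) -> HashEntry:
    """Salted PBKDF2 hash. History enforcement requires keeping one of these per old password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches_entry(password: str, entry: HashEntry) -> bool:
    """Re-derive the digest under the entry's salt and compare in constant time."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate: str, policy: PasswordPolicy,
                   history: Sequence[HashEntry] = ()) -> List[str]:
    """Return the rules the candidate violates; an empty list means it is accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    counts = {
        "uppercase letters": (sum(c.isupper() for c in candidate), policy.min_upper),
        "lowercase letters": (sum(c.islower() for c in candidate), policy.min_lower),
        "numbers": (sum(c.isdigit() for c in candidate), policy.min_digits),
        "special characters": (sum(c in policy.specials for c in candidate), policy.min_special),
    }
    for name, (have, need) in counts.items():
        if need and have < need:          # need == 0 means the rule is switched off
            problems.append(f"needs at least {need} {name}, has {have}")
    if policy.history_depth:
        recent = list(history)[-policy.history_depth:]   # only the last N are compared
        if any(matches_entry(candidate, entry) for entry in recent):
            problems.append(f"matches one of the last {policy.history_depth} passwords")
    return problems


if __name__ == "__main__":
    strict = PasswordPolicy(min_upper=1, min_digits=1, min_special=1, history_depth=2)
    old = [hash_password("Tr0ub4dor&3")]           # constructed history for one user
    print(check_password("password", strict))
    print(check_password("Tr0ub4dor&3", strict, old))
    print(check_password("Tr0ub4dor&3", PasswordPolicy(), old))   # history rule disabled
```

The history check has to recompute a slow hash against every retained entry, which is why the depth is capped and why a depth above 1 costs the server both storage and verification time.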

On activation of the expiration policy, all users with auto-generated passwords will be prompted to change their password on their next login. The expiration policy does not affect users who are already logged in: an active session is not terminated when that user's password expires.
