This page provides guidance on configuring password strength and timeout settings in nVIRO to enhance security and ensure compliance with organizational policies. It explains the default behavior of password policies in nVIRO, offers guidance for managing password security, and provides details on configurable deployment settings.
Password Strength
Policy
nVIRO enforces a password policy designed to enhance security:
Minimum Password Length
Enforce a minimum length for all passwords.
Recommended: At least 12 characters.
Character Requirements
Ensure passwords include a mix of character types. Configurable via the PASSWORD_REGEX setting, and enforced using a regular expression that requires:
At least 8 characters.
At least one uppercase letter (A–Z).
At least one lowercase letter (a–z).
At least one number (0–9).
At least one special character (e.g., !@#$%^&*).
Prohibited Passwords
Prevent the use of common passwords, dictionary words, or previously breached passwords.
Enable integration with external password blacklist services if available.
Password Timeout Configuration
Timeout settings help mitigate unauthorized access by enforcing session and password expiration policies. nVIRO supports the following options:
Session Timeout
Automatically log users out after a period of inactivity.
Recommended: Set a timeout between 15–30 minutes of inactivity.
Password Expiration
Require users to change passwords periodically.
Recommended: Set expiration intervals of 60–90 days.
Account Lockout Policy
Temporarily lock user accounts after a specified number of failed login attempts.
Recommended: Lock accounts after 5 unsuccessful attempts.
Suggested lockout duration: 15 minutes.
Best Practices for Password Management
Encourage the use of password managers to generate and store secure passwords.
Educate users on recognizing phishing attempts and securing their credentials.
Password Timeout Policy
Timeout settings in nVIRO enhance security by enforcing expiration and lockout mechanisms:
Session Timeout
User sessions are automatically logged out after a defined period of inactivity.
Password Expiration
Default expiration interval: 90 days, configurable via APP_SRV_SETTING.DFLT_PASSWORD_EXPR_IN_DAYS.
Account Lockout
Accounts are temporarily locked after repeated unsuccessful login attempts. Settings are not shown in the screenshot but may be predefined.
Deployment Configuration Options
Administrators can configure password-related settings using the Deployment Settings. Below are key variables:
Password Reset Token Timeout:
APP_SRV_SETTING.RESET_PASSWORD_TOKEN_TIMEOUT_IN_SECONDS: Defines the validity period (in seconds) of a password reset token.
Default: 14400 seconds (4 hours).
Password Complexity:
PASSWORD_REGEX: Regular expression defining the complexity requirements for passwords.
Default: (?=^.{8,}$)(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\\W_]).*$
PASSWORD_REGEX_MISMATCH_MSG: Message displayed to users when a password fails the complexity validation.
Password Expiration Notifications:
APP_SRV_SETTING.PASSWORD_EXPR_NOTIF_DAYS_LEFT: Number of days before expiration that users receive notifications.
Default: 10 days.
Password Reuse Restrictions:
APP_SRV_SETTING.MAX_PASSWORD_REUSE_CK_CNT: Number of previous passwords stored to prevent reuse.
Default: 24.
Password Expiration Interval:
APP_SRV_SETTING.DFLT_PASSWORD_EXPR_IN_DAYS: Number of days before a password expires.
Default: 90 days.
reCAPTCHA for Password Reset:
ENV_KEYS.RESET_PASSWORD_RECAPTCHA: Enables reCAPTCHA during password reset requests.
Default: 0 (disabled).
Notification History URL Visibility:
NOTIF.SHOW_PASSWORD_RESET_URLS_IN_NOTIF_HIST: Toggles visibility of password reset URLs in notification history.
Default: 0 (hidden).
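The following is an added example, not nVIRO code, for trying candidate passwords against the default PASSWORD_REGEX documented above before changing the setting. It assumes the doubled backslashes in the documented default are configuration-file escaping and that Python's regex engine treats this pattern the same way as the engine nVIRO uses; the 12-character variant, the denylist and the function name are hypothetical.

```python
import re

# Default PASSWORD_REGEX from this page, with the doubled backslashes
# (assumed to be config-file escaping) collapsed to single ones.
DEFAULT_REGEX = r"(?=^.{8,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W_]).*$"

# Hypothetical stricter variant: same character classes, but with the
# 12-character minimum this page recommends instead of the default 8.
STRICT_REGEX = DEFAULT_REGEX.replace("{8,}", "{12,}")

# Constructed stand-in for a prohibited-password list (not nVIRO data).
DENYLIST = {"password1!", "welcome123!", "qwerty123!"}

# The individual character classes the regex requires, used only to
# explain a rejection; the full regex remains the accept/reject decision.
RULES = [
    ("digit", r"\d"),
    ("lowercase letter", r"[a-z]"),
    ("uppercase letter", r"[A-Z]"),
    ("special character", r"[\W_]"),  # also matches spaces and underscores
]


def explain(candidate, pattern=DEFAULT_REGEX):
    """Return the reasons a candidate is rejected; empty list = accepted."""
    reasons = []
    if re.match(pattern, candidate) is None:
        missing = [name for name, cls in RULES if not re.search(cls, candidate)]
        detail = ("missing " + ", ".join(missing) if missing
                  else "too short or contains a line break")
        reasons.append("fails PASSWORD_REGEX: " + detail)
    # Complexity alone accepts well-known passwords such as "Password1!",
    # so the prohibited-password check is applied independently.
    if candidate.lower() in DENYLIST:
        reasons.append("on prohibited-password list")
    return reasons


if __name__ == "__main__":
    samples = ["Abcdef1!", "Password1!", "abcdefgh1!", "Passw0rd word"]
    for pw in samples:  # constructed sample passwords
        print(f"{pw!r:18} default={explain(pw)} strict={explain(pw, STRICT_REGEX)}")
```
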
Best Practices for Password Management
Enable multi-factor authentication (MFA) for an additional layer of security.
Train users to create strong passwords and recognize phishing attempts.
Use a password manager for storing secure, unique passwords.