Password Management and Security Guidelines
Overview
This page explains the default behavior of password policies in nVIRO and nSPECT, offers guidance for managing password security, and provides details on configurable deployment settings.
Password Strength Policy
nVIRO enforces a password policy designed to enhance security. When creating or updating a password in nVIRO, users must meet the following complexity rules:
Minimum of eight characters
Must include at least:
One uppercase letter
One lowercase letter
One number
One special character
These requirements are configurable via the PASSWORD_REGEX setting.
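Because the complexity rules live in a single regular expression, an edit to PASSWORD_REGEX can silently drop one of them. The following added example (not part of the product or its documentation) audits a candidate pattern against the rules listed above; both regexes, the sample passwords, and the definition of "special character" are assumptions constructed for illustration.

```python
import re

# Assumption: candidate PASSWORD_REGEX built from the rules on this page.
# It is not the product's shipped default, and the regex flavor is assumed
# to support lookaheads.
CANDIDATE_REGEX = r"^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[^A-Za-z0-9\s]).{8,}$"
# A weakened pattern of the kind that can slip in during an edit (constructed).
WEAK_REGEX = r"^(?=.*[A-Za-z])(?=.*\d).{8,}$"

# One independent check per documented rule. "Special character" is taken to
# mean any non-alphanumeric, non-whitespace character (assumption).
RULES = {
    "min_length_8": lambda p: len(p) >= 8,
    "uppercase": lambda p: re.search(r"[A-Z]", p) is not None,
    "lowercase": lambda p: re.search(r"[a-z]", p) is not None,
    "number": lambda p: re.search(r"[0-9]", p) is not None,
    "special": lambda p: re.search(r"[^A-Za-z0-9\s]", p) is not None,
}

# Constructed sample passwords: two compliant, six that each break a rule.
SAMPLES = ["Summer2024!", "password1", "SHORT1!a", "Ab1!xyz",
           "NoSpecial123", "nouppercase1!", "NOLOWERCASE1!", "NoDigits!!"]

def checklist(password):
    """Per-rule pass/fail, usable to explain a rejection to the user."""
    return {name: rule(password) for name, rule in RULES.items()}

def audit_regex(pattern, samples=SAMPLES):
    """Return (password, rules_ok, regex_ok) where regex and rules disagree."""
    compiled = re.compile(pattern)
    mismatches = []
    for pw in samples:
        rules_ok = all(checklist(pw).values())
        regex_ok = compiled.fullmatch(pw) is not None
        if rules_ok != regex_ok:
            mismatches.append((pw, rules_ok, regex_ok))
    return mismatches

if __name__ == "__main__":
    for name, pattern in [("candidate", CANDIDATE_REGEX), ("weak", WEAK_REGEX)]:
        bad = audit_regex(pattern)
        print(name, "OK" if not bad else f"{len(bad)} mismatches")
        for pw, rules_ok, regex_ok in bad:
            failed = [r for r, ok in checklist(pw).items() if not ok]
            print(f"  {pw!r}: regex accepts={regex_ok}, failed rules={failed}")
```

Run the audit against any replacement pattern before deploying it, and pair the pattern with a matching Password Complexity Validation Message so users see which rule they missed.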
Password Expiration and Lockout Policies
nVIRO also enforces the following account security settings:
Session Timeout: User sessions automatically log out after a defined period of inactivity.
Password Expiration: Passwords expire by default after 90 days, though this interval is configurable via the APP_SRV_SETTING.DFLT_PASSWORD_EXPR_IN_DAYS setting.
Account Lockout: Accounts are temporarily locked after repeated unsuccessful login attempts. Lockout settings may be predefined.
Deployment Configuration Options
Administrators can configure password-related settings via Deployment Settings. Key variables are described below.
| Variable | Setting | Description | Default |
|---|---|---|---|
| Password Reset Token Timeout | | Validity period (in seconds) of password reset tokens. | 14400 seconds (4 hours) |
| Password Complexity | | Regular expression defining password complexity requirements. | |
| Password Complexity Validation Message | | Message displayed when a password fails the complexity validation. | N/A |
| Password Expiration Notifications | | Number of days before expiration that users receive notifications. | 10 days |
| Password Reuse Restrictions | | Number of previous passwords stored to prevent reuse. | 5 |
| Password Expiration Interval | | Number of days before a password expires. | 90 days |
| reCAPTCHA for Password Reset | | The option to enable reCAPTCHA during password reset requests. | 0 (disabled) |
| Notification History URL Visibility | | The option to toggle visibility of password reset URLs on or off in notification history. | 0 (hidden) |
nSPECT Password Configuration
nSPECT uses a local login and password system, independent of nCORE-authenticated applications. Credentials are managed directly within the nSPECT app.
Password Strength Policy
When creating or updating a password in nSPECT, users must meet the following complexity rules:
Minimum of eight characters
Must include at least:
One uppercase letter
One lowercase letter
One number
One special character
A dynamic checklist is displayed during password creation to show compliance.
Password Expiration and Lockout Policies
nSPECT also enforces the following password expiration and account lockout mechanisms to enhance security:
Password Expiration: Passwords expire by default after 90 days. This can be modified at deployment.
Account Lockout: Accounts are automatically locked after nine failed login attempts. To unlock, users must reset their password.
Reset and Recovery: Users can reset passwords via the "Forgot Password?" link, using security questions or a recovery email, if configured.
Best Practices for Password Management
To strengthen account protection, agencies should follow established best practices when managing passwords. Recommended measures include:
Enabling multi-factor authentication (MFA) for an additional layer of security
Training users to create strong passwords and recognize phishing attempts
Using a password manager to store secure, unique passwords
nSPECT password policies are not governed by nCoreAuth, but the default password strength settings mirror nVIRO standards for consistency. Agencies using both nVIRO and nSPECT should align expiration, complexity, and recovery policies across platforms to minimize support issues.