Password Configuration - Strength and Timeouts

This page explains the default behavior of password policies in nVIRO, offers guidance for managing password security, and provides details on configurable deployment settings.


Password Strength Policy

nVIRO enforces a password policy designed to enhance security:

  • Minimum Password Length: Configurable via the PASSWORD_REGEX setting.

  • Character Requirements: Enforced using a regular expression that requires:

    • At least 8 characters.

    • At least one uppercase letter.

    • At least one lowercase letter.

    • At least one number.

    • At least one special character.


Password Timeout Policy

Timeout settings in nVIRO enhance security by enforcing expiration and lockout mechanisms:

Session Timeout

  • User sessions are automatically logged out after a defined period of inactivity.

Password Expiration

  • Default expiration interval: 90 days, configurable via the APP_SRV_SETTING.DFLT_PASSWORD_EXPR_IN_DAYS setting.

Account Lockout

  • Accounts are temporarily locked after repeated unsuccessful login attempts. Settings are not shown in the screenshot but may be predefined.


Deployment Configuration Options

Administrators can configure password-related settings using the Deployment Settings. Below are key variables:

  1. Password Reset Token Timeout:

    • APP_SRV_SETTING.RESET_PASSWORD_TOKEN_TIMEOUT_IN_SECONDS:

      • Defines the validity period (in seconds) of a password reset token.

      • Default: 14400 seconds (4 hours).

  2. Password Complexity:

    • PASSWORD_REGEX:

      • Regular expression defining the complexity requirements for passwords.

      • Default: (?=^.{8,}$)(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\\W_]).*$

    • PASSWORD_REGEX_MISMATCH_MSG:

      • Message displayed to users when a password fails the complexity validation.

  3. Password Expiration Notifications:

    • APP_SRV_SETTING.PASSWORD_EXPR_NOTIF_DAYS_LEFT:

      • Number of days before expiration that users receive notifications.

      • Default: 10 days.

  4. Password Reuse Restrictions:

    • APP_SRV_SETTING.MAX_PASSWORD_REUSE_CK_CNT:

      • Number of previous passwords stored to prevent reuse.

      • Default: 24.

  5. Password Expiration Interval:

    • APP_SRV_SETTING.DFLT_PASSWORD_EXPR_IN_DAYS:

      • Number of days before a password expires.

      • Default: 90 days.

  6. reCAPTCHA for Password Reset:

    • ENV_KEYS.RESET_PASSWORD_RECAPTCHA:

      • Enables reCAPTCHA during password reset requests.

      • Default: 0 (disabled).

  7. Notification History URL Visibility:

    • NOTIF.SHOW_PASSWORD_RESET_URLS_IN_NOTIF_HIST:

      • Toggles visibility of password reset URLs in notification history.

      • Default: 0 (hidden).
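
A pre-deployment check for a PASSWORD_REGEX value, added here as an example and not nVIRO's own code: it runs the default pattern over constructed passwords and shows what happens if the doubled backslashes reach the regex engine literally. The Python `re` engine, the helper names, and the reading of `\\d` as an escaped `\d` are assumptions; nVIRO's regex engine may behave differently.

```python
import re

# Default from this page, reading the doubled backslashes as string escaping
# (assumption), so the regex engine sees \d and [\W_].
DEFAULT_REGEX = r"(?=^.{8,}$)(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\W_]).*$"
# The same value if both backslashes reach the engine unchanged.
LITERAL_REGEX = r"(?=^.{8,}$)(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\\W_]).*$"

# Constructed test vectors: (candidate password, should the policy accept it?)
VECTORS = [
    ("Str0ng!Pass", True),    # meets every rule
    ("Sh0rt!a", False),       # 7 characters
    ("alllower1!", False),    # no uppercase letter
    ("ALLUPPER1!", False),    # no lowercase letter
    ("NoDigits!!", False),    # no number
    ("NoSpecial11", False),   # no special character
    ("Under_score1", True),   # "_" counts as special through [\W_]
    ("Pass word1", True),     # a space is \W, so it counts as special
    ("Password1!", True),     # predictable, yet passes composition rules
]

def accepts(pattern, password):
    """True when the password satisfies the policy regex."""
    return re.match(pattern, password) is not None

def audit(pattern, vectors=VECTORS):
    """Return the vectors whose result differs from the expectation."""
    return [(pw, want) for pw, want in vectors if accepts(pattern, pw) != want]

def with_min_length(pattern, n):
    """Derive a candidate regex with a different minimum length."""
    if "{8,}" not in pattern:
        raise ValueError("length quantifier {8,} not found")
    return pattern.replace("{8,}", "{%d,}" % n)

if __name__ == "__main__":
    print("default mismatches:", audit(DEFAULT_REGEX))
    print("literal form mismatches:", audit(LITERAL_REGEX))
    print("12-char variant:", with_min_length(DEFAULT_REGEX, 12))
```

An empty mismatch list means the pattern behaves as the vectors expect; the literal double-backslash form rejects every compliant vector because it demands a backslash followed by "d" in the password itself.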


Best Practices for Password Management

  • Enable multi-factor authentication (MFA) for an additional layer of security.

  • Train users to create strong passwords and recognize phishing attempts.

  • Use a password manager for storing secure, unique passwords.

