Introduction
The archive employs a password strength algorithm when setting the passwords of user accounts. The algorithm attempts to score a password’s ability to be guessed or compromised in a brute-force attack.
When a user sets their password, a strength indicator displays how vulnerable the password might be to a cracking attempt. The indicator displays four strengths – Risky, Somewhat guessable, Good and Excellent.
System administrators can set a minimum password strength that is required when applying account passwords. A user is forced to enter a password that meets, or exceeds, the minimum required password strength.
It is recommended that the minimum password strength is set to the highest level – Excellent.
To ensure passwords are frequently changed, the archive can assess the number of days that have elapsed since a password was set or last reset. A user can be prompted or forced to reset their password once a password is deemed to have ‘expired’ (i.e. when the password age exceeds the password age limit). By default, the password age limit is set to 180 days.
The User accounts page, where user accounts are listed, will display the age of a password, allowing administrators to identify accounts that should be reset.
Not all accounts are governed by the age limit behaviour. External accounts, where authentication is carried out by an Identity Provider, and Shared accounts are not subject to password age limits.
Both password strength and age limit settings are applied in the archive’s Preferences page.
To display the Preferences page, navigate to:
- Main Menu
- Administration tab
- Preferences hyperlink
Applying a minimum password strength
- Navigate to the archive’s Preferences page.
- With the Archive settings tab selected, scroll down to the Password Security heading.
- Under the Strength meter subheading, select a strength value from the Minimum required strength popup menu.
- Click Save & Close.
Applying a password age limit and reset behaviour
- Navigate to the archive’s Preferences page.
- With the Archive settings tab selected, scroll down to the Password Security heading.
- Under the Age limit subheading, in the Age limit in days field, enter the number of days that should elapse before a password is considered ‘expired’.
Note: setting the number of days to zero will turn off the password age limit completely.
- Set the Prompt users to reset expired passwords field to Yes to prompt a password reset when a user logs in.
Alternatively, set the Force users to reset expired passwords field to Yes to force a password reset when a user logs in.
Set both fields to No if you wish to leave expired passwords unchecked.
- Click Save & Close.