Online GuideTutorials & GuidesNewsNetset PDB

Password Policy

This function lets you create and edit password policies. Policies can be applied to specific customer or customer group in the customer or customer group editor. Creating a single policy will have that policy apply to all users and administrators. If no policy is created, the default global Netset policy will apply. If you are running a portal solution, you are able to edit the global policy or create different policies for different retailers.

The settings for required lengths or characters will only apply when a user creates or changes their password, not to already existing passwords. If "Period of validity in days" is defined with the policy, the user will be forced to apply the password policy upon next change of password.

The default password policy has been created by Netset by following OWASP and other best industry practices for good security. Note; Things that seem to make passwords more secure might actually do the opposite because of unintended effects on user behavior. For example, if passwords have to be complex and changed often users might start writing them down on paper left by their desk, leaving them more exposed.

Password policy editor

Setting
Meaning

Name

Label of password policy

Minimum amount of characters in a password

How many characters (letters, numbers, or others) the password must contain.

Amount of uppercase letters required

Characters like A, X, T

Lower case letters required

Characters like a, x, t

Amount of numbers required

characters like 0, 2, 7

Amount of special characters required

Special characters like #, @, & (Anything except letters and numbers is a special character)

Period of validity in days

How many days until a password expires and must be changed.

If 0, passwords do not expire

Number of passwords that cannot be reused

How many different passwords until repeats are allowed.

For example, if the number is 3 then a new password must be different to the previous three passwords. If 0, password can be the same as last password.

Number of allowed failed attempts before blocking account

After the wrong password has been entered this many times, user is blocked from logging in for some time.

Number of minutes to block account

How many minutes the above block lasts.

Block account until admin unblocks

If checked, the block will not expire by itself but will only unblock via administrator action.

Last updated