From Bright Pattern Documentation

Security Policy

Your system can be configured to automatically lock out a user account after a number of unsuccessful login attempts. An account locked out in this manner can subsequently be unlocked either manually or automatically after a configured timeout.

You can also configure the system to force your users to change their passwords after a specified number of days, prevent them from submitting previously used passwords, and automatically disable inactive accounts.

Note that your service provider may also impose some password complexity rules, such as minimum password length, mandatory use of various character groups, and exclusion of weak passwords (e.g., usernames). If any such rules are imposed, you cannot change them. You should get a description of these rules from your service provider and inform your personnel about them.

To configure security policy settings, select the Security Policy option from the Security menu.


Security > Security Policy


The Security Policy screen properties are described in the following table:

Security Policy screen properties

Enable lockouts: Indicates whether the account lockout option is enabled. To comply with the PCI DSS security standard, this option must be enabled.

Maximum login attempts: The number of consecutive unsuccessful login attempts after which the account will be locked out. To comply with the PCI DSS security standard, set this parameter to at least 6 attempts.

Reset attempt count after: The amount of time after which the counter of unsuccessful login attempts will be reset.

Lockout duration: The amount of time after which a locked-out account will be unlocked automatically. To disable auto-unlocking, set this parameter to "0"; in this case, locked-out accounts can only be unlocked manually. To comply with the PCI DSS security standard, set this parameter to at least 30 minutes.

Password history: Prevents a user from submitting a new password that matches any of the specified number of passwords they used previously. To comply with the PCI DSS security standard, select the checkbox and set the number to 4 (or greater).

Expiration policy: Specifies (1) how often users will be required to change their passwords and (2) after how many days inactive user accounts will be disabled. To comply with the PCI DSS security standard, set both parameters to no more than 90 days.
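
The following added example (not Bright Pattern code) models how the Maximum login attempts, Reset attempt count after, and Lockout duration settings interact, including the "0" case where only a manual unlock clears the lock. All class and field names are hypothetical, the 15-minute reset value is constructed, and it assumes the reset window is measured from the last failed attempt and that a successful login clears the counter.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    max_attempts: int = 6          # "Maximum login attempts"
    reset_after_s: int = 15 * 60   # "Reset attempt count after" (constructed value)
    lockout_s: int = 30 * 60       # "Lockout duration"; 0 means manual unlock only

@dataclass
class Account:
    failures: int = 0
    last_failure: Optional[float] = None
    locked_at: Optional[float] = None

class LockoutTracker:
    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}

    def unlock(self, user):
        self.accounts[user] = Account()  # manual unlock: clear all lockout state

    def is_locked(self, user, now):
        acct = self.accounts.setdefault(user, Account())
        if acct.locked_at is None:
            return False
        duration = self.policy.lockout_s
        if duration > 0 and now - acct.locked_at >= duration:
            self.unlock(user)            # timed auto-unlock
            return False
        return True                      # duration 0: stays locked until unlock()

    def attempt(self, user, password_ok, now):
        """Record one login attempt; return 'ok', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"              # a correct password is refused while locked
        if password_ok:
            self.unlock(user)            # assumption: success clears the counter
            return "ok"
        acct = self.accounts[user]
        if acct.last_failure is not None and now - acct.last_failure >= self.policy.reset_after_s:
            acct.failures = 0            # quiet period elapsed: streak starts over
        acct.failures += 1
        acct.last_failure = now
        if acct.failures >= self.policy.max_attempts:
            acct.locked_at = now
            return "locked"
        return "denied"
```
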
