There is a tremendous amount of material on the theory, use, and application of Passwords. In fact, there are over 3.25B Google hits for the word "password", whereas there are "only" 3.12B for the word "God". This article does not cover operational philosophy or effectiveness; it focuses instead on the Password Policy features that SSProtect makes available for your use.
To use SSProtect, you Login with a Username and Password combination. Your Password is meant to be a secret that nobody else knows, which helps prove that you are who you say you are. Password Policy is implemented to make certain that Users choose strong Passwords that are not easy for attackers to guess or "brute force". For example, the word "password" itself is a very common choice, and lists of the most common choices are published and used by attackers to break into a variety of services relied on by unsuspecting users.
Password Policy Details
Password Policy allows Privileged Organization Users - Administrators and Delegates - to create requirements for Passwords used by Unprivileged Organization Users. Individual Account holders that work independently can also manage their own Password Policy.
Password Policy serves both as a reminder to change your Password on a regular basis and as a way to define minimum requirements once and then forget about them: you will be forced to adhere to them later. If, as an Individual Account holder, you later transition to an Organization, your Password Policy migrates to become the global setting for future Users you deploy.
Password Policies are optional, and can be added, changed, or removed at any time. Policy Requirements include:
- The minimum number of characters in a Password
- The length of time before a Password has to be changed
- The required set of character types that must be included
Setting Password Policy
An Organization's Password Policy is configured from the Administer Users display, which can be reached from the notification icon's context menu. Individual Account holders find the same entry point in the Account Configuration display, also accessible from the notification icon's context menu.
On the right side of either display you will see a Pwd Policy or Policy Active checkbox, which is checked if a policy is in effect and unchecked otherwise. Choose the Pwd Policy button to display and modify the details:
First, check (or uncheck) Use Policy to decide whether a Password Policy is enforced at all. Then set the Min Length, the duration (Change After), and the required character types (the Lowercase, Uppercase, Number, and Symbol checkboxes) you want to require for Passwords. For example, if you want to make sure a Password includes at least one number and one symbol, check the Number and Symbol checkboxes. Leaving the Lowercase and Uppercase checkboxes unchecked allows Passwords that do not include any letters at all. Unless you have good reason not to, you may want to check the Lowercase checkbox to avoid confusion; note that SSProtect does not require this.
A Policy can require a Min Length of at most 15 characters, and Change After can be set to at most 254 days.
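The following is an added example, not code from SSProtect or DefiniSec, that models the dialog's settings as described above (Use Policy, Min Length, Change After, and the four character-type checkboxes, with the 15-character and 254-day limits) and checks a candidate Password against them. The definition of a "symbol" as any printable non-alphanumeric, non-space character is an assumption; the article does not define it.

```python
from dataclasses import dataclass
from typing import List

MAX_MIN_LENGTH = 15     # largest Min Length the Pwd Policy dialog accepts
MAX_CHANGE_AFTER = 254  # largest Change After value, in days


@dataclass(frozen=True)
class PasswordPolicy:
    use_policy: bool = True      # the Use Policy checkbox
    min_length: int = 8          # Min Length
    change_after_days: int = 90  # Change After
    lowercase: bool = False      # required character-type checkboxes
    uppercase: bool = False
    number: bool = False
    symbol: bool = False

    def __post_init__(self) -> None:
        # Reject settings the dialog itself would not let you request.
        if not 1 <= self.min_length <= MAX_MIN_LENGTH:
            raise ValueError(f"Min Length must be between 1 and {MAX_MIN_LENGTH}")
        if not 1 <= self.change_after_days <= MAX_CHANGE_AFTER:
            raise ValueError(f"Change After must be between 1 and {MAX_CHANGE_AFTER} days")


def is_symbol(ch: str) -> bool:
    # Assumption: a symbol is any printable character that is neither
    # alphanumeric nor whitespace (e.g. "!", "#", "-").
    return ch.isprintable() and not ch.isalnum() and not ch.isspace()


def check_password(policy: PasswordPolicy, password: str) -> List[str]:
    """Return the requirements the Password fails; an empty list means it is accepted."""
    if not policy.use_policy:
        return []  # no Policy in effect, nothing to enforce
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than Min Length {policy.min_length}")
    # Each checkbox demands at least one character of that type.
    required = [
        ("Lowercase", policy.lowercase, str.islower),
        ("Uppercase", policy.uppercase, str.isupper),
        ("Number", policy.number, str.isdigit),
        ("Symbol", policy.symbol, is_symbol),
    ]
    for name, wanted, predicate in required:
        if wanted and not any(predicate(ch) for ch in password):
            failures.append(f"missing a {name} character")
    return failures
```

As the article notes, a Policy with Lowercase and Uppercase unchecked accepts an all-digit-and-symbol Password.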
Requesting Immediate Changes
In some cases, companies managing a security incident will require that all Users change their Password on next Login. You can force this by choosing the Force Reset on Next Login option. Existing User Login Sessions remain valid; however, the next time a User has to Login, he or she will be forced to update their Password before they can continue.
Password Policy applies to all Users, including Privileged Delegates and Administrators. This means changes will apply to your Account and go into effect the next time you Login. If you force immediate changes, you will need to update your Password the next time you Login. This is one way for Individual Account holders to reset their own passwords.
Honeypot Passwords and Password Reset
Password Policy does not apply to Honeypot Passwords, though when you execute a Password Reset request, the Honeypot Password is reset along with your Login Password. As noted in the related Honeypot documentation, its Password should be set early in the lifecycle of SSProtect usage, or immediately after a Reset. See the article Deploying Honeypots for more details.
Password Reset is different from changing your Password due to Policy or by manually executing a change. Both of the latter require your existing Password, whereas a Reset request is used when you have forgotten your Login Password. The procedure is similar to the one used when Organization Users Register an Account, and you will be reminded to set your Honeypot Password on a subsequent Login.
When you are finished declaring your Password Policy, select OK. Changes are immediately committed to your and/or your Organization's configuration. If you are using two-factor authentication, you will be asked to provide the second factor before policy changes are saved. If there is a problem, you will receive an error message; otherwise a simple success message is printed at the bottom of the Administer Users dialog.
How Changes Affect Users
Users are prompted to change their Passwords on SSProtect Login, when applicable. Notices that an Account's Password is about to expire start 5 days before expiration and are presented after you provide a valid Password during Login. Users can change their Password at any time during this 5-day period. When 0 days remain, the Password is expired and SSProtect cannot be used until a new Password is created. Do this by choosing Yes when prompted to make the change.
When a Password Policy is changed, existing Users do not have to respond on their next Login unless the Policy calls for it. Instead, existing Users are given a Grace Period before Password expiration. This period is equal to one tenth of the Policy's newly configured duration. Therefore, if you apply a Policy that allows 100 days before a change is required, all existing Users have 10 days to make the change (with notices presented during Login starting 5 days out). If for some reason you choose a duration of less than 10 days, all Users still get at least one day. This does NOT apply when the Policy calls for an immediate change.
Once Users have changed their Passwords under the new Policy, each new Password remains valid for the full duration of the (unchanged) Password Policy. When the Policy is modified again, the Grace Period again goes into effect.
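The timeline described above, as an added example that is not part of the original article: the Grace Period after a Policy change (one tenth of the new duration, at least one day), the 5-day notice window, expiry at 0 days, and the Force Reset on Next Login override. Two details are assumptions because the article does not state them: the one-tenth figure is rounded down to whole days, and when a Policy changes after a User's last Password change the Grace Period counts from the date of the Policy change.

```python
from datetime import date, timedelta
from typing import Optional

NOTICE_DAYS = 5  # expiry notices begin this many days before expiration


def grace_period_days(new_change_after_days: int) -> int:
    """Grace Period granted to existing Users when a Policy is changed.

    One tenth of the new Change After duration, but never less than one day.
    Assumption: fractions of a day are rounded down.
    """
    return max(1, new_change_after_days // 10)


def expiry_date(last_changed: date, change_after_days: int,
                policy_changed_on: Optional[date] = None) -> date:
    """Date on which the Password expires.

    Normally last_changed + Change After. If the Policy was modified after
    the User's last Password change, the Grace Period applies instead,
    counted (assumption) from the day the Policy was changed.
    """
    if policy_changed_on is not None and policy_changed_on > last_changed:
        return policy_changed_on + timedelta(days=grace_period_days(change_after_days))
    return last_changed + timedelta(days=change_after_days)


def login_status(today: date, expires: date, force_reset: bool = False) -> str:
    """What a User sees at Login.

    'must_change': Force Reset on Next Login is set, change before continuing
    'expired':     0 days remain, SSProtect is unusable until a new Password is set
    'notice':      within the 5-day notice window, change is optional for now
    'ok':          nothing to do
    """
    if force_reset:
        return "must_change"
    remaining = (expires - today).days
    if remaining <= 0:
        return "expired"
    if remaining <= NOTICE_DAYS:
        return "notice"
    return "ok"
```

Using the article's own figures, a new 100-day Policy applied on a given day gives existing Users 10 days, with notices from day 5 onward.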
Organization Validation with Administrator Changes
A Password change due to Policy does not require Validation, unlike an on-demand Password Reset request, which does. For example, when an Organization User forgets his/her Password and asks a Privileged Organization User to Reset it, he/she is sent a temporary password via email. That password is used for his/her next Login, at which point he/she must supply a new Password that meets the Policy requirements for length and character content. A Privileged Organization User must then Validate the Account before it can continue to be used.
Validation is required because the temporary password is sent in unsecured email. It gives a Privileged Organization User the opportunity to check with the User and ensure that he/she, rather than an attacker who intercepted the email, performed the Login and set the new Password. This is critical because of the ease with which Organization data can be shared.
Note that the Organization Administrator and Individual Account holders do not follow a Validation process, though they do require Exported Keys for Password Reset. Speak to DefiniSec Support if you need a Password Reset or have problems accessing your Account while working through the Reset procedure.
For More Information
For information regarding product features and content, consult the Document Index, or send email with specific questions to firstname.lastname@example.org.
This article was updated with v9.1.0 of the :Foundation Client