Creating a Password Policy - Legacy Authentication Methods - Foundation 23.1 - Foundation 23.1 - Ready - OnBase - Essential - Premier - Standard - external - Standard - Essential - Premier

Legacy Authentication Methods

Platform
OnBase
Product
Legacy Authentication Methods
Release
Foundation 23.1
License
Standard
Essential
Premier
Note:

Password policies are only enforced for standard OnBase authentication. With Active Directory or LDAP authentication, only the Lockout After Idle <n> Days Password Policy setting is respected.

To create a password policy:

  1. Select Users | Password Policies.
  2. The Password Policies dialog box is displayed:
  3. Right-click and select New Policy or select the New Policy toolbar button:
  4. The Password Policy dialog box is displayed:
  5. Type a unique name for the password policy in the Policy Name field.
  6. Type a description of the password policy in the Description field.
  7. Configure the remaining settings in the Password Policy dialog box. These settings are described in the tables below.
    Note:

    For settings that include a text field, the number entered in the text field must be greater than 0.

    Use a combination of options in the Password Policy dialog box to create a restrictive password policy. For example, select all four check boxes in the Content Quotas section. Use a value of 3 for Require <n> Alphabetic Characters, Require <n> Numeric Characters, and Require <n> Special Characters. Use a value of 2 for Satisfy at Least <n> Quota Rules. Select the Maximum Overall Length check box and specify a value of 6. In this example, the Maximum Overall Length setting works together with the Content Quotas settings to provide a restrictive password policy.

    Complexity

    Description

    Require Alphanumeric Characters Only

    When selected, the password can only contain alphanumeric characters (letters and/or numbers).

    Disallow Embedded User Name

    When selected, the password cannot contain the user's OnBase user name.

    Maximum Repeated Consecutive Characters

    When selected, the number in the corresponding text field is the maximum number of repeated consecutive characters that the password can contain.

    For example, if this number is set to 2, password is an allowable password, while passsword is not allowed.

    Common Substring Maximum Length

    When selected, the number in the corresponding text field is the maximum number of common, consecutive characters that can be reused in a new, user-entered password.

    For example, if this number is set to 3, and the current password is PASS123, a new user-entered password could be PAS3210 or 0123PAS but could not be, for instance, PASS321 or 123PASS. Since PASS represents more than three common, consecutive characters between the old password and new password, PASS cannot be used anywhere in the new password.

    Maximum Overall Length

    When selected, the number in the corresponding text field is the maximum number of characters that the password can contain.

    Minimum Overall Length

    When selected, the number in the corresponding text field is the minimum number of characters that the password can contain.

    Content Quotas

    Description

    Require <n> Alphabetic Characters

    When selected, the number in the corresponding text field is the minimum number of alphabetic characters that the password must contain.

    Require <n> Numeric Characters

    When selected, the number in the corresponding text field is the minimum number of numeric characters that the password must contain.

    Require <n> Special Characters

    When selected, the number in the corresponding text field is the minimum number of special characters that the password must contain.

    Special characters are the following characters: ~ ' ! @ # $ % ^ & * ( ) _ - + = [ { ] } \ | ; : ' " , < . > / ?

    Require <n> Uppercase Characters

    When selected, the number in the corresponding text field is the minimum number of uppercase characters that the password must contain.

    Require <n> Lowercase Characters

    When selected, the number in the corresponding text field is the minimum number of lowercase characters that the password must contain.

    Satisfy at Least <n> Quota Rules

    When selected, the number in the corresponding text field is the minimum number of configured Content Quotas that the password needs to satisfy to be considered a valid password. This number must be less than the number of configured Content Quotas.

    For example, a password policy requires that passwords include five alphabetic characters and five special characters. The Satisfy at Least <n> Quota Rules setting is set to 1. In this example, the following passwords all satisfy the configured Content Quotas:

    • Keyword

    • 12345

    • Keyword12345

    Note:

    The MANAGER and ADMINISTRATOR User Groups are exempt from Rotation settings.

    Rotation

    Description

    Prevent Reuse

    When selected, previously used passwords cannot be reused.

    Note:

    This setting cannot be used in conjunction with the Prevent Reuse Within <n> Changes or Prevent Reuse Within <n> Days settings.

    Prevent Reuse Within <n> Changes

    When selected, previously used passwords can be reused. The number in the corresponding text field is the minimum number of password changes that must occur before a previously used password can be reused.

    For example, a password policy dictates that when users change their password, the new password cannot match one of their previous four passwords. In this example, the Prevent Reuse Within <n> Changes setting should be 4.

    Prevent Reuse Within <n> Days

    When selected, previously used passwords can be reused. The number in the corresponding text field is the minimum number of days that must pass before a previously used password can be reused.

    Change Frequency

    Description

    Require <n> Hours Between Changes

    When selected, the number in the corresponding text field is the minimum number of hours that must pass before a password change is required.

    Tip:

    Use this setting to prevent users from changing their password and then immediately changing it again.

    Expires Every <n> Days

    When selected, the number in the corresponding text field is the number of full days that must pass before the password expires. For example, if you enter 1, the password expires at the end of the day after the password is changed.

    Expires on First Use

    When selected, newly assigned passwords expire after they are used once (e.g., if an administrator assigns a generic or random password to a user, the user is prompted to change the password upon first logging on to OnBase). Users are not prompted to change passwords on subsequent logins.

    Note:

    The Require <n> Hours Between Changes option is not enforced when Expires on First Use is selected.

    Account Lockout

    Description

    Lockout After <n> Failed Logins

    When selected, the number in the corresponding text field is the number of invalid login attempts that can occur before a user is locked out of OnBase.

    Manual Release by Admin

    When selected, users locked out of OnBase because they reached the specified number of invalid login attempts can only be unlocked manually.

    Auto-Release After <n> Minutes

    When selected, the number in the corresponding text field is the number of minutes that will elapse before unlocking users locked out of OnBase because they reached the specified number of invalid login attempts.

    Lockout After Idle <n> Days

    When selected, the number in the corresponding text field is the number of days a user can go without logging into OnBase before being locked out of OnBase.

    Note:

    This setting is also respected by Active Directory and LDAP authentication methods. The MANAGER and ADMINISTRATOR User Groups are exempt from the Lockout After Idle <n> Days setting.

  8. Click OK.

    Before saving the selected password policy settings, OnBase verifies that no mutually exclusive settings are selected. If OnBase detects mutually exclusive settings, you are prompted to change them before you will be able to save the configured password policy.

    For example, you select Prevent Reuse and Prevent Reuse Within <n> Days. These settings are mutually exclusive. After clicking OK to save this configuration, you are prompted to re-configure these settings before you can save the password policy. You must deselect one of these settings before you can save the password policy.

  9. The Password Policies dialog box displays the password policy that you created:
  10. If necessary, use the following right-click options and toolbar buttons to edit or delete existing password policies:
    Right-Click Option Toolbar Button Description

    Edit Policy

    Click to edit the selected password policy.

    Delete Policy

    Click to delete the selected password policy.