With each OnBase installation, two pre-defined password policies are created by default to help establish good security practices. The High Security policy is created as the recommended level of security, and the Medium Security policy is applied as the default password policy if no default password policy is defined for your system. These policies cannot be modified or deleted.
The Medium Security policy enforces the following rules:
- Passwords must be a minimum length of characters
- No more than 2 characters can be repeated consecutively
- Passwords expire the first time users log on
- Accounts are locked after 5 failed attempts to log on
- Locks on accounts with too many failed attempts to log on are released after 15 minutes
- Accounts are locked after they are idle for 180 days
The High Security policy enforces the following rules:
- User names cannot be embedded in passwords
- Passwords must be a minimum length of 15 characters
- No more than 2 characters can be repeated consecutively
- Passwords cannot be reused within 5 password changes
- Passwords cannot be changed more than once within 24 hours
- Passwords expire every 180 days
- Passwords expire the first time users log on
- Accounts are locked after 5 failed attempts to log on
- Administrators must manually release locks on accounts with too many failed attempts to log on
- Accounts are locked after they are idle for 60 days
Although it is not enforceable at the system level, requiring a Unicode character (characters outside the standard ASCII character set) as part of user passwords is a highly effective policy to help thwart typical password cracking applications. This practice is recommended for systems that require a high level of security. Due to a negative impact on the user experience, however, it is not recommended for most systems.
Unicode characters can only be used if the OnBase database has been configured for Unicode. Contact your first line of support for information on configuring your database for Unicode.
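The following Python function is an added example, not OnBase code or part of the original documentation. It checks a candidate password against the High Security rules that apply to the password string itself, plus the optional non-ASCII recommendation above, for use in pre-provisioning scripts or password audits. Assumptions: the user name match is case-insensitive, "no more than 2 repeated" means a run of three identical characters is rejected, and the history is a list of digests, oldest first; the names `check_password` and `digest` are hypothetical.

```python
import hashlib
import re

MIN_LENGTH = 15      # High Security: minimum length of 15 characters
MAX_REPEAT = 2       # no more than 2 characters repeated consecutively
HISTORY_DEPTH = 5    # no reuse within 5 password changes


def digest(password):
    # Illustration only: a real credential store uses a salted, slow password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(username, candidate, history_digests=(), require_non_ascii=False):
    """Return a list of rule violations; an empty list means the candidate passes."""
    violations = []
    # Assumption: the embedded user name check ignores case.
    if username and username.casefold() in candidate.casefold():
        violations.append("contains user name")
    if len(candidate) < MIN_LENGTH:
        violations.append("shorter than 15 characters")
    # Assumption: a run of MAX_REPEAT + 1 identical characters is a violation.
    if re.search(r"(.)\1{%d,}" % MAX_REPEAT, candidate, flags=re.DOTALL):
        violations.append("more than 2 repeated characters")
    # Only the most recent HISTORY_DEPTH entries count (list is oldest first).
    if digest(candidate) in list(history_digests)[-HISTORY_DEPTH:]:
        violations.append("reused within 5 changes")
    # Optional rule from the Unicode recommendation: at least one non-ASCII character.
    if require_non_ascii and candidate.isascii():
        violations.append("no non-ASCII character")
    return violations


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    history = [digest("old-passphrase-number-%d" % i) for i in range(6)]
    samples = ("jsmith-Winter2024!!", "correct horse battery",
               "old-passphrase-number-1", "Zürich tram line eleven")
    for pw in samples:
        print(repr(pw), check_password("jsmith", pw, history, require_non_ascii=True))
```

The time-based rules (expiry, lockout, idle locking, the 24-hour change limit) depend on account state and are not covered by this check.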
For more information on configuring password policies, see the System Administration module reference guide.