Password policies are only enforced for standard OnBase authentication. With Active Directory or LDAP authentication, only the Lockout After Idle <n> Days Password Policy setting is respected.
To create a password policy:
- Select Users | Password Policies. The Password Policies dialog box is displayed.
- Right-click and select New Policy or select the New Policy toolbar button. The Password Policy dialog box is displayed.
- Type a unique name for the password policy in the Policy Name field.
- Type a description of the password policy in the Description field.
- Configure the remaining settings in the Password Policy dialog box. These settings are described in the tables below.
Note: For settings that include a text field, the number entered in the text field must be greater than 0.
Use a combination of options in the Password Policy dialog box to create a restrictive password policy. For example, select all four check boxes in the Content Quotas section. Use a value of 3 for Require <n> Alphabetic Characters, Require <n> Numeric Characters, and Require <n> Special Characters. Use a value of 2 for Satisfy at Least <n> Quota Rules. Select the Maximum Overall Length check box and specify a value of 6. In this example, the Maximum Overall Length setting works together with the Content Quotas settings to provide a restrictive password policy.
| Complexity | Description |
| --- | --- |
| Require Alphanumeric Characters Only | When selected, the password can only contain alphanumeric characters (letters and/or numbers). |
| Disallow Embedded User Name | When selected, the password cannot contain the user's OnBase user name. |
| Maximum Repeated Consecutive Characters | When selected, the number in the corresponding text field is the maximum number of repeated consecutive characters that the password can contain. For example, if this number is set to 2, password is an allowable password, while passsword is not allowed. |
| Common Substring Maximum Length | When selected, the number in the corresponding text field is the maximum number of common, consecutive characters that can be reused in a new, user-entered password. For example, if this number is set to 3, and the current password is PASS123, a new user-entered password could be PAS3210 or 0123PAS but could not be, for instance, PASS321 or 123PASS. Since PASS represents more than three common, consecutive characters between the old password and new password, PASS cannot be used anywhere in the new password. |
| Maximum Overall Length | When selected, the number in the corresponding text field is the maximum number of characters that the password can contain. |
| Minimum Overall Length | When selected, the number in the corresponding text field is the minimum number of characters that the password can contain. |
| Content Quotas | Description |
| --- | --- |
| Require <n> Alphabetic Characters | When selected, the number in the corresponding text field is the minimum number of alphabetic characters that the password must contain. |
| Require <n> Numeric Characters | When selected, the number in the corresponding text field is the minimum number of numeric characters that the password must contain. |
| Require <n> Special Characters | When selected, the number in the corresponding text field is the minimum number of special characters that the password must contain. Special characters are the following characters: ~ ' ! @ # $ % ^ & * ( ) _ - + = [ { ] } \ \| ; : ' " , < . > / ? |
| Require <n> Uppercase Characters | When selected, the number in the corresponding text field is the minimum number of uppercase characters that the password must contain. |
| Require <n> Lowercase Characters | When selected, the number in the corresponding text field is the minimum number of lowercase characters that the password must contain. |
| Satisfy at Least <n> Quota Rules | When selected, the number in the corresponding text field is the minimum number of configured Content Quotas that the password needs to satisfy to be considered a valid password. This number must be less than the number of configured Content Quotas. For example, a password policy requires that passwords include five alphabetic characters and five special characters. The Satisfy at Least <n> Quota Rules setting is set to 1. In this example, the following passwords all satisfy the configured Content Quotas: Keyword, 12345, Keyword12345. |
Note: The MANAGER and ADMINISTRATOR User Groups are exempt from Rotation settings.

| Rotation | Description |
| --- | --- |
| Prevent Reuse | When selected, previously used passwords cannot be reused. Note: This setting cannot be used in conjunction with the Prevent Reuse Within <n> Changes or Prevent Reuse Within <n> Days settings. |
| Prevent Reuse Within <n> Changes | When selected, previously used passwords can be reused. The number in the corresponding text field is the minimum number of password changes that must occur before a previously used password can be reused. For example, a password policy dictates that when users change their password, the new password cannot match one of their previous four passwords. In this example, the Prevent Reuse Within <n> Changes setting should be 4. |
| Prevent Reuse Within <n> Days | When selected, previously used passwords can be reused. The number in the corresponding text field is the minimum number of days that must pass before a previously used password can be reused. |
| Change Frequency | Description |
| --- | --- |
| Require <n> Hours Between Changes | When selected, the number in the corresponding text field is the minimum number of hours that must pass before a password change is required. Tip: Use this setting to prevent users from changing their password and then immediately changing it again. |
| Expires Every <n> Days | When selected, the number in the corresponding text field is the number of full days that must pass before the password expires. For example, if you enter 1, the password expires at the end of the day after the password is changed. |
| Expires on First Use | When selected, newly assigned passwords expire after they are used once (e.g., if an administrator assigns a generic or random password to a user, the user is prompted to change the password upon first logging on to OnBase). Users are not prompted to change passwords on subsequent logins. Note: The Require <n> Hours Between Changes option is not enforced when Expires on First Use is selected. |
| Account Lockout | Description |
| --- | --- |
| Lockout After <n> Failed Logins | When selected, the number in the corresponding text field is the number of invalid login attempts that can occur before a user is locked out of OnBase. |
| Manual Release by Admin | When selected, users locked out of OnBase because they reached the specified number of invalid login attempts can only be unlocked manually. |
| Auto-Release After <n> Minutes | When selected, the number in the corresponding text field is the number of minutes that will elapse before unlocking users locked out of OnBase because they reached the specified number of invalid login attempts. |
| Lockout After Idle <n> Days | When selected, the number in the corresponding text field is the number of days a user can go without logging into OnBase before being locked out of OnBase. Note: This setting is also respected by Active Directory and LDAP authentication methods. The MANAGER and ADMINISTRATOR User Groups are exempt from the Lockout After Idle <n> Days setting. |
- Click OK.
  Before saving the selected password policy settings, OnBase verifies that no mutually exclusive settings are selected. If OnBase detects mutually exclusive settings, you are prompted to change them before you will be able to save the configured password policy.
  For example, you select Prevent Reuse and Prevent Reuse Within <n> Days. These settings are mutually exclusive. After clicking OK to save this configuration, you are prompted to re-configure these settings before you can save the password policy. You must deselect one of these settings before you can save the password policy.
- The Password Policies dialog box displays the password policy that you created.
- If necessary, use the following right-click options and toolbar buttons to edit or delete existing password policies:

| Right-Click Option | Toolbar Button | Description |
| --- | --- | --- |
| Edit Policy | | Click to edit the selected password policy. |
| Delete Policy | | Click to delete the selected password policy. |
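
The following sketch models how the Maximum Repeated Consecutive Characters, Common Substring Maximum Length, Maximum Overall Length and Content Quotas settings described above interact. It is an added example, not OnBase code or part of the original documentation. The function names and policy keys are hypothetical, and the case-sensitive substring comparison and the "all configured quotas required unless Satisfy at Least is set" default are assumptions.

```python
# Added example, not OnBase code. Names are hypothetical; rule semantics follow
# the setting descriptions on this page.
SPECIAL = set("~'!@#$%^&*()_-+=[{]}\\|;:\",<.>/?")  # characters as listed on the page
COUNTERS = {  # Content Quota -> test applied to each character
    "alphabetic": str.isalpha, "numeric": str.isdigit,
    "uppercase": str.isupper, "lowercase": str.islower,
    "special": lambda c: c in SPECIAL,
}

def longest_run(pw):
    """Longest run of one repeated consecutive character."""
    best = run = 0
    for i, ch in enumerate(pw):
        run = run + 1 if i and ch == pw[i - 1] else 1
        best = max(best, run)
    return best

def longest_common(a, b):
    """Longest run of consecutive characters that a and b share."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def violations(pw, policy, old_pw=""):
    """Return the names of the violated settings; an empty list means accepted."""
    bad = []
    if "max_repeat" in policy and longest_run(pw) > policy["max_repeat"]:
        bad.append("Maximum Repeated Consecutive Characters")
    # Assumption: old and new passwords are compared case-sensitively.
    if "max_common" in policy and longest_common(pw, old_pw) > policy["max_common"]:
        bad.append("Common Substring Maximum Length")
    if len(pw) > policy.get("max_len", len(pw)):
        bad.append("Maximum Overall Length")
    quotas = policy.get("quotas", {})
    met = sum(sum(map(COUNTERS[q], pw)) >= n for q, n in quotas.items())
    # Assumption: without "Satisfy at Least", every configured quota must be met.
    if met < policy.get("satisfy_at_least", len(quotas)):
        bad.append("Content Quotas")
    return bad

# The restrictive policy from the example earlier on this page.
RESTRICTIVE = {"quotas": {"alphabetic": 3, "numeric": 3, "special": 3},
               "satisfy_at_least": 2, "max_len": 6}
```

Under `RESTRICTIVE`, an accepted password is exactly six characters long with three characters from each of two classes: `violations("abc123", RESTRICTIVE)` returns an empty list, while `"abcd12"` fails Content Quotas and `"abc1234"` fails Maximum Overall Length.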