Managing Password Settings

To open the Password Settings:

1. From the top right corner of any page, click . The System Settings page opens.
2. In the Categories/Subcategories pane of the System Settings page, expand Privacy and Security, and select Password.

Password Policy Settings

• Enforce password complexity (required, default: switched off) - Toggle on to configure and enforce password complexity for new/changed Axonius user accounts' defined passwords.
  
  

  If switched on, specify the following parameters:

  • Minimum password length (required, default: 10) - Specify the minimum length for a defined password. The specified value must be equal to or greater than the sum of the remaining fields.
  • Minimum lowercase letters required (optional, default: 1) - Specify the minimum lowercase letters required for an Axonius user account's (new/changed) defined password.
  • Minimum uppercase letters required (optional, default: 1) - Specify the minimum uppercase letters required for an Axonius user account's (new/changed) defined password.
  • Minimum numbers required (optional, default: 1) - Specify the minimum numbers required for an Axonius user account's (new/changed) defined password.
  • Minimum special characters required (optional, default: 0) - Specify the minimum special characters required for an Axonius user account's (new/changed) defined password.
    • Special characters refer to the following list: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/

If switched on, when a user wants or needs to change their password, the password complexity requirements are displayed. For example, changing user password from the Manage Users page.

Password Reset Settings

• Reset password link expiration (hours) (required, default: 48) - The number of hours that the reset password link remains valid.

Password Brute Force Settings

• Enable Brute force protection (required, default: switched on) - Toggle on to enforce a rate limit on user login and on Changing user account password.
  
  
  Axonius uses a fixed window with an elastic expiry strategy for rate limiting. This strategy helps circumvent bursts.
  Example - 10/minute rate limit is configured:

  • If the user login is attacked at the rate of 10 hits per minute, the attacker is locked out of the resource for 1 minute after the last hit.
  • If the user login is attacked at the rate of 1 hit per second for 1 minute (total of 60 hits) - after passing the first 10 hits (after 10 seconds), the attacker is locked out of the resource for 1 minute. As the attacker continues with additional attempts, each attempt after the rate limit is exceeded, increases the lockout by the relative impact of a single hit on the defined window size. In the example, each hit increases the lockout by an additional 6 seconds (60 seconds / 10 hits = 6 seconds per hit).
    
    

  If switched on, specify the following parameters:

  • Maximum attempts (required, default: 20) - Specify the maximum number of attempts allowed.
    Note:

    Both GET and POST requests are considered attempts.

  • Window size in minutes (required, default: 5) - Specify the number of minutes to define a window size for the attempts allowed.
  • Lock Type (required, default: IP address) - Select IP address or User name.
    • User login rate limit is always per IP address.
    • Changing user account password rate limiting can be done by either IP address or user name.
    Note:

    When a specific user name is locked, Axonius also locks the IP address associated with the session of that user name.

Password Expiration Settings

• Enable password expiration (required, default: switched off) - Toggle on to enforce password expiration for all users in the system.

• Password expiration (days) (required, default: 90) - The number of days that a password is valid. Users with expired passwords are required to change their password when logging in.