Managing Password Settings
- Updated on 23 Apr 2023
To open the Password Settings:
- From the top right corner of any page, click . The System Settings page opens.
- In the Categories/Subcategories pane of the System Settings page, expand Privacy and Security, and select Password.
Password Policy Settings
Password Policy Settings are configured by default for Axonius-hosted (SaaS) customers and cannot be changed.
Enforce password complexity (required, default: switched off) - Toggle on to configure and enforce password complexity requirements for the passwords of new or changed Axonius user accounts.
If switched on, specify the following parameters:
- Minimum password length (required, default: 10) - Specify the minimum length of a password. The specified value must be equal to or greater than the sum of the minimums specified in the remaining fields.
- Minimum lowercase letters required (optional, default: 1) - Specify the minimum number of lowercase letters required in a new or changed password for an Axonius user account.
- Minimum uppercase letters required (optional, default: 1) - Specify the minimum number of uppercase letters required in a new or changed password for an Axonius user account.
- Minimum numbers required (optional, default: 1) - Specify the minimum number of digits required in a new or changed password for an Axonius user account.
- Minimum special characters required (optional, default: 0) - Specify the minimum number of special characters required in a new or changed password for an Axonius user account.
- Special characters refer to the following list: ~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/
If switched on, the password complexity requirements are displayed whenever a user wants or needs to change their password, for example when changing a user's password from the Manage Users page.
Password Reset Settings
- Reset password link expiration (hours) (required, default: 48) - The number of hours that the reset password link remains valid.
Password Brute Force Settings
Password Brute Force Settings are configured by default for Axonius-hosted (SaaS) customers and cannot be changed.
Enable Brute force protection (required, default: switched on) - Toggle on to enforce a rate limit on user login and on changing a user account password.
Axonius uses a fixed window with an elastic expiry strategy for rate limiting. This strategy helps counter bursts of attempts.
Example - a 10/minute rate limit is configured:
- If the user login is attacked at a rate of 10 hits per minute, the attacker is locked out of the resource for 1 minute after the last hit.
- If the user login is attacked at a rate of 1 hit per second for 1 minute (60 hits in total), then after the first 10 hits pass (after 10 seconds) the attacker is locked out of the resource for 1 minute. As the attacker continues with additional attempts, each attempt after the rate limit is exceeded increases the lockout by the relative impact of a single hit on the defined window size. In this example, each hit increases the lockout by an additional 6 seconds (60 seconds / 10 hits = 6 seconds per hit).
If switched on, specify the following parameters:
- Maximum attempts (required, default: 20) - Specify the maximum number of attempts allowed.
Note: Both GET and POST requests are considered attempts.
- Window size in minutes (required, default: 5) - Specify the number of minutes to define a window size for the attempts allowed.
- Lock Type (required, default: IP address) - Select IP address or User name.
- User login rate limit is always per IP address.
- Changing user account password rate limiting can be done by either IP address or user name.
Note: When a specific user name is locked, Axonius also locks the IP address associated with the session of that user name.
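The following Python model is an added illustration, not Axonius code: it implements the fixed window with elastic expiry as this page describes it (each allowed hit resets the window to a full window after it; once Maximum attempts is reached, every further attempt extends the lockout by window size / maximum attempts) and replays the two 10/minute scenarios above. The class and function names and the attacker IP address are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ElasticFixedWindowLimiter:
    """Fixed window with elastic expiry, as described on this page (hypothetical model).

    - Every allowed hit resets the window to expire a full `window` after it.
    - Once `limit` hits have landed, further attempts are rejected and each
      one extends the lockout by `window / limit` seconds (6 s for 10/minute).
    """
    limit: int                 # Maximum attempts, e.g. 10
    window: float              # Window size in seconds, e.g. 60
    _state: dict = field(default_factory=dict)  # key -> (hits, window expiry time)

    def hit(self, key: str, now: float) -> bool:
        """Record one attempt for `key` (IP address or user name) at time `now`."""
        hits, expiry = self._state.get(key, (0, now))
        if now >= expiry:                       # window or lockout is over: start fresh
            hits = 0
        if hits < self.limit:
            # Elastic expiry: the window now ends a full `window` after this allowed hit
            self._state[key] = (hits + 1, now + self.window)
            return True
        # Limit reached: reject and push the lockout out by one hit's share of the window
        self._state[key] = (hits, expiry + self.window / self.limit)
        return False

    def locked_until(self, key: str) -> Optional[float]:
        """Time at which `key` may try again, or None if it is not locked out."""
        hits, expiry = self._state.get(key, (0, 0.0))
        return expiry if hits >= self.limit else None


def simulate(interval: float, count: int, limit: int = 10, window: float = 60.0):
    """Replay `count` attempts spaced `interval` seconds apart from one constructed IP.
    Returns (attempts allowed, time at which the lockout ends)."""
    rl = ElasticFixedWindowLimiter(limit=limit, window=window)
    ip = "198.51.100.7"                         # constructed attacker address
    allowed = sum(rl.hit(ip, i * interval) for i in range(count))
    return allowed, rl.locked_until(ip)


if __name__ == "__main__":
    # Scenario 1: 10 hits/minute -> locked until 60 s after the 10th hit (t=54 s -> t=114 s)
    print(simulate(interval=6.0, count=10))
    # Scenario 2: 1 hit/second for a minute -> 10 pass, 50 rejected, each adding 6 s (ends t=369 s)
    print(simulate(interval=1.0, count=60))
```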
Password Expiration Settings
Enable password expiration (required, default: switched off) - Toggle on to enforce password expiration for all users in the system.
Password expiration (days) (required, default: 90) - The number of days that a password is valid. Users with expired passwords are required to change their password when logging in.