You are currently viewing a limited version of this help centre. To access more content, please sign in with your support account or create a new one.

Sign in Create an account
Continue with limited experience
Navigation
Back
Need help?
Sign in

Looking for help?

Guides

View more
Access an account

Learn how to create a new account or recover an existing one.

Open a ticket

See how to raise an issue or question with our Support team.

Manage tickets

Check how to view and update your previously submitted tickets.

Access e-learning

Find training courses and learn how to use your solution.

Experiencing an issue, or have an idea? Feedback
New Updated
No results found
enterReturn key to select
Arrow keys to navigate
escEscape key to close

Configuring password rules

Karl Newstead
  • Updated
⌘ K
Search this article
Print this article

This article describes the password rules available in Internal Audit v5.4 and how they can be configured.

The table below shows the options that can be set, their default values and where they are located in the configuration:

Rule

Default setting

Location in configuration (see below)

Key Name

Notes

Max number of incorrect attempts allowed

5

<providers>

maxInvalidPasswordAttempts

The desktop application does not feed back to the user that their account has become locked, it just repeats the 'login failed' message.

 

The WebUI will tell the user that their account is locked at the login attempt after the lockout occurred (so if the limit is set at 3, they will get the lockout message on the 4th attempt).

Password attempt window

10 minutes

<providers>

passwordAttemptWindow

The value is set in minutes.

Minimum length

8 characters

<providers>

minRequiredPasswordLength

 

Minimum number of non-alphanumeric characters

0

<providers>

minRequiredNonalphanumericCharacters

This setting allows you to specify how many non-alphanumeric characters are required - if you want to specify simply that a mixture is required (i.e. at least one) then it is simpler to use the forceAtLeastOneNonAlphaNumeric setting.

Force at least one non-alphanumeric character

False

Pentana.Tng.UI.Web.FBA

forceAtLeastOneNonAlphaNumeric

 

Password cannot contain username

True

Pentana.Tng.UI.Web.FBA

cannotContainUsername

 

Force at least one number

False

Pentana.Tng.UI.Web.FBA

forceAtLeastOneNumeric

 

Force a mix of letters and numbers

True

Pentana.Tng.UI.Web.FBA

forceLettersAndNumerics

 

Force upper and lower case

True

Pentana.Tng.UI.Web.FBA

forceUpperAndLower

 

Force at least three of the four categories directly above

False

Pentana.Tng.UI.Web.FBA

forceAtLeastThreeOfFourCategories

 

Prevent a previous password being used for n days

30 days

Pentana.Tng.UI.Web.FBA

passwordRecyclePeriod

The value is set in days.  Sometimes we are asked to set up a rule such that the last x passwords may not be reused, in a system where passwords are changed every n days - you can enforce similar behaviour by specifying that a previous password cannot be used for x*n days

Password must be changed after n days

0 (off)

Pentana.Tng.UI.Web.FBA

PasswordExpiry

The value is set in days, 0 means that the password will remain valid indefinitely.

Note that this must be set in an additional file, see 'Additional step for passwordExpiry'

 

Making changes

Note that saving any changes in these config files will cause the service to restart, so be sure that downtime is scheduled.

Where a setting is in the <providers> section

In each of Service\Web.config, FBA\Web.config and WebUI\Web.config is a section at

<configuration><system.web><membership>, which looks like this:
 

<membership defaultProvider="DefaultMembershipProvider">
      <providers>
        <add name="DefaultMembershipProvider" type="Pentana.Tng.MembershipProviders.PentanaMembershipProvider, PentanaMembershipProvider"
             connectionStringName="FBAConnection"
             maxInvalidPasswordAttempts="5"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="0"
             passwordAttemptWindow="10"
             applicationName="/" />
      </providers>
    </membership>

Where a rule is specified in this section, make the change in each of the three files.
 

Where a setting is in the Pentana.Tng.UI.Web.FBA section

In each of FBA\Web.config and WebUI\Web.config is a section headed <Pentana.Tng.UI.Web.FBA>, which looks like this:

  <Pentana.Tng.UI.Web.FBA>
    <add key="authCookie" value="TngAuthentication" />
    <add key="timeout" value="1440" />
    <add key="smtpAddress" value="[SMTPRelay]" />
    <add key="fromAddress" value="[FromAddress]" />
    <add key="emailSubject" value="Password Reset" />
    <add key="urlLink" value="https://[SiteAddress]/WebUI/Login.aspx" />
    <add key="cannotContainUsername" value="true" />
    <add key="forceAtLeastOneNonAlphaNumeric" value="false" />
    <add key="forceAtLeastOneNumeric" value="false" />
    <add key="forceLettersAndNumerics" value="true" />
    <add key="forceAtLeastThreeOfFourCategories" value="false" />
    <add key="forceUpperAndLower" value="true" />
    <add key="passwordRecyclePeriod" value="30" />
    <add key="passwordExpiry" value="0" />
  </Pentana.Tng.UI.Web.FBA>

Where a rule is specified in this section, make the change in both of the files.

 

Additional step for passwordExpiry

If passwordExpiry is to be set, in addition to the two files mentioned above the key must also appear in Service\Web.config (with the number being the number of days required between resets), e.g.:

<Pentana.Tng.UI.Web.FBA>
 <add key="smtpAddress" value="[SMTPRelay]" />
 <add key="fromAddress" value="[FromAddress]" />
 <add key="emailSubject" value="Password Reset" />
 <add key="urlLink" value="https://[SiteAddress]/FBA/Account/Account_Login.aspx" />
 <add key="passwordExpiry" value="30" />
</Pentana.Tng.UI.Web.FBA>

 

Would you consider this article helpful? 3 out of 4 found this helpful
Looking for more help? Ask the community

Sections