Built-in security levels
Platform supports three security levels per application: Low, Medium, and High. Platform Private Cloud customers can both configure these levels and add more if desired; see the XML in System Console > System > Control Panel > Configuration > Security Levels. The standard Platform security levels and the restrictions they enforce are described in the following table:
| Security Level | XML Keys | Low (default) | Medium | High | Very High |
|---|---|---|---|---|---|
| Password length (characters) | minPasswordLength | 6+ | 8+ | 8+ | 16+ |
| Minimum Password Strength (for more information, see Minimum Password Strength Requirements) | minPasswordStrength | very_weak | fair | strong | very strong |
| Password is case-sensitive | caseSensitivePassword | No | Yes | Yes | Yes |
| Password can include sequential or repeating characters (like '123456' or 'aaaaa') | sequentialCharsInPassword | Yes | No | No | No |
| Passwords must include a non-alphabetical character | nonLettersInPassword | No | No | Yes | Yes |
| Block user account after N unsuccessful login attempts | maxFailedLogins | Never | 10 | 5 | 5 |
| Duration of block | blockTimeMins | N/A | 30 minutes | 60 minutes | 90 minutes |
| Minutes of inactivity before expiring user session | inactiveSessionExpireMins | 240 (4 hours) | 240 (4 hours) | 240 (4 hours) | 15 |
| Minutes of usage before forcing user to re-login | loginSessionExpireMins | 480 (8 hours) | 480 (8 hours) | 480 (8 hours) | 240 (4 hours) |
| Minutes to wait before expiring record lock | lockExpirationMins | 120 (2 hours) | 60 (1 hour) | 30 (1/2 hour) | 30 (1/2 hour) |
| Minutes to wait before expiring JW Token (minimum value is 10 minutes) | jwtExpireMins | 30 minutes | 30 minutes | 30 minutes | 30 minutes |
| Multi-factor Authentication | userMFA | false | false | true | true |
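As an added example (not the Platform's own code), the following Python checker loads a constructed securitylevel.xml fragment that uses the key names from the table above and applies the password-composition and account-lockout rules the keys describe. The `<securityLevels>`/`<level>` element layout is an assumption for this example, since the page does not show the file's structure; the key names and the High-column values come from the table.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the element layout is assumed, the key names and values are
# the High column of the security-level table.
SAMPLE_XML = """<securityLevels>
  <level name="High">
    <minPasswordLength>8</minPasswordLength>
    <sequentialCharsInPassword>false</sequentialCharsInPassword>
    <nonLettersInPassword>true</nonLettersInPassword>
    <maxFailedLogins>5</maxFailedLogins>
    <blockTimeMins>60</blockTimeMins>
  </level>
</securityLevels>"""

def load_level(xml_text, name):
    """Return the keys of one named level as a {key: string value} dict."""
    root = ET.fromstring(xml_text)
    for level in root.findall("level"):
        if level.get("name") == name:
            return {child.tag: (child.text or "").strip() for child in level}
    raise KeyError(f"no security level named {name!r}")

def has_sequential_or_repeating(pw, run=3):
    """True if pw contains `run` identical chars ('aaa') or `run` consecutive
    code points in either direction ('123', 'cba')."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw, policy):
    """Return the XML keys a candidate password violates ([] means acceptable)."""
    violations = []
    if len(pw) < int(policy.get("minPasswordLength", "0")):
        violations.append("minPasswordLength")
    if policy.get("sequentialCharsInPassword") == "false" and has_sequential_or_repeating(pw):
        violations.append("sequentialCharsInPassword")
    if policy.get("nonLettersInPassword") == "true" and not re.search(r"[^A-Za-z]", pw):
        violations.append("nonLettersInPassword")
    return violations

def lockout_remaining(failure_minutes, now_minute, policy):
    """Minutes of block left at now_minute given the minutes of each failed login
    (0 = not blocked); a non-numeric maxFailedLogins such as 'Never' disables it."""
    limit = policy.get("maxFailedLogins", "Never")
    if not limit.isdigit() or len(failure_minutes) < int(limit):
        return 0
    block_end = sorted(failure_minutes)[int(limit) - 1] + int(policy["blockTimeMins"])
    return max(0, block_end - now_minute)
```

The Low level's "Never" value for maxFailedLogins is handled by the non-numeric check, so the same function works unchanged across all four columns of the table.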
Minimum Password Strength Requirements
You can specify a minimum password strength requirement for all passwords to increase Platform protection. A password's strength is a gauge of how resilient it is to different kinds of attacks; in short, the complexity and length of a password determine its strength. The following are the password requirements for changing any Platform login password:
- Passwords must be at least 8 characters long.
- Passwords must include at least 1 non-alphabetical character.
- Passwords are case-sensitive.
- Passwords must fall within one of the configured strength types listed in the following table:
| Minimum Strength Types | Description |
|---|---|
| Very Strong | Very Strong passwords are usually very unguessable, thus offering very strong protection in the offline slow-hash scenario. To use this password strength, make sure the key very_strong is mentioned in the securitylevel.xml. |
| Strong | Strong passwords are quite unguessable, thus offering moderate protection in the offline slow-hash scenario. To use this password strength, make sure the key strong is mentioned in the securitylevel.xml. |
| Fair | Fair passwords have a possibility of being guessed. They can offer at most protection from unthrottled online attacks. To use this password strength, make sure the key fair is mentioned in the securitylevel.xml. |
| Weak | Weak passwords can be easily guessed, which makes them risky. To use this password strength, make sure the key weak is mentioned in the securitylevel.xml. |
| Very Weak | Very weak passwords are guessed very easily. They can offer protection only from throttled online attacks. To use this password strength, make sure the key very_weak is mentioned in the securitylevel.xml. |
- Based on the minimum password requirement selected, say Very Strong, if a user configures a password of Fair strength, the following error is shown: "This password's strength is Fair. The minimum password strength is Very Strong. Please select a stronger password."
- Existing passwords will not be affected by the new requirements if you raise the minimum strength.
If an administrator changes the security level for any user, it is recommended to reset the passwords for all the users immediately. This enforces the new security level on all the users.
API Only Access
With API Only Access, a user's credentials can only be used to access REST and SOAP APIs. To create such a user:
- Create a regular user.
- Edit the user and select API Only Access. If you do not see this check box on the user edit page, use the page editor to add this field to the page. See Editing pages for more information about the page editor.