Built-in security levels

Platform supports three security levels per application: Low, Medium, and High. Platform Private Cloud customers can both configure these levels and add more of their own; see the XML in System Console > System > Control Panel > Configuration > Security Levels. The standard Platform security levels, the XML keys that configure each restriction, and the values each level enforces are listed in the following table:

| Security Level | XML Keys | Low (default) | Medium | High | Very High |
|---|---|---|---|---|---|
| Password length (characters) | minPasswordLength | 6+ | 8+ | 8+ | 16+ |
| Minimum Password Strength (for more information, see Minimum Password Strength Requirements) | minPasswordStrength | very_weak | fair | strong | very strong |
| Password is case-sensitive | caseSensitivePassword | No | Yes | Yes | Yes |
| Password can include sequential or repeating characters (like '123456' or 'aaaaa') | sequentialCharsInPassword | Yes | No | No | No |
| Passwords must include a non-alphabetical character | nonLettersInPassword | No | No | Yes | Yes |
| Block user account after N unsuccessful login attempts | maxFailedLogins | Never | 10 | 5 | 5 |
| Duration of block | blockTimeMins | N/A | 30 minutes | 60 minutes | 90 minutes |
| Minutes of inactivity before expiring user session | inactiveSessionExpireMins | 240 (4 hours) | 240 (4 hours) | 240 (4 hours) | 15 |
| Minutes of usage before forcing user to re-login | loginSessionExpireMins | 480 (8 hours) | 480 (8 hours) | 480 (8 hours) | 240 (4 hours) |
| Minutes to wait before expiring record lock | lockExpirationMins | 120 (2 hours) | 60 (1 hour) | 30 (1/2 hour) | 30 (1/2 hour) |
| Minutes to wait before expiring JWT (minimum value is 10 minutes) | jwtExpireMins | 30 minutes | 30 minutes | 30 minutes | 30 minutes |
| Multi-factor Authentication | userMFA | false | false | true | true |

Minimum Password Strength Requirements

You can specify a minimum password strength requirement for all passwords to increase Platform protection. A password's strength is a gauge of how resilient it is to different kinds of attacks; in short, the complexity and length of a password determine its strength. The following are the password requirements for changing any Platform login password:

  • Passwords must be at least 8 characters long.

  • Passwords must include at least 1 non-alphabetical character.

  • Passwords are case-sensitive.

  • Passwords must meet the configured minimum strength type, as described in the following table:

| Minimum Strength Types | Description |
|---|---|
| Very Strong | Very strong passwords are usually very unguessable, offering very strong protection in an offline slow-hash scenario. To use this password strength, make sure the key very_strong is mentioned in the securitylevel.xml. |
| Strong | Strong passwords are quite unguessable, offering moderate protection in an offline slow-hash scenario. To use this password strength, make sure the key strong is mentioned in the securitylevel.xml. |
| Fair | Fair passwords have a possibility of being guessed. They offer at most protection from unthrottled online attacks. To use this password strength, make sure the key fair is mentioned in the securitylevel.xml. |
| Weak | Weak passwords can be easily guessed, which makes them risky. To use this password strength, make sure the key weak is mentioned in the securitylevel.xml. |
| Very Weak | Very weak passwords are guessed very easily. They offer protection only from throttled online attacks. To use this password strength, make sure the key very_weak is mentioned in the securitylevel.xml. |

Note:

  • If a user sets a password whose strength is below the configured minimum (say the minimum is Very Strong and the user's password is of Fair strength), the following error is shown:

    This password’s strength is Fair. The minimum password strength is Very Strong. Please select a stronger password.

  • Existing passwords will not be affected by the new requirements if you raise the minimum strength.
  • If an administrator changes the security level for any user, it is recommended to reset the passwords for all the users immediately. This enforces the new security level on all the users.
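The password rules above (minPasswordLength, sequentialCharsInPassword, nonLettersInPassword, minPasswordStrength) and the documented error message, as an added example that is not the platform's own code: a Python checker that validates a candidate password against one level and reports every rule it fails. The per-level values are the table's; the PasswordPolicy class, the 3-character run detector and, above all, the estimate_strength gauge are assumptions made for this example, because the page does not describe how the platform computes strength.

```python
# Added example, not the platform's own code. Checks a candidate password against
# the password rules of one security level and reports failures in the style of
# the documented error message. The strength gauge below is a stand-in assumed
# for this example; the platform's real gauge is not described on the page.
import re
from dataclasses import dataclass
from typing import Dict, List

# Ordered weakest to strongest; labels match the wording of the error message.
STRENGTH_ORDER = ["very_weak", "weak", "fair", "strong", "very_strong"]
STRENGTH_LABEL = {"very_weak": "Very Weak", "weak": "Weak", "fair": "Fair",
                  "strong": "Strong", "very_strong": "Very Strong"}


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    minPasswordLength: int
    minPasswordStrength: str
    sequentialCharsInPassword: bool   # True = sequential/repeating runs allowed
    nonLettersInPassword: bool        # True = a non-alphabetical character is required


# Values transcribed from the security-level table (very_strong key from the strength table).
POLICIES: Dict[str, PasswordPolicy] = {
    "Low":       PasswordPolicy("Low", 6, "very_weak", True, False),
    "Medium":    PasswordPolicy("Medium", 8, "fair", False, False),
    "High":      PasswordPolicy("High", 8, "strong", False, True),
    "Very High": PasswordPolicy("Very High", 16, "very_strong", False, True),
}


def has_sequential_or_repeating(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive characters that are identical
    ('aaa') or step by exactly +1 or -1 in code point ('123', 'cba')."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def estimate_strength(pw: str) -> str:
    """Assumed stand-in gauge: one point per character class present, one per
    length milestone (8, 12, 16), minus one for a sequential/repeating run."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    score = (classes + (len(pw) >= 8) + (len(pw) >= 12) + (len(pw) >= 16)
             - int(has_sequential_or_repeating(pw)))
    if score <= 1:
        return "very_weak"
    if score == 2:
        return "weak"
    if score == 3:
        return "fair"
    if score in (4, 5):
        return "strong"
    return "very_strong"


def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Returns the list of rule violations; an empty list means the password is accepted."""
    errors: List[str] = []
    if len(pw) < policy.minPasswordLength:
        errors.append(f"Password must be at least {policy.minPasswordLength} characters long.")
    if not policy.sequentialCharsInPassword and has_sequential_or_repeating(pw):
        errors.append("Password must not include sequential or repeating characters.")
    if policy.nonLettersInPassword and not re.search(r"[^A-Za-z]", pw):
        errors.append("Password must include at least 1 non-alphabetical character.")
    actual = estimate_strength(pw)
    if STRENGTH_ORDER.index(actual) < STRENGTH_ORDER.index(policy.minPasswordStrength):
        errors.append(f"This password's strength is {STRENGTH_LABEL[actual]}. "
                      f"The minimum password strength is "
                      f"{STRENGTH_LABEL[policy.minPasswordStrength]}. "
                      "Please select a stronger password.")
    return errors


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ("abc123", "Tr0ub4dor&3", "Tr0ub4dor&3-Correct!"):
        for name, policy in POLICIES.items():
            print(f"{name:10} {candidate!r}: {check_password(candidate, policy) or 'accepted'}")
```

The strength check runs last and is reported as its own line, so a user who fails only on strength sees exactly the documented message, while a user who also violates a hard rule (length, run, non-letter) sees the specific rule too rather than a generic "stronger password" hint.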

API Only Access

With API Only Access, a user's credentials can only be used to access REST and SOAP APIs. To create such a user:

  1. Create a regular user.
  2. Edit the user and select API Only Access. If you do not see this check box on the user edit page, use the page editor to add this field to the page. See Editing pages for more information about the page editor.