Implementing standard password security policies hardens OneContact against password-based attacks. This page covers:
Password security policies
The following password policies can be activated per tenant/instance. They mirror the standard Windows password policies and apply to all OneContact agent and supervisor users (system administrators, administrators and supervisors); Active Directory (Windows) users are excluded, because their passwords are governed by the domain.
The parameter names given below are the ones exposed by OneContactLogin.
To preserve existing behaviour, all policies are disabled after an upgrade. On new installations the defaults are the standard recommended values.
When a policy is not satisfied, the user sees the message “The password does not meet the password policy requirements.” followed by the list of policies being infringed:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
Enforce password history
Prevents users from creating a new password that is the same as their current password or a recently used one. The value specifies how many passwords are remembered: 1 means only the current (last) password is remembered, 5 means the previous five passwords are remembered.
Parameter: EnforcePasswordHistory, integer (0-24)
This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.
This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.
Default: 0 (upgrade), 5 (new)
Tip: Use a number that is greater than 1.
Maximum password age
Sets the maximum number of days that a password remains valid. After that period the user has to change the password and is directed to a change-password screen on login. This policy has no effect on SIP passwords.
Parameter: MaximumPasswordAge, integer (0-999)
This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.
Default: 0 (upgrade), 70 (new)
Tip: Set a maximum password age of 70 days. A value that is too high gives an attacker an extended window in which to crack or use a compromised password. A value that is too low frustrates users who have to change their passwords too frequently.
Minimum password age
Sets the minimum number of days that must pass before a password can be changed.
Parameter: MinimumPasswordAge, integer (0-MaximumPasswordAge)
This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
Default: 0 (upgrade), 1 (new)
Tip: Set the minimum password age to at least 1 day. With that setting a user can change their password at most once a day, which helps enforce the other settings. For example, if the past five passwords are remembered, at least five days must pass before the user can reuse their original password. If the minimum password age is set to 0, the user can change their password six times on the same day and be back on their original password that same day.
Minimum password length
Specifies the minimum number of characters a password must contain.
Parameter: MinimumPasswordLength, integer (1-14)
This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters.
Default: 1 (upgrade), 7 (new)
Tip: Set the length between 8 and 12 characters (provided that they also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or common phrase.
Password must meet complexity requirements
Requires that passwords:
- Meet the configured Minimum password length (see above)
- Contain characters from at least three of the following four categories: uppercase letters, lowercase letters, digits, symbols (punctuation marks)
- Do not contain the user's user name or full name
Parameter: PasswordComplexity, bool
Enables or disables the policy.
Default: false (upgrade), true (new)
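As an added example (not OneContact code; the password storage format, the hashing and the handling of name parts are assumptions of this example), the following Python applies the five policies above to a proposed password change and returns the names of the infringed policies, in the form the login message lists them. It also reproduces the minimum-age scenario from the tip above, so the interaction between Enforce password history and Minimum password age can be seen rather than read about.

```python
import hashlib
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    # Parameter names and "new installation" defaults as documented above.
    EnforcePasswordHistory: int = 5   # 0-24 remembered passwords, 0 = off
    MaximumPasswordAge: int = 70      # days; 0 = passwords never expire
    MinimumPasswordAge: int = 1       # days; 0 = may change at any time
    MinimumPasswordLength: int = 7    # 1-14 characters
    PasswordComplexity: bool = True


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the remembered history never stores plaintext.
    # Assumption of this example: the product's real storage format is not documented here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class UserRecord:
    user_name: str
    full_name: str
    password_set_at: datetime = datetime(1970, 1, 1)
    # (salt, hash) pairs, most recent first; index 0 is the current password.
    history: list = field(default_factory=list)

    def set_password(self, password: str, when: datetime) -> None:
        salt = os.urandom(16)
        self.history.insert(0, (salt, hash_password(password, salt)))
        self.password_set_at = when


def meets_complexity(password: str, user: UserRecord) -> bool:
    """Three of four character classes, and no user name or full name inside."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        return False
    lowered = password.lower()
    # Case-insensitive match on the user name and the full name; also rejecting
    # each part of the full name (3+ characters) is this example's stricter reading.
    banned = [user.user_name, user.full_name]
    banned += [part for part in user.full_name.split() if len(part) >= 3]
    return not any(b.lower() in lowered for b in banned if b)


def is_expired(policy: PasswordPolicy, user: UserRecord, now: datetime) -> bool:
    """Maximum password age: True when login must redirect to the change screen."""
    if policy.MaximumPasswordAge == 0:
        return False
    return now - user.password_set_at > timedelta(days=policy.MaximumPasswordAge)


def password_change_violations(policy, user, new_password, now) -> list:
    """Names of the policies a proposed new password infringes (empty = accepted)."""
    violations = []
    if policy.MinimumPasswordAge > 0 and \
            now - user.password_set_at < timedelta(days=policy.MinimumPasswordAge):
        violations.append("Minimum password age")
    if len(new_password) < policy.MinimumPasswordLength:
        violations.append("Minimum password length")
    if policy.PasswordComplexity and not meets_complexity(new_password, user):
        violations.append("Password must meet complexity requirements")
    # A value of N remembers the current password plus the N-1 before it.
    remembered = user.history[:policy.EnforcePasswordHistory]
    if any(hash_password(new_password, salt) == h for salt, h in remembered):
        violations.append("Enforce password history")
    return violations


def reuse_after_rotation(policy, user, rotation, original, now) -> bool:
    """Rotate through `rotation`, then try to reuse `original`, all at time `now`.
    True means the reuse is accepted: the scenario the minimum-age tip warns about."""
    for pwd in rotation:
        if password_change_violations(policy, user, pwd, now):
            return False
        user.set_password(pwd, now)
    return not password_change_violations(policy, user, original, now)
```

With the recommended defaults, a user whose password was set two hours ago is refused on Minimum password age, and a password that matches any of the five remembered hashes is refused on Enforce password history. With MinimumPasswordAge set to 0, five changes followed by a sixth back to the original are all accepted on the same day; with it set to 1, the first change of the day is already refused.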
Note: To change a tenant's policy values, authenticate in OneContactLogin Provisioning and call the endpoint PUT /api/tenants/{TenantId}/PasswordPolicies with the desired values.
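The documented ranges interact (Minimum password age must stay below Maximum password age unless the latter is 0), so it is worth checking a policy set before sending it. The following Python is an added example, not OneContact's API definition: the base URL, bearer-token authentication and a JSON body keyed by the parameter names above are assumptions of this example. It validates the values against the ranges documented on this page and builds the PUT request without sending it.

```python
import json
import urllib.request


def policy_value_errors(values: dict) -> list:
    """Check the documented ranges and the min/max age dependency before sending."""
    errors = []
    hist = values.get("EnforcePasswordHistory", 0)
    if not 0 <= hist <= 24:
        errors.append("EnforcePasswordHistory must be 0-24")
    max_age = values.get("MaximumPasswordAge", 0)
    if not 0 <= max_age <= 999:
        errors.append("MaximumPasswordAge must be 0-999")
    min_age = values.get("MinimumPasswordAge", 0)
    if max_age == 0:
        # Passwords never expire: any minimum age from 0 to 998 is allowed.
        if not 0 <= min_age <= 998:
            errors.append("MinimumPasswordAge must be 0-998 when passwords never expire")
    elif not 0 <= min_age < max_age:
        errors.append("MinimumPasswordAge must be less than MaximumPasswordAge")
    length = values.get("MinimumPasswordLength", 1)
    if not 1 <= length <= 14:
        errors.append("MinimumPasswordLength must be 1-14")
    if not isinstance(values.get("PasswordComplexity", False), bool):
        errors.append("PasswordComplexity must be a boolean")
    return errors


def build_policy_request(base_url: str, tenant_id: str, token: str,
                         values: dict) -> urllib.request.Request:
    """Build (but do not send) the PUT request; raises on invalid values.
    Assumptions of this example: JSON body keyed by parameter name, bearer auth."""
    errors = policy_value_errors(values)
    if errors:
        raise ValueError("; ".join(errors))
    url = f"{base_url.rstrip('/')}/api/tenants/{tenant_id}/PasswordPolicies"
    body = json.dumps(values).encode("utf-8")
    return urllib.request.Request(
        url,
        data=body,
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )


if __name__ == "__main__":
    recommended = {  # the "new installation" defaults from this page
        "EnforcePasswordHistory": 5, "MaximumPasswordAge": 70,
        "MinimumPasswordAge": 1, "MinimumPasswordLength": 7,
        "PasswordComplexity": True,
    }
    req = build_policy_request("https://login.example.invalid", "tenant-a", "TOKEN", recommended)
    print(req.get_method(), req.full_url)
    # Send with urllib.request.urlopen(req) once the base URL and token are real.
```

Sending the request is left to urllib.request.urlopen; keeping validation separate from transport lets the same check run in a CI step that reviews tenant policy files before they are applied.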