NOTICE: You are in the old ClientSpace Help system. Please link to the new ClientSpace Help here https://extranet.clientspace.net/helpdoc/home/ClientSpace.htm

Application-level security for user access

Summary

This document explains password requirements, system security configuration, and account lockouts. Many of these settings are not exposed in the user interface. Please contact your account manager if you would like any of these configurations changed.




General Security Information

Passwords are required to access ClientSpace and are protected with a one-way hash. The site uses 2048 SSL encryption.

When a password is changed, the system records the date and time of the event in the DatePasswordSet field on the User table. Optionally, the system can run a scheduled process that regularly checks the current date against this field and requires the user to reset the password if its age exceeds a set threshold.

Password and account security options are as follows:

  • Minimum password length (default is 7 characters)
  • Password complexity (default is at least two types of characters, i.e., alpha-numeric) - see below
  • Number of failed attempts before account lockout (default is 5 attempts)
  • Lockout duration (default is 30 minutes) 

Additionally, the system can be configured so that ClientSpace sessions time out after a set amount of inactivity using the Session Expiration setting, which logs the user out of the system. When this occurs, the user receives a 'Session Expired' message in the browser.

About your ClientSpace installation security

Security configurations are stored in an Install Security table within the database.

To access the configuration:

  1. Go to System Admin > Advanced > App Settings.
    The App Settings form opens.
  2. In the Security section, configure the following:
    • PasswordLength: minimum length of a user password.
    • PasswordComplexity: This field specifies the minimum level of password complexity allowed. You can require up to 3 levels of complexity with up to 4 options. Levels are 1 Option, 2 Option, 3 Option, and 4 Option. The complexity includes a combination of letters, mixed case, numbers, and special characters. Your application specialist can help you configure the password complexity level. The system then checks each of the complexity options and allows authentication if the password meets the required levels.
    • PasswordResetDays: amount of time in days from the last password reset before a user is forced to change the password (unless 'Password Never Expires' is selected).
    • LoginAttempts: number of failed login attempts before a user account is locked.
    • LockoutDuration: amount of time in minutes before a locked user account automatically unlocks.
    • SessionExpirationMinutes: number of minutes of inactivity allowed before a session is automatically expired.

  For help or changes to these configurations, contact your account manager.
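
The settings above can be read as the checks below. This is an added example, not ClientSpace code: the setting names come from the App Settings fields, while the reading of the four complexity options, locking on the attempt that reaches LoginAttempts, and the 90-day PasswordResetDays value are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class SecuritySettings:
    # Field names follow the App Settings form. Length, attempts and duration use
    # the documented defaults; PasswordResetDays=90 is a constructed sample value.
    PasswordLength: int = 7
    PasswordComplexity: int = 2   # how many complexity options must be met
    PasswordResetDays: int = 90
    LoginAttempts: int = 5
    LockoutDuration: int = 30     # minutes

def complexity_options_met(password: str) -> int:
    """Count satisfied options: letters, mixed case, numbers, special characters."""
    has_letter = any(c.isalpha() for c in password)
    mixed_case = any(c.islower() for c in password) and any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    return sum([has_letter, mixed_case, has_digit, has_special])

def password_acceptable(password: str, s: SecuritySettings) -> bool:
    return (len(password) >= s.PasswordLength
            and complexity_options_met(password) >= s.PasswordComplexity)

def reset_required(date_password_set: datetime, now: datetime,
                   s: SecuritySettings, never_expires: bool = False) -> bool:
    """Scheduled check of DatePasswordSet against the PasswordResetDays threshold."""
    if never_expires:             # 'Password Never Expires' is selected
        return False
    return now - date_password_set > timedelta(days=s.PasswordResetDays)

@dataclass
class Account:                    # hypothetical per-user lockout state
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None

def record_login(acct: Account, success: bool, now: datetime, s: SecuritySettings) -> str:
    """Apply LoginAttempts and LockoutDuration to a single login attempt."""
    if acct.locked_at is not None:
        if now - acct.locked_at < timedelta(minutes=s.LockoutDuration):
            return "locked"       # a correct password is still refused while locked
        acct.locked_at, acct.failed_attempts = None, 0   # automatic unlock
    if success:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= s.LoginAttempts:
        acct.locked_at = now
        return "locked"
    return "failed"
```

With the defaults, a seven-character lowercase password with one digit passes, and the fifth consecutive failure locks the account for 30 minutes.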

Setting external user inactive days

Administrators can change the number of days of inactivity for external users before a username expires. The recommended default value is 180. Setting the value to zero (0) means that external usernames will not expire.

  1. Go to System Admin > Advanced > App Settings.
    The App Settings form opens.
  2. Locate the setting in the Miscellaneous fieldset: External User Inactive Days.
  3. Change the value if applicable and click Save.
