Password Policies

You can implement various password policies to help increase the security of your Issuetrak site. Behind the scenes, Issuetrak uses substantial protections to avoid the compromise of sensitive customer data. Different mechanisms are employed based on the nature of each category of data (more information on this can be found below).

Password policies only affect user accounts that use Issuetrak authentication, and do not apply to any third-party authentication methods.


Applying Password Policies

Steps:

To activate your system's password options and policies:

  1. Click the gear icon in the upper right > click on Password Policy beneath System.

  2. To require users to configure and use Multi-factor Authentication (MFA), select Require Multi-factor Authentication.

    Important information noted above this option in the UI:  

    Multi-factor Authentication (MFA) adds an additional layer of protection against compromised accounts. Requiring MFA ensures that all Issuetrak authenticated users gain this extra protection.
    Once this option is enabled, users must have MFA set up or Outgoing Email must be enabled. If a user doesn't have MFA set up, but has an email address and Outgoing Email is enabled, a One-Time-Password will be sent to the user when logging in to facilitate MFA. Users who do not have MFA set up and don't have an email address (or Outgoing Email is not enabled) will not be able to log in.

  3. To allow users to initiate password changes, select Activate Self Service Password Reset.
    • Once activated, users with “Can change their own password” permissions may change their password by clicking on their User ID in the upper right > selecting Change Password from the drop-down.

    • All users will see a “Forgot your password?” link on the Login screen. When using this link, users with proper permissions (and an email address within their user record) are emailed a secure link that will walk them through changing their password (the link will be active for the number of hours configured here).

  4. Select/enter any additional password settings that should be applied to user passwords, such as mixed case, expiration periods, unsuccessful attempts before the lockout, etc.

Outgoing Email must be activated for the Self-Service Password reset to function.

  5. To send email notifications on lockout events, click the “+ add recipient” link in the Lockout List section. The Add Recipient screen will open in a separate window.

    • Enter an existing user ID in the User ID field, or click the user search (🔍) next to this field to select from users with an email address in their user record.

    • If the recipient is not an Issuetrak user, enter the email address in the Email Address field instead.

    Click Save on the Add Recipient screen. Repeat these steps for each recipient.

  6. Click Update.

A confirmation message will appear when this process is complete.

If you change the password policy for your Issuetrak site, then it will not affect users until they need to change their password. Changing the password policy does not force users to change their password on next login if their current password doesn't meet the policy requirements.


More Information

Application user account passwords are secured with the NIST-recommended PBKDF2 function, using an iteration count that exceeds current recommended standards and continues to increase automatically over time. For each new password stored, a new, cryptographically random 64-byte salt is generated and supplied to the function along with the plaintext password. The underlying hash is SHA-512. Password hashes are retained only as long as the site administrator has configured, and plaintext passwords are never sent to the database.
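The scheme above (PBKDF2-HMAC-SHA-512, a fresh 64-byte salt per password, and an iteration count that rises over time) is easiest to understand with the mechanism that makes the rising cost work: the iteration count is stored beside each hash, and a hash derived under an older, cheaper policy is re-derived at login, the only moment the plaintext is available. The following is an added example written for this page, not Issuetrak's code; the concrete schedule (210,000 iterations in 2024, plus 50,000 per calendar year) and the record format are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

HASH_NAME = "sha512"   # PBKDF2-HMAC-SHA-512, as the page describes
SALT_BYTES = 64        # fresh 64-byte salt per stored password
RECORD_PREFIX = f"pbkdf2_{HASH_NAME}"

# Work-factor schedule. These numbers are constructed for this example,
# not Issuetrak's: start at 210,000 iterations in 2024 and add 50,000
# every calendar year so the cost keeps pace with hardware.
BASE_ITERATIONS = 210_000
BASE_YEAR = 2024
YEARLY_INCREMENT = 50_000


def current_iterations(year=None):
    """Iteration count the policy requires for the given year (default: this year)."""
    year = year or date.today().year
    return BASE_ITERATIONS + YEARLY_INCREMENT * max(0, year - BASE_YEAR)


def hash_password(password, iterations=None):
    """Return a self-describing record: prefix$iterations$salt_hex$hash_hex.

    Storing the iteration count beside the hash is what lets the cost be
    raised later without invalidating existing passwords.
    """
    iterations = iterations or current_iterations()
    salt = secrets.token_bytes(SALT_BYTES)   # new random salt for every stored password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{RECORD_PREFIX}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Return (is_valid, needs_rehash).

    needs_rehash is True when the password matched but was hashed with fewer
    iterations than the current policy demands.
    """
    prefix, iterations, salt_hex, hash_hex = record.split("$")
    if prefix != RECORD_PREFIX:
        raise ValueError("unsupported hash record")
    iterations = int(iterations)
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), bytes.fromhex(salt_hex), iterations
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    is_valid = hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    return is_valid, is_valid and iterations < current_iterations()


def login(password, record):
    """Check a login and transparently upgrade the stored hash if needed.

    Returns (is_valid, new_record). new_record is None when nothing changed;
    the plaintext is only available at login, so this is the moment to
    re-derive the hash at the higher iteration count.
    """
    is_valid, needs_rehash = verify_password(password, record)
    if is_valid and needs_rehash:
        return True, hash_password(password)
    return is_valid, None


if __name__ == "__main__":
    # Constructed sample: a record produced under an older, cheaper policy.
    old_record = hash_password("correct horse battery staple", iterations=100_000)
    ok, upgraded = login("correct horse battery staple", old_record)
    print("valid:", ok, "| upgraded:", upgraded is not None)
    print("wrong password:", login("wrong", old_record))
```

The record carries everything needed to verify it, so the policy can be tightened at any time; nothing changes for a user until their next successful login, which mirrors the note above that policy changes do not retroactively affect existing passwords.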

Passwords for connecting to external servers (such as mail servers and Active Directory servers) are encrypted with AES-256 in CTR mode and authenticated with HMAC-SHA-384. Keys are generated as cryptographically random 32-byte values. During use, these keys are stored as DPAPI-encrypted nodes within the ASP.NET website's “web.config” file.
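CTR mode on its own provides confidentiality but no integrity: flipping a bit of ciphertext flips the same bit of the decrypted password. That is why the paragraph pairs it with an HMAC. The added example below, written for this page rather than taken from Issuetrak, shows the encrypt-then-MAC construction with two independent random 32-byte keys (one for AES-256-CTR, one for HMAC-SHA-384), a per-message nonce covered by the tag, and constant-time tag verification before any decryption. It uses the third-party `cryptography` package for AES; the DPAPI wrapping of the keys in web.config is Windows-specific and not reproduced here.

```python
import hashlib
import hmac
import secrets
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

KEY_BYTES = 32     # separate 32-byte keys: one for AES-256, one for the HMAC
NONCE_BYTES = 16   # AES block size; the CTR initial counter block
TAG_BYTES = 48     # HMAC-SHA-384 digest length


def generate_keys():
    """Two independent cryptographically random 32-byte keys."""
    return secrets.token_bytes(KEY_BYTES), secrets.token_bytes(KEY_BYTES)


def encrypt_secret(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: nonce || AES-256-CTR(plaintext) || HMAC-SHA-384 tag."""
    nonce = secrets.token_bytes(NONCE_BYTES)   # never reused with the same key
    encryptor = Cipher(algorithms.AES(enc_key), modes.CTR(nonce)).encryptor()
    ciphertext = encryptor.update(plaintext) + encryptor.finalize()
    # The tag covers the nonce too, so neither part can be swapped silently.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha384).digest()
    return nonce + ciphertext + tag


def decrypt_secret(enc_key, mac_key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < NONCE_BYTES + TAG_BYTES:
        raise ValueError("blob too short")
    nonce = blob[:NONCE_BYTES]
    ciphertext = blob[NONCE_BYTES:-TAG_BYTES]
    tag = blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha384).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    decryptor = Cipher(algorithms.AES(enc_key), modes.CTR(nonce)).decryptor()
    return decryptor.update(ciphertext) + decryptor.finalize()


def try_decrypt(enc_key, mac_key, blob):
    """Return the plaintext, or None when the blob fails authentication."""
    try:
        return decrypt_secret(enc_key, mac_key, blob)
    except ValueError:
        return None


def flip_byte(blob, index):
    """Constructed tampering helper: flip one bit at the given offset."""
    mutated = bytearray(blob)
    mutated[index] ^= 0x01
    return bytes(mutated)


if __name__ == "__main__":
    enc_key, mac_key = generate_keys()
    # Constructed sample secret, standing in for a stored mail-server password.
    blob = encrypt_secret(enc_key, mac_key, b"smtp-password-example")
    print("round trip:", decrypt_secret(enc_key, mac_key, blob))
    # Without the MAC, this bit flip would silently change the recovered password.
    print("tampered:", try_decrypt(enc_key, mac_key, flip_byte(blob, NONCE_BYTES)))
```

Keeping the encryption and MAC keys separate, and checking the tag before decrypting, is the point of the construction: a modified nonce, ciphertext or tag is rejected outright rather than yielding a corrupted password that is then sent to a mail or directory server.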

All encryption libraries used are professionally audited.