Password Policies

You can implement various password policies to help increase the security of your Issuetrak site. Behind the scenes, Issuetrak uses substantial protections to avoid the compromise of sensitive customer data. Different mechanisms are employed based on the nature of each category of data (more information on this can be found below).


Applying Password Policies

To activate your system's password options and policies:

  1. Click the gear icon in the upper right > click on Password Policy beneath System.

  2. To allow users to initiate password changes, select Activate Self Service Password Reset.
    • Once activated, users with “Can change their own password” permissions may change their password by clicking on their User ID in the upper right > selecting Change Password from the drop-down.

    • All users will see a “Forgot your password?” link on the Login screen. When using this link, users with proper permissions (and an email address within their user record) are emailed a secure link that will walk them through changing their password (the link will be active for the number of hours configured here).

  3. Select/enter any additional password settings that should be applied to user passwords, such as mixed case, expiration periods, unsuccessful attempts before lockout, etc.

Outgoing Email must be activated for Self-Service Password Reset to function.

If using the AD Module, password policies within AD will be enforced for users authenticated by AD.

  4. To send email notifications on lockout events, click the “+ add recipient” link in the Lockout List section. The Add Recipient screen will open in a separate window.

    • Enter an existing user ID in the User ID field or click the user search (🔍) next to this field to select from users with an email address in their user record.

    • Or if the recipient is not an Issuetrak user, enter the email address in the Email Address field.

    Click Save on the Add Recipient screen. Repeat these steps for each recipient.
  5. Click Update.

A confirmation message will appear when this process is complete.

If password policies are changed in a way that would force a user to change their password, the user will not be prompted to do so until they next attempt to log in. Depending on the user session timeout rules in the site and on the server, this may require the user to close all browser windows or log out of the site to trigger a login.


More Information

Application user account passwords are secured with the NIST-recommended PBKDF2 function, using an iteration count that exceeds the current recommended standard and that continues to increase automatically over time. For each new password stored, a new, cryptographically random 64-byte salt is generated and supplied to the function along with the plaintext password. The underlying hash is SHA-512. Password hashes are retained only as long as the site administrator has configured, and plaintext passwords are never sent to the database.
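As an added illustration of the scheme described above (example code written for this page, not Issuetrak's own implementation): PBKDF2 with HMAC-SHA-512, a fresh 64-byte random salt for every stored password, the iteration count stored beside the hash, and, because the plaintext is only available at login, re-hashing under the current count at the next successful login when the policy's count has risen. The starting iteration count, the record layout and the function names are assumptions of the example; PBKDF2 is written out (RFC 8018) rather than imported so the block needs only the Go standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"hash"
)

// Sizes assumed for this example: the 64-byte salt follows the figure on
// the page; the derived key is one SHA-512 output.
const (
	saltLen = 64
	keyLen  = sha512.Size
)

// CurrentIterations applies to newly stored passwords. Raising it over time
// is what "increases automatically" amounts to: older records are re-hashed
// at the next successful login (see VerifyPassword). The starting value is
// an assumption, not Issuetrak's setting.
var CurrentIterations = 210000

// pbkdf2 implements PBKDF2 (RFC 8018 section 5.2) with HMAC over h.
func pbkdf2(password, salt []byte, iterations, dkLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	blocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, blocks*hLen)
	for i := 1; i <= blocks; i++ {
		// U_1 = PRF(password, salt || INT_32_BE(i))
		var ctr [4]byte
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_n = PRF(password, U_{n-1});  T_i = U_1 xor ... xor U_c
		for n := 1; n < iterations; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// StoredPassword is what the database keeps: never the plaintext.
type StoredPassword struct {
	Iterations int
	Salt       []byte
	Hash       []byte
}

// HashPassword derives a record under the current policy with a new random salt.
func HashPassword(password string) (StoredPassword, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	return StoredPassword{
		Iterations: CurrentIterations,
		Salt:       salt,
		Hash:       pbkdf2([]byte(password), salt, CurrentIterations, keyLen, sha512.New),
	}, nil
}

// VerifyPassword compares in constant time. On success, if the record was
// hashed with fewer iterations than the current policy requires, it also
// returns a re-hashed record for the caller to persist.
func VerifyPassword(password string, rec StoredPassword) (ok bool, upgraded *StoredPassword, err error) {
	got := pbkdf2([]byte(password), rec.Salt, rec.Iterations, keyLen, sha512.New)
	if subtle.ConstantTimeCompare(got, rec.Hash) != 1 {
		return false, nil, nil
	}
	if rec.Iterations < CurrentIterations {
		fresh, err := HashPassword(password)
		if err != nil {
			return true, nil, err
		}
		return true, &fresh, nil
	}
	return true, nil, nil
}

func main() {
	rec, err := HashPassword("correct horse battery staple") // constructed value
	if err != nil {
		panic(err)
	}
	ok, _, _ := VerifyPassword("correct horse battery staple", rec)
	fmt.Printf("%d-byte salt, %d iterations, match=%v\n", len(rec.Salt), rec.Iterations, ok)
	CurrentIterations += 50000 // policy rises; the next successful login re-hashes
	ok, upgraded, _ := VerifyPassword("correct horse battery staple", rec)
	fmt.Printf("match=%v upgraded=%v\n", ok, upgraded != nil)
}
```

The upgrade path is the part worth noting: a stored hash cannot be strengthened without the plaintext, so the only place to move old records to the higher count is a successful login, and the new record gets a fresh salt rather than reusing the old one.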

Passwords for connecting to external servers (such as mail servers and Active Directory servers) are encrypted with AES-256 in CTR mode and authenticated with an HMAC using SHA-384. Keys are generated as cryptographically random 32-byte values. During use, these keys are stored as DPAPI-encrypted nodes within the ASP.NET website's “web.config” file.
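An added example of the construction this paragraph names (written for this page; not Issuetrak's code): AES-256 in CTR mode with a fresh random IV per message, followed by an HMAC-SHA-384 tag over IV and ciphertext, verified before anything is decrypted. Using two independent 32-byte keys (one for AES, one for the HMAC), the output layout and the function names are assumptions of the example; protecting the keys at rest (DPAPI on the page) is outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// ErrAuth is returned for every verification failure so the caller learns
// nothing about which check failed.
var ErrAuth = errors.New("authentication failed")

const (
	keySize = 32             // AES-256 key and HMAC key: 32 random bytes each
	ivSize  = aes.BlockSize  // 16-byte CTR nonce, fresh for every message
	tagSize = sha512.Size384 // 48-byte HMAC-SHA-384 tag
)

// Keys holds two independent secrets (assumption of this example).
type Keys struct {
	Enc []byte
	Mac []byte
}

func NewKeys() (Keys, error) {
	k := Keys{Enc: make([]byte, keySize), Mac: make([]byte, keySize)}
	if _, err := rand.Read(k.Enc); err != nil {
		return Keys{}, err
	}
	if _, err := rand.Read(k.Mac); err != nil {
		return Keys{}, err
	}
	return k, nil
}

func tag(macKey, ivAndCiphertext []byte) []byte {
	m := hmac.New(sha512.New384, macKey)
	m.Write(ivAndCiphertext)
	return m.Sum(nil)
}

// Seal encrypts with AES-256-CTR under a random IV and appends an
// HMAC-SHA-384 tag over iv||ciphertext (encrypt-then-MAC).
// Layout: iv(16) || ciphertext || tag(48).
func Seal(k Keys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	out := make([]byte, ivSize+len(plaintext), ivSize+len(plaintext)+tagSize)
	if _, err := rand.Read(out[:ivSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:ivSize]).XORKeyStream(out[ivSize:], plaintext)
	return append(out, tag(k.Mac, out)...), nil
}

// Open verifies the tag first and decrypts only if it matches. CTR alone is
// malleable (flipping a ciphertext bit flips the same plaintext bit), which
// is why the MAC is not optional.
func Open(k Keys, sealed []byte) ([]byte, error) {
	if len(sealed) < ivSize+tagSize {
		return nil, ErrAuth
	}
	body, got := sealed[:len(sealed)-tagSize], sealed[len(sealed)-tagSize:]
	if !hmac.Equal(got, tag(k.Mac, body)) {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(body)-ivSize)
	cipher.NewCTR(block, body[:ivSize]).XORKeyStream(plaintext, body[ivSize:])
	return plaintext, nil
}

func main() {
	k, _ := NewKeys()
	sealed, _ := Seal(k, []byte("mail-server-password")) // constructed value
	plain, err := Open(k, sealed)
	fmt.Printf("roundtrip: %q err=%v\n", plain, err)
	sealed[ivSize] ^= 0x01 // flip one ciphertext bit
	_, err = Open(k, sealed)
	fmt.Println("tampered:", err)
}
```

Two details carry the security of this construction: the IV must never repeat under the same AES key (a random 16-byte value per message handles that here), and the comparison of the tag uses hmac.Equal so that timing does not leak how many bytes matched.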

All encryption libraries used are professionally audited.