Password Policies

Information

You can implement various password policies to help increase the security of your Issuetrak site. Behind the scenes, Issuetrak uses substantial protections to avoid the compromise of sensitive customer data; different mechanisms are employed depending on the category of data (see More Information below).

Steps

To activate your system's password options and policies:

1

Navigate to Administration > System > System Settings > Password Policy.

2

To allow users to initiate password changes, select “Activate Self Service Password Reset.” Once activated, users with the “Can change their own password” permission may change their password from Home > My <site name> > Change Password. All users will see a “Forgot your password?” link on the Login screen. When a user follows this link, and that user has the proper permissions and an email address in their user record, Issuetrak emails them a secure, time-limited link that walks them through changing their password; the link remains active for the number of hours configured here.

3

Select/enter any additional password settings that should be applied to user passwords, such as mixed case, expiration periods, unsuccessful attempts before lockout, etc.

If you use the AD Module, the Issuetrak password settings on this screen do not govern users authenticated by Active Directory; the password policies configured in AD are enforced for those users instead.

4

To send email notifications on lockout events, click the “add recipient” link in the “Lockout List” section. The Add Recipient screen will open in a separate window. Enter an existing user ID in the “User ID” field, or click the user search icon next to this field to select from users who have an email address in their user record. If the recipient is not an Issuetrak user, enter the email address in the “Email Address” field. Click Save on the Add Recipient screen. Repeat these steps for each recipient.

5

Click Update.


The message “Parameters successfully updated” will then appear.

More Information

Application user account passwords are secured with PBKDF2 (the password-based key derivation function recommended in NIST SP 800-132), using HMAC-SHA-512 as the underlying pseudorandom function, with an iteration count that exceeds current recommended minimums and that is raised automatically over time. For each new password stored, a new, cryptographically random 64-byte salt is generated and supplied to the function along with the plaintext password. Password hashes are retained only as long as the site administrator has configured, and plaintext passwords are never sent to the database.
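The scheme described above (PBKDF2-HMAC-SHA-512, a fresh random 64-byte salt per password, an iteration count that grows over time) as an added illustration in Go. This is example code written for this page, not Issuetrak's implementation: the iteration target, the record layout and the function names are assumptions, and PBKDF2 is written out inline (per RFC 8018) only so the example needs nothing beyond the standard library; a production system should use a vetted implementation such as golang.org/x/crypto/pbkdf2 or the platform's own. The point it adds to the paragraph is how "continues to increase automatically" works in practice: the iteration count travels with each stored hash, and a record made with a lower count is upgraded at the next successful login, the only moment the plaintext is available.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Illustrative parameters; the current iteration target is an assumption, not
// Issuetrak's value. Raising it over time is what lets stored hashes get stronger.
const (
	saltLen     = 64     // cryptographically random 64-byte salt, as the page describes
	keyLen      = 64     // output length; SHA-512 produces 64 bytes
	currentIter = 210000 // hypothetical current target; increase it as hardware improves
)

// StoredPassword carries the parameters used at creation time alongside the
// hash, so a record can be verified (and later upgraded) without a migration.
type StoredPassword struct {
	Iterations int
	Salt       []byte
	Hash       []byte
}

// pbkdf2HMACSHA512 is the PBKDF2 construction from RFC 8018 with HMAC-SHA-512
// as the PRF: T_i = U_1 xor ... xor U_c, U_1 = PRF(salt || INT(i)), U_j = PRF(U_{j-1}).
func pbkdf2HMACSHA512(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha512.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword draws a fresh random salt for every stored password, so two
// users with the same password never share a hash and precomputed tables are useless.
func HashPassword(password string, iterations int) (StoredPassword, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	return StoredPassword{
		Iterations: iterations,
		Salt:       salt,
		Hash:       pbkdf2HMACSHA512([]byte(password), salt, iterations, keyLen),
	}, nil
}

// VerifyPassword recomputes the hash with the record's own parameters and
// compares in constant time so timing does not reveal how many bytes matched.
func VerifyPassword(rec StoredPassword, password string) bool {
	candidate := pbkdf2HMACSHA512([]byte(password), rec.Salt, rec.Iterations, keyLen)
	return subtle.ConstantTimeCompare(candidate, rec.Hash) == 1
}

// NeedsRehash reports whether a record predates the current iteration target.
func NeedsRehash(rec StoredPassword) bool {
	return rec.Iterations < currentIter
}

func main() {
	rec, err := HashPassword("correct horse battery staple", currentIter)
	if err != nil {
		panic(err)
	}
	fmt.Println("salt:", hex.EncodeToString(rec.Salt)[:16]+"...", "iterations:", rec.Iterations)
	fmt.Println("correct password verifies:", VerifyPassword(rec, "correct horse battery staple"))
	fmt.Println("wrong password verifies:  ", VerifyPassword(rec, "Correct horse battery staple"))
	old, _ := HashPassword("legacy", 1000) // constructed old record with a low count
	if VerifyPassword(old, "legacy") && NeedsRehash(old) {
		old, _ = HashPassword("legacy", currentIter) // upgrade on a successful login
	}
	fmt.Println("upgraded iterations:", old.Iterations)
}
```

The upgrade branch in main is the whole reason the iteration count is stored per record rather than as a single global setting: a global bump would silently break verification of every existing hash, whereas per-record parameters let old and new records coexist until each user logs in.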

Passwords for connecting to external servers (such as mail servers and Active Directory servers) are encrypted with AES-256 in CTR mode and authenticated with HMAC using SHA-384. The HMAC matters: CTR mode on its own provides confidentiality but no integrity, so without it a stored ciphertext could be altered undetected. Keys are generated as sets of cryptographically random 32-byte values. During use, these keys are stored in the ASP.NET website's web.config file as configuration sections protected with the Windows Data Protection API (DPAPI). Because DPAPI ties that protection to the machine (or account) that performed it, a web.config copied to another server cannot yield the keys there until the protected section is re-encrypted on the new machine.
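An added example, in Go, of the construction the paragraph describes: AES-256-CTR for confidentiality with a separate HMAC-SHA-384 over the IV and ciphertext for integrity, each under its own random 32-byte key. This is illustration written for this page, not Issuetrak's code; the blob layout (iv || ciphertext || tag), the encrypt-then-MAC order, the function names and the sample secret are assumptions, and the keys are generated in memory rather than read from a DPAPI-protected web.config. It shows the check a practitioner wants to see: the tag is verified before any decryption, and a single flipped ciphertext bit, which CTR mode alone would pass straight through into the decrypted password, is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// ErrAuth is returned for any blob whose tag does not verify; the caller gets no
// hint whether the IV, the ciphertext or the tag was the part that changed.
var ErrAuth = errors.New("credential blob failed authentication")

// CredentialKeys holds two independent random 32-byte keys: one for AES-256 and
// one for HMAC-SHA-384. Reusing a single key for both jobs is a classic mistake.
type CredentialKeys struct {
	EncKey []byte
	MacKey []byte
}

// NewCredentialKeys draws both keys from the OS CSPRNG. In the deployment the page
// describes they would then live in web.config under DPAPI; here they stay in memory.
func NewCredentialKeys() (CredentialKeys, error) {
	k := CredentialKeys{EncKey: make([]byte, 32), MacKey: make([]byte, 32)}
	if _, err := rand.Read(k.EncKey); err != nil {
		return CredentialKeys{}, err
	}
	if _, err := rand.Read(k.MacKey); err != nil {
		return CredentialKeys{}, err
	}
	return k, nil
}

// Seal encrypts a stored credential with AES-256-CTR under a fresh random IV and
// appends an HMAC-SHA-384 tag over iv || ciphertext (encrypt-then-MAC).
// Output layout: iv (16 bytes) || ciphertext (len(plaintext)) || tag (48 bytes).
func Seal(k CredentialKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	mac := hmac.New(sha512.New384, k.MacKey)
	mac.Write(iv)
	mac.Write(ct)
	out := append(iv, ct...)
	return mac.Sum(out), nil
}

// Open verifies the tag first and only then decrypts. CTR mode is malleable:
// flipping a ciphertext bit flips the same plaintext bit, so without this check
// anyone who can edit the stored blob could rewrite the decrypted password.
func Open(k CredentialKeys, sealed []byte) ([]byte, error) {
	const tagLen = sha512.Size384
	if len(sealed) < aes.BlockSize+tagLen {
		return nil, ErrAuth
	}
	iv := sealed[:aes.BlockSize]
	ct := sealed[aes.BlockSize : len(sealed)-tagLen]
	tag := sealed[len(sealed)-tagLen:]
	mac := hmac.New(sha512.New384, k.MacKey)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	keys, err := NewCredentialKeys()
	if err != nil {
		panic(err)
	}
	sealed, _ := Seal(keys, []byte("smtp-password-example")) // constructed sample secret
	pt, err := Open(keys, sealed)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	sealed[aes.BlockSize] ^= 0x01 // flip one ciphertext bit
	_, err = Open(keys, sealed)
	fmt.Println("after tampering:", err)
}
```

A fresh IV per Seal call is not optional with CTR mode: reusing an IV under the same key XORs two keystreams away and exposes the XOR of the two stored passwords, which is why the example draws the IV from the CSPRNG and writes it into the blob rather than deriving it from anything predictable.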

All encryption libraries used are professionally audited.


Applies To:

Issuetrak 10.3+