Enhanced eWeb Password Security
NetForum has enhanced eWeb login security by adding login security features for eWeb users. To access the eWeb Login Security Settings page, you must have administrator privileges. Only an admin can change the level of login security settings for the users of an organization or association. The sections below describe the features available for eWeb Login Security and how to implement them.
To access eWeb Login Security Settings, complete the following steps:
- Log in to iWeb with Admin credentials.
- Go to the Admin module, scroll down, and expand the eWeb Login Security group item.
- Click the eWeb Login Security Settings group item link.
Alternatively, you can access this page from: Admin module > Overview group item > Overview group item link. On the Overview page, under the Management Tools section, click the eWeb Login Security Settings link.
This displays the eWeb Login Security Settings window.
Account Lockout Policy
On the eWeb Login Security Settings window, the Account Lockout Policy section is at the top. Using the Account Lockout Policy feature, you can set the number of failed logon attempts allowed before a user account is locked out. The purpose of this feature is to stop anyone who tries to log in by guessing random passwords.
- On the eWeb Login Security Settings window, under the Account Lockout Policy section, select the Enabled? check box to enable this feature. Once the check box is selected, you can update the Number of failed Logon attempts before lockout field as needed. The default value for this field is 5, and the available range is from 1 to 12.
To unlock an eWeb user account that was locked due to failed attempts, complete the following steps:
- Open the individual or organization profile for which you want to unlock the account.
- Click the Edit menu in the top navigation bar. From the displayed list, click the Web login info link. This displays the Edit Web Login Information page.
- Scroll down to the Access Information section. The Web Login Locked? check box will be selected.
- Clear the Web Login Locked? check box to unlock the eWeb account.
Note: Whenever an eWeb user account is locked out, the Web Login Locked? check box is selected automatically.
Password Expiration Policy
Password Expiration Policy controls the number of days for which eWeb users can access their eWeb account with the same password. This number of days is set by an administrator. Based on the organization's needs, the admin can enable or disable this feature and set a term (in days) for password expiration.
If the Password Expiration Policy is enabled and the Password expiration term (in days) is set to a number within the specified range, for example 45, then the eWeb user's password expires 45 days after it was last updated. When the user then tries to log in to the eWeb account with the current login credentials, the system displays the message "Password has expired. You must reset your password to access the site." and asks the user to reset the password.
Note: The password expiration term range is from 1 to 90 days; the admin can set any number within this range according to the organization's needs. If you enter a number outside the specified range, the system displays the message "Only whole numbers from 1 to 90 are allowed."
Require Strong Passwords
This feature contains the Password Complexity and Password Reuse Policy sections. Password Complexity guides the user to set a strong password in a number of ways, explained below. Password Reuse Policy prevents the user from setting a previously used password again. The admin can set or change the strong password settings based on the organization's needs. The purpose of this feature is to safeguard the user's eWeb account from unknown parties trying to access it with simple and random passwords. Once this feature is enabled, when a user tries to reset the password to a simple one such as 1234 or ABCD, the system displays a message stating that the password does not meet the minimum strong password requirements and asks the user to set a password that meets them.
To enable the strong password feature, select the Enabled? check box under the Require Strong Passwords fields. When enabled, it makes the Password Complexity and Password Reuse Policy sub-settings editable. Refer to the sections below for information on how to implement and update them according to the organization's requirements.
Password Complexity
Password Complexity contains five fields: a Minimum Password Length field and four check boxes for the different types of characters to be used in a strong password.
The default value for Minimum Password Length is 10, and the available range is from 8 to 50.
Note: If you enter a value outside the specified range, the system displays the message "Only whole numbers from 8 to 50 are allowed".
The four check boxes under the Password Complexity sub-settings can be used to make passwords more complex. They force the user to use different types of characters when setting the eWeb password. Depending on the organization's needs, the admin can select any one of them, any combination, or all of them. It is recommended to select all four check boxes to increase the complexity of the password pattern and lower the security risk of password misuse.
The supported special characters that can be used for setting the eWeb password are available under the At least one special character required? check box field. The default special characters are: @, !, #, $, % (not including commas).
Note: NetForum does not support any characters other than alphabetic characters, numeric characters, and the predefined list of special characters. The special character list applies to the password whether the special character requirement is turned on or off.
The admin can add or remove special characters as needed by using the EWebLoginSupportedSpecialChars system option. Any special character added to or deleted from this system option is reflected in the list of Supported special characters (highlighted in the above screenshot) under the Password Complexity section.
Password Reuse Policy
The Password Reuse Policy section contains a Number of passwords to remember field, which sets how many previous passwords the system remembers. The system keeps a record of previously used passwords and uses this history to stop a user from resetting the password to one that was already used.
The default value for the number of old passwords to remember is 6, and the available range is from 4 to 12.
The Password Reuse Policy section also has a note at the bottom which states that the password cannot contain the eWeb login or email address of the eWeb user.
Note: The minimum requirements for a strong password are displayed on the eWeb page when a user fails to set a strong password. This guides the user in setting a strong password.
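The complexity and reuse rules described above can be read as a single check that returns every rule a candidate password violates. The following is an added example, not NetForum code: the function names, the uppercase, lowercase and digit rules, the case-insensitive login and email match, and the salted PBKDF2 history storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Defaults from the page; the upper/lower/digit classes are assumed check boxes.
SUPPORTED_SPECIALS = "@!#$%"   # default EWebLoginSupportedSpecialChars value
MIN_LENGTH = 10                # configurable from 8 to 50
REMEMBER = 6                   # configurable from 4 to 12


def hash_password(password, salt=None):
    """Salted PBKDF2 digest, so the history never holds plaintext (assumed scheme)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password, login, email, history, min_length=MIN_LENGTH,
                   specials=SUPPORTED_SPECIALS, require_special=True,
                   remember=REMEMBER):
    """Return the list of violated rules; an empty list means accepted.

    history is a list of (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    # Only ASCII letters, digits and the supported specials are accepted,
    # whether or not a special character is required.
    if any(not (c.isascii() and c.isalnum()) and c not in specials
           for c in password):
        problems.append("unsupported_character")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if require_special and not any(c in specials for c in password):
        problems.append("no_special")
    # The password may not contain the eWeb login or email address.
    lowered = password.lower()
    if any(v and v.lower() in lowered for v in (login, email)):
        problems.append("contains_login_or_email")
    # Compare against the last `remember` stored digests in constant time.
    for salt, digest in history[-remember:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reused")
            break
    return problems
```

Returning all violations at once matches the behaviour described in the final note, where the user is shown the full set of minimum requirements after a failed reset.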