Password Policies

Structr supports various password policies to increase password security.

Settings

The following configuration keys can be configured via structr.conf or the configuration servlet (available under /structr/config if enabled in structr.conf).

security.passwordpolicy.forcechange

Indicates if a forced password change is active. Defaults to false.

security.passwordpolicy.maxage

The number of days after which a user has to change their password. Default is 90.

security.passwordpolicy.remindtime

The number of days before the user must change the password during which a warning should be issued. Defaults to 14. Structr does not show this warning itself; it has to be handled in application code.
Use the config() function to retrieve the value and show a warning.

security.passwordpolicy.maxfailedattempts

The maximum number of failed login attempts before a user is blocked. Default is 4. Can be disabled by setting to zero or a negative number.

security.passwordpolicy.resetFailedAttemptsOnPasswordReset

Configures if resetting the user's password also resets the failed login attempts counter. Defaults to true. If set to false, the failed login attempt counter will not be reset when the user makes use of the “Reset Password” functionality. The intention is that an administrative user has to manually “reset” a user account after it was blocked because of too many failed login attempts.

Login procedure

If security.passwordpolicy.forcechange is enabled, a user has to change their password every security.passwordpolicy.maxage days. If the password has not been changed in time, the login attempt will result in a status code 401 with the additional response header reason=passwordChangeRequired.
The date the password was last changed is stored in User.passwordChangeDate.

If a user has supplied the wrong login credentials security.passwordpolicy.maxfailedattempts times, the following login attempts will result in a status code 401 with the additional response header reason=loginAttempts. The number of failed login attempts is stored in User.passwordAttempts.

If the login happens through the integrated edit mode binding, the injected JavaScript will handle everything automatically and inform the user accordingly.
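For a custom login page that does not use the edit mode binding, the application has to interpret the 401 responses above itself and also compute the remindtime warning from User.passwordChangeDate. The following is an added example, not Structr's own code; it assumes the response headers were copied into a plain object with lowercase names (as Object.fromEntries(response.headers) produces for fetch()) and that a 401 without a reason header is an ordinary credential failure.

```javascript
// Added example (not Structr's code): interpreting the password policy
// responses described above and computing the remindtime warning.

// Classify a login response by status code and the "reason" response header.
// `headers` is a plain object with lowercase header names.
function classifyLoginResponse(status, headers) {
  if (status === 200) return "ok";
  if (status !== 401) return "error";
  const reason = (headers && headers["reason"]) || "";
  if (reason === "passwordChangeRequired") return "passwordChangeRequired";
  if (reason === "loginAttempts") return "blocked"; // maxfailedattempts exceeded
  return "invalidCredentials"; // assumption: 401 without the header
}

// Days until the password expires, from User.passwordChangeDate, the current
// time and security.passwordpolicy.maxage (days). Negative means overdue.
function daysUntilPasswordExpiry(passwordChangeDate, now, maxAgeDays) {
  const msPerDay = 24 * 60 * 60 * 1000;
  const expiresAt = new Date(passwordChangeDate).getTime() + maxAgeDays * msPerDay;
  return Math.floor((expiresAt - new Date(now).getTime()) / msPerDay);
}

// Whether the application should show its "change your password soon" warning:
// true when the remaining days are within security.passwordpolicy.remindtime
// (an already overdue password also returns true).
function passwordWarningNeeded(passwordChangeDate, now, maxAgeDays, remindDays) {
  return daysUntilPasswordExpiry(passwordChangeDate, now, maxAgeDays) <= remindDays;
}

// Constructed sample: password changed 80 days ago, policy defaults 90 / 14.
const sampleChangeDate = "2024-01-01T00:00:00Z";
const sampleNow = "2024-03-21T00:00:00Z";
console.log(classifyLoginResponse(401, { reason: "passwordChangeRequired" }));
console.log(daysUntilPasswordExpiry(sampleChangeDate, sampleNow, 90)); // 10
console.log(passwordWarningNeeded(sampleChangeDate, sampleNow, 90, 14)); // true
```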