Password Policies
Structr supports various password policies to increase password security.
Settings
The following configuration keys can be configured via structr.conf or the configuration servlet (available under /structr/config if enabled in structr.conf).
security.passwordpolicy.forcechange
Indicates whether a forced password change is active. Defaults to false.

security.passwordpolicy.maxage
The number of days after which a user has to change their password. Defaults to 90.

security.passwordpolicy.remindtime
The number of days before the user must change the password during which a warning should be issued. This has to be handled in application code; use the config() function to retrieve the value and show a warning. Defaults to 14.

security.passwordpolicy.maxfailedattempts
The maximum number of failed login attempts before a user is blocked. Defaults to 4. Can be disabled by setting it to zero or a negative number.

security.passwordpolicy.resetFailedAttemptsOnPasswordReset
Configures whether resetting the user's password also resets the failed login attempts counter. Defaults to true. If set to false, the failed login attempt counter will not be reset when the user makes use of the "Reset Password" functionality. The intention is that an administrative user has to manually "reset" a user account after it was blocked because of too many failed login attempts.
Login procedure
If security.passwordpolicy.forcechange is enabled, a user has to change their password every security.passwordpolicy.maxage days. If the password has not been changed in time, the login attempt will result in status code 401 with the additional response header reason=passwordChangeRequired.

The date the password was last changed is stored in User.passwordChangeDate.
If a user has supplied the wrong login credentials security.passwordpolicy.maxfailedattempts times, the following login attempts will result in status code 401 with the additional response header reason=loginAttempts. The number of failed login attempts is stored in User.passwordAttempts.
If the login happens through the integrated edit mode binding, the injected JavaScript handles all of this automatically and informs the user accordingly.
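A custom login page that does not use the edit mode binding has to interpret these responses itself. The following JavaScript is an added example, not Structr's own code: it maps the status code and the reason header described above to an outcome the page can act on. The 401 status and the header values passwordChangeRequired and loginAttempts are taken from the documentation; the outcome names, the message texts, the assumption that a 2xx status means a successful login, and the login URL and JSON body shape of the fetch helper are this example's own and should be checked against the installation.

```javascript
// Added example (not Structr's own code): interpret the outcome of a login
// request against a Structr backend. Status 401 and the `reason` header values
// passwordChangeRequired / loginAttempts are documented behaviour; the outcome
// names, messages and the "2xx means success" rule are assumptions of this example.

const LoginOutcome = Object.freeze({
  SUCCESS: 'success',
  PASSWORD_CHANGE_REQUIRED: 'passwordChangeRequired',
  ACCOUNT_BLOCKED: 'accountBlocked',
  BAD_CREDENTIALS: 'badCredentials',
  UNEXPECTED: 'unexpected',
});

/**
 * Map a login response to an outcome the client can act on.
 * @param {number}      status  HTTP status code of the login response
 * @param {string|null} reason  value of the `reason` response header, if present
 */
function classifyLoginResponse(status, reason) {
  if (status >= 200 && status < 300) return LoginOutcome.SUCCESS;
  if (status !== 401) return LoginOutcome.UNEXPECTED;

  // Header values may carry surrounding whitespace; compare the trimmed value.
  switch ((reason ?? '').trim()) {
    case 'passwordChangeRequired':
      // forcechange is on and User.passwordChangeDate is older than maxage days.
      return LoginOutcome.PASSWORD_CHANGE_REQUIRED;
    case 'loginAttempts':
      // User.passwordAttempts reached maxfailedattempts; further attempts keep
      // failing until the counter is reset.
      return LoginOutcome.ACCOUNT_BLOCKED;
    default:
      // Plain 401 without a policy reason: wrong username or password.
      return LoginOutcome.BAD_CREDENTIALS;
  }
}

// What a page might show for each outcome (texts are this example's choice).
function loginMessage(outcome) {
  switch (outcome) {
    case LoginOutcome.SUCCESS:
      return 'Login successful.';
    case LoginOutcome.PASSWORD_CHANGE_REQUIRED:
      return 'Your password has expired. Please set a new password to continue.';
    case LoginOutcome.ACCOUNT_BLOCKED:
      return 'Your account is blocked after too many failed login attempts. Please contact an administrator.';
    case LoginOutcome.BAD_CREDENTIALS:
      return 'Wrong username or password.';
    default:
      return 'Login failed due to an unexpected server response.';
  }
}

// Client-side login using fetch. loginUrl and the JSON body shape are
// assumptions to be checked against the target installation; fetchImpl is
// injectable so the function can be exercised without a network.
async function login(loginUrl, credentials, fetchImpl = fetch) {
  const response = await fetchImpl(loginUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(credentials),
  });
  // Headers.get() is case-insensitive, so 'reason' matches however the server spells it.
  return classifyLoginResponse(response.status, response.headers.get('reason'));
}

// Constructed sample responses covering every documented case.
const sampleLoginResponses = [
  { status: 200, reason: null },
  { status: 401, reason: 'passwordChangeRequired' },
  { status: 401, reason: ' loginAttempts ' },
  { status: 401, reason: null },
  { status: 500, reason: null },
];
for (const r of sampleLoginResponses) {
  const outcome = classifyLoginResponse(r.status, r.reason);
  console.log(r.status, JSON.stringify(r.reason), '->', outcome, '|', loginMessage(outcome));
}
```

Keeping the classification separate from the transport makes the policy handling testable with constructed responses, and lets the same function serve a fetch-based page and any other HTTP client in the application.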