Password Security in DRS

Updated by Andrew Dotto

Purpose

This article is written to help you understand the password security policies available in DRS 6.

DRS 7 will be delivered with Single Sign-On and Multi-Factor Authentication.


Password Security and Why It's Important

Password security is a crucial aspect of maintaining the integrity of your application. A strong password serves as the first line of defence against unauthorised access to your personal and sensitive information. Weak or easily guessable passwords can be compromised by malicious actors, leading to identity theft, financial loss, and reputational damage.

Using unique, complex passwords that are regularly updated can significantly reduce the risk of a data breach. Enabling single sign-on and keeping software and systems up to date with the latest security patches provide additional layers of protection.

By prioritising password security, you can safeguard your digital identity and prevent potential harm to yourself and others.


How does it work

DRS 6 natively provides two options for password security: LDAP Single Sign-On using Basic or Kerberos integration, and built-in password security parameters. This document discusses each option so that you can make the best choice for your implementation.


LDAP Single Sign On

LDAP Single Sign-On (SSO) enables users to access multiple applications and systems with a single set of login credentials, eliminating the need to remember multiple passwords.

This streamlined authentication process improves the user experience and reduces password fatigue. It also improves security: DRS no longer holds its own copy of user passwords, so the directory becomes the single credential store to protect, and the directory's own password and lockout policies apply to DRS logins. By consolidating identity management, LDAP SSO also simplifies user administration, allowing administrators to manage access and permissions more efficiently. This results in increased productivity, fewer helpdesk calls, and a more secure and convenient user experience.

DRS 6 is currently only compatible with Basic and Kerberos LDAP SSO configurations. Note that Basic authentication sends the user's credentials with each request using only Base64 encoding, so it must only be deployed over TLS; Kerberos does not send the password to the application at all.

To discuss implementing Single Sign On within your solution, please speak with your Account Manager.


Inbuilt Password Policies

DRS 6 includes several built-in controls to help you harden and secure your DRS instance. These options are configured by contacting OneAdvanced Support or your Application Consultant.


Protection against multiple login tries

DRS can be protected against brute-force password guessing. In this kind of attack, the attacker repeatedly attempts to log in to the application with different passwords, thousands of times a minute, drawn from public password dictionaries.

When configured, DRS allows 3 consecutive failed login attempts on each user account. After the third failure the account is locked for 5 minutes by default, and it cannot be used, even with the correct password, until that delay has passed. The length of the delay is a configurable parameter.

Once the first lock has expired, the user has 2 further attempts. If these also fail, the account is disabled and can only be re-enabled by an authorised administrator. Because the hard lock can be triggered deliberately against a known username, lockout events should be monitored and the administrator re-enable process should be in place before the control is switched on.

This rule is applied on user login.
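The lockout sequence described above, written out as a small state machine. This is an added illustration and not DRS code: the 3-attempt, 5-minute and 2-attempt figures are the documented defaults, while the assumptions are that a successful login resets the failure counter, that attempts made during the temporary lock are rejected without being counted, and that the credential check itself lives elsewhere (passed in as the `verify` callback). The account name and password in `demo()` are constructed sample data.

```python
"""Login lockout modelled on the DRS 6 behaviour described in the article.
Added illustration only, not DRS code; see the assumptions in the lead-in."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    first_threshold: int = 3                      # consecutive failures before the temporary lock
    temp_lock: timedelta = timedelta(minutes=5)   # length of that lock (configurable in DRS)
    second_threshold: int = 2                     # further failures after it before the hard lock


@dataclass
class AccountState:
    failures: int = 0                             # consecutive failures in the current window
    temp_locked_until: Optional[datetime] = None
    had_temp_lock: bool = False                   # True once the 5-minute lock has been applied
    hard_locked: bool = False                     # only an administrator clears this


class Authenticator:
    def __init__(self, verify: Callable[[str, str], bool], policy: LockoutPolicy):
        # verify(user, password) consults the credential store (salted hashes in
        # practice); the lockout accounting below is independent of it.
        self.verify = verify
        self.policy = policy
        self.state: Dict[str, AccountState] = {}

    def login(self, user: str, password: str, now: datetime) -> str:
        """Outcome of one attempt. Show the user one generic failure message for
        every non-OK outcome so the response does not reveal valid usernames."""
        st = self.state.setdefault(user, AccountState())
        if st.hard_locked:
            return "HARD_LOCKED"
        if st.temp_locked_until is not None and now < st.temp_locked_until:
            return "TEMP_LOCKED"                  # rejected even if the password is right
        if self.verify(user, password):
            self.state[user] = AccountState()     # assumption: success resets the counters
            return "OK"
        st.failures += 1
        threshold = self.policy.second_threshold if st.had_temp_lock else self.policy.first_threshold
        if st.failures < threshold:
            return "FAILED"
        if not st.had_temp_lock:                  # first threshold reached: timed lock
            st.had_temp_lock = True
            st.failures = 0
            st.temp_locked_until = now + self.policy.temp_lock
            return "TEMP_LOCKED"
        st.hard_locked = True                     # second threshold reached: admin must act
        return "HARD_LOCKED"

    def admin_unlock(self, user: str) -> None:
        """An authorised administrator re-enables a hard-locked account."""
        self.state[user] = AccountState()


def demo() -> List[str]:
    """Replay the documented sequence against a constructed account (sample data)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    auth = Authenticator(lambda u, p: (u, p) == ("alice", "Correct-Horse-9"), LockoutPolicy())
    steps = [
        ("bad", 0), ("bad", 0), ("bad", 0),       # three failures -> 5-minute lock
        ("Correct-Horse-9", 1),                   # right password, but still inside the delay
        ("bad", 5), ("bad", 5),                   # two further failures -> hard lock
        ("Correct-Horse-9", 6),                   # stays locked until an admin acts
    ]
    outcomes = [auth.login("alice", pw, t0 + timedelta(minutes=m)) for pw, m in steps]
    auth.admin_unlock("alice")
    outcomes.append(auth.login("alice", "Correct-Horse-9", t0 + timedelta(minutes=7)))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks through the full sequence: two plain failures, the timed lock, a correct password rejected during the delay, one more failure allowed after it, then the hard lock that only `admin_unlock()` clears.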

Password minimum length

By default, DRS requires passwords of at least 6 characters. This parameter can be set to any value greater than 1 and should be raised to suit your security needs; the default is low by current standards, and NIST SP 800-63B, for example, requires a minimum of 8 characters for user-chosen passwords.

This rule is applied on user create and password update.

Password strength

Password strength is key to ensuring your application is robustly secured. DRS can be configured with a series of complexity rules which, combined, define the password complexity required of your users.

DRS can force the inclusion of:

  • Upper and Lower Case
  • Numbers
  • Special Characters

This rule is applied on user create and password update.

Passwords cycle

DRS can control and manage the password history of users. A value can be defined for the number of historical passwords, counting back from the most recent, that a user cannot reuse. DRS keeps a record of previously used passwords, so if this parameter is enabled after the product has been in use for some time, the previously stored passwords are applied immediately when the policy is enforced.

This rule is applied on user create and password update.

Password dictionary

A password dictionary can be used to forbid the most common insecure passwords.

The dictionary can only be opened from inside the deployed FFAConnectorServices application. The dictionary content must consist of one forbidden password per line. The comparison is case-insensitive.

This rule is applied on user create and password update.

Password lifetime

A lifetime limit can be configured to ensure that passwords are changed regularly. This value must be greater than 1 and is measured in days.

If the control is activated and the password has expired, the user will still be able to log in through the Login Portal and reach the Home page, but will be restricted from using all other parts of the application until a password reset or change has occurred.

The lifetime is counted from user creation or the most recent password update, and expiry is enforced at login.
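The password-setting rules above (minimum length, strength, password cycle, dictionary and lifetime) as one validator, so the checks that run "on user create and password update" and the lifetime check that runs at login can be seen together. This is an added example, not DRS code: the PBKDF2 hashing used for the history, the characters counted as "special" (`string.punctuation`), the 90-day lifetime and 5-deep history defaults, and the dictionary contents and passwords used in `demo()` are all assumptions or constructed sample data; only the 6-character minimum is a documented DRS default.

```python
"""Password-setting rules modelled on the DRS 6 parameters in the article.
Added illustration only, not DRS code; see the assumptions in the lead-in."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # assumption: the article does not say how DRS stores history


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so the stored history never holds reusable plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def load_dictionary(text: str) -> FrozenSet[str]:
    """File format from the article: one forbidden password per line, matched case-insensitively."""
    return frozenset(line.strip().lower() for line in text.splitlines() if line.strip())


@dataclass
class Policy:
    min_length: int = 6                      # DRS default
    require_mixed_case: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_depth: int = 5                   # the most recent N passwords cannot be reused
    dictionary: FrozenSet[str] = frozenset()
    lifetime_days: Optional[int] = 90        # None disables the lifetime control


@dataclass
class UserRecord:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # most recent first
    last_changed: Optional[date] = None


def check_new_password(password: str, user: UserRecord, policy: Policy) -> List[str]:
    """Every rule the candidate violates; an empty list means it is acceptable."""
    failures: List[str] = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed_case and not (
        any(c.isupper() for c in password) and any(c.islower() for c in password)
    ):
        failures.append("needs both upper- and lower-case letters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("needs a digit")
    if policy.require_special and not any(c in string.punctuation for c in password):
        failures.append("needs a special character")
    if password.lower() in policy.dictionary:
        failures.append("appears in the forbidden-password dictionary")
    # Only the most recent history_depth entries count, so an old password
    # becomes reusable once enough newer ones have been set.
    if any(matches(password, s, d) for s, d in user.history[:policy.history_depth]):
        failures.append(f"matches one of the last {policy.history_depth} passwords")
    return failures


def set_password(password: str, user: UserRecord, policy: Policy, today: date) -> None:
    """Applied on user create and password update; records the change on success."""
    failures = check_new_password(password, user, policy)
    if failures:
        raise ValueError("; ".join(failures))
    user.history.insert(0, hash_password(password))
    user.last_changed = today


def password_expired(user: UserRecord, policy: Policy, today: date) -> bool:
    """Lifetime check at login; an expired user is held at the Home page until set_password() succeeds."""
    if policy.lifetime_days is None or user.last_changed is None:
        return False
    return today - user.last_changed >= timedelta(days=policy.lifetime_days)


def demo() -> dict:
    """Constructed walk-through: a two-line forbidden-password file, 2-deep history, 90-day lifetime."""
    policy = Policy(dictionary=load_dictionary("Password1!\nWelcome123\n"), history_depth=2)
    user = UserRecord()
    out = {"weak": check_new_password("short", user, policy),
           "dictionary": check_new_password("PASSWORD1!", user, policy)}
    set_password("Tr0ub4dor&3", user, policy, date(2024, 1, 1))
    out["reuse_blocked"] = check_new_password("Tr0ub4dor&3", user, policy)
    set_password("Correct-Horse-9", user, policy, date(2024, 1, 2))
    set_password("Battery#Staple7", user, policy, date(2024, 1, 3))
    out["reuse_after_depth"] = check_new_password("Tr0ub4dor&3", user, policy)  # outside the last 2
    out["expired_day_89"] = password_expired(user, policy, date(2024, 4, 1))
    out["expired_day_90"] = password_expired(user, policy, date(2024, 4, 2))
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the history holds salted slow hashes rather than the passwords themselves, because a history table in plaintext is exactly the kind of data the cycle rule is meant to protect; and the dictionary is lower-cased once at load time, matching the article's statement that the check is case-insensitive.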

Additional Password parameters

DRS can also be configured to secure user accounts and passwords in the following ways:

  • Standard users can be prohibited from changing their own passwords. With this setting enabled, all password resets and changes must be completed by an authorised Administrator account.
  • Users can be forced to change their password on first login. This is an optional parameter on user creation, but it can also be applied as a mandatory requirement on all user accounts.

If you would like to discuss or enable any of these features, please get in contact with OneAdvanced Support, or your allocated Application Consultant.
