1. Password strength

    Article: AN0002335Updated: 02.04.2019

    When authentication by name and password is used, password strength is imported for security reasons. Administrator can influence required password strength by three parameters in the web.config file. It is a total password strength, minimal password length (number of characters in the password) and minimal count of special characters. In the  web.config you can set these parameters:  MinPasswordScore, minRequiredPasswordLength a vminRequiredNonalphanumericCharacters.

    Algorithm for determining password strength takes into account these parameters:

    • length of the password (number of characters)
    • repetition of characters in the password
    • use of upper and low case characters
    • use of numerical characters
    • use of special characters: .*[!,@,#,$,%,^,&,*,?,_,~]

    If you do not set another values for above characters, ObjectGears will work with these values:

    • MinPasswordScore = 75
    • minRequiredPasswordLength = 7
    • vminRequiredNonalphanumericCharacters = 1

    Password expiration

    The password should be changed time to time due to security reasons. This is faciliated by the parameter MaxPasswordValidInDays in the file web.config. If the parameter is defined (its value is greater than 0), then the password is checked for its last change at the time of user logon. In case that the password is older than the above parameter defines, user is not permitted to logon before changing his/her password.

    Ten days before password expires, user is informed at login about approaching password expiry. User can then change the password in advance.

    Password expiry is checked only in case of authentication by user name and password. In case of domain authentication password expiry is not checked.