Bulletin: How EpiCenter Manages User Passwords
EpiCenter offers a set of built-in password complexity rules intended to enhance password security. EpiCenter customers may enable any subset of these rules to restrict user passwords. When no password rules are enabled, EpiCenter will allow users to choose passwords without restriction. Passwords may be of any length and contain any combination of character types (upper/lower case letters, numbers, or punctuation).
Password Rules Supported by EpiCenter
As of the release of EpiCenter version 3.5.18, the password validation rules are as follows:
- The password must be at least 8/9/10/12 characters (length to be selected by the customer).
- The password must contain 1 digit character.
- The password must contain at least 1 lowercase character.
- The password must contain at least 1 non-alphanumeric character.
- The password must contain at least 1 uppercase character.
- The password must not contain any whitespace.
- The password must not contain the person’s username, spelled either forward or backward.
- Lock account for a certain length of time after a certain number of failed login attempts.
  - Length of time and number of failed login attempts must be specified by the customer.
- The password will expire after a certain number of days.
  - The number of days must be specified by the customer.
If an organization enables one or more of the above password selection rules, EpiCenter will enforce all enabled rules for all new passwords. In other words, a chosen password must conform to every rule that has been activated. If any of the enabled rules is violated, the password is invalid and the system will disallow it.
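The enforcement logic described above can be sketched as follows. This is an added illustration, not EpiCenter code: the rule names, the function names, and the case-insensitive username comparison are assumptions, and only the composition rules are covered (lockout and expiry are account policies, not checks on the password string).

```python
ALLOWED_MIN_LENGTHS = (8, 9, 10, 12)  # the minimum lengths the bulletin lists

def _no_username(pw, user):
    # Assumption: case-insensitive match; the bulletin does not specify.
    p, u = pw.casefold(), user.casefold()
    if not u:  # an empty username is a substring of every password
        return True
    return u not in p and u[::-1] not in p

# Hypothetical rule labels for this sketch, not EpiCenter setting names.
RULES = {
    "digit": lambda pw, user: any(c.isdigit() for c in pw),
    "lowercase": lambda pw, user: any(c.islower() for c in pw),
    "uppercase": lambda pw, user: any(c.isupper() for c in pw),
    "non_alphanumeric": lambda pw, user: any(not c.isalnum() for c in pw),
    "no_whitespace": lambda pw, user: not any(c.isspace() for c in pw),
    "no_username": _no_username,
}

def violations(password, username, enabled, min_length=None):
    """Return the sorted names of the enabled rules that the password breaks."""
    unknown = set(enabled) - set(RULES)
    if unknown:
        raise ValueError(f"unknown rules: {sorted(unknown)}")
    if min_length is not None and min_length not in ALLOWED_MIN_LENGTHS:
        raise ValueError(f"min_length must be one of {ALLOWED_MIN_LENGTHS}")
    failed = [name for name in enabled if not RULES[name](password, username)]
    if min_length is not None and len(password) < min_length:
        failed.append("min_length")
    return sorted(failed)

def is_valid(password, username, enabled, min_length=None):
    # A password is accepted only if every enabled rule passes.
    return not violations(password, username, enabled, min_length)

if __name__ == "__main__":
    # Constructed sample input: reversed username embedded in the password.
    print(violations("htimsj-Pass1", "JSmith", set(RULES), min_length=12))
```

With an empty `enabled` set and no `min_length`, every password is accepted, including the empty string, which matches the unrestricted default the bulletin describes.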