Password Strength Logic
Special Note - Existing Passwords From Previous Ostendo Versions:
Sites migrating from a previous version of Ostendo where this new Password functionality did not exist can choose to implement advanced security or simply continue using their present password structure. Advanced Password options are either active or inactive for the site as a whole.
Enforced Change of Initial Password:
The concept of Password strength has been included with Update 243. Previously, when the default password of 'pass' was initially set, users were never forced to change this password, which could leave sensitive areas of Ostendo exposed to users who should not have authority to access them.
Now by default, once a user logs on with the password of 'pass', if there are any Password Strength rules defined, Ostendo will force the user to change their password using the existing 'Change Password' screen (File -> Change Password). This ensures that users will not be using the default password of 'pass' when they log on in future.
Password Strength:
Ostendo now has the concept of setting and using a global password strength. This ensures that when a user sets their password, it meets the strength the organisation requires.
A new 'Password Strength' screen (File -> System Configuration -> Password Strength) has been created for Administrators to define their organisation's default password strength attributes.
The minimal password strength attributes can be defined as follows:
- Minimum Password Length: Minimum password length in characters (NB: The maximum length is 20 characters)
- Requires Both Alpha and Numeric Characters: Select to require an alphanumeric password
- Requires Both Upper and Lowercase Characters: Select to require both upper and lower case characters
- At Least 1 Symbol Character: Select to require at least 1 symbol character, e.g. !, @, %, $ etc.
- Default New User Password: This is an override default password that replaces the standard password of 'pass' used when resetting a user's password or when a new user is created. If you have Password Strength rules defined, ensure this default password 'Does NOT' meet these rules. This will ensure the user must change their password.
NB: If turning on 'ANY' Password Strength rules for the first time, ensure existing users initially log on with their existing password in UPPERCASE. They will then be prompted to change their current password if it does not meet the current Password Strength criteria.
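The rules above, and the advice that an override default password must fail them, can be checked with a short script. This is an added example, not Ostendo code: the `PasswordPolicy` class, its field names, the sample passwords and the definition of a symbol as any ASCII punctuation character are assumptions made for illustration.

```python
import string
from dataclasses import dataclass

MAX_LENGTH = 20  # maximum password length stated on this page


@dataclass
class PasswordPolicy:
    """Hypothetical model of the 'Password Strength' screen settings."""
    min_length: int = 0
    alpha_and_numeric: bool = False
    upper_and_lower: bool = False
    symbol: bool = False

    def any_rules(self) -> bool:
        return bool(self.min_length or self.alpha_and_numeric
                    or self.upper_and_lower or self.symbol)

    def violations(self, password: str) -> list:
        """Return the names of the rules that `password` fails."""
        failed = []
        if len(password) > MAX_LENGTH:
            failed.append("maximum length")
        if len(password) < self.min_length:
            failed.append("minimum length")
        if self.alpha_and_numeric and not (
                any(c.isalpha() for c in password)
                and any(c.isdigit() for c in password)):
            failed.append("alpha and numeric")
        if self.upper_and_lower and not (
                any(c.isupper() for c in password)
                and any(c.islower() for c in password)):
            failed.append("upper and lowercase")
        # Assumption: a "symbol" is any ASCII punctuation character.
        if self.symbol and not any(c in string.punctuation for c in password):
            failed.append("symbol")
        return failed


def default_forces_change(policy: PasswordPolicy, default_password: str) -> bool:
    """True when an override default fails the policy, as the page advises."""
    return policy.any_rules() and bool(policy.violations(default_password))


if __name__ == "__main__":
    policy = PasswordPolicy(8, True, True, True)
    for candidate in ("Welcome1", "Welcome1!"):  # constructed sample defaults
        print(candidate, policy.violations(candidate),
              default_forces_change(policy, candidate))
```

A default for which `default_forces_change` returns False already satisfies every rule, so by the guidance above a new or reset user would not be made to replace it.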