Configure Password Change
FintechOS Platform provides several options for configuring password change:
- set the period of time (in hours) that must pass before users are able to change their password.
- set the period of time (in days) allowed before a password must be changed.
- configure password change based on the password history.
Setting password minimum age
The minimum password age setting determines the period of time (in hours) that a password can be used before the users can change their password.
To set the password minimum age, on the server where the FintechOS Platform installation package resides, add the following secret in Vault:
Key Path | Key Name | Key Value |
---|---|---|
kv/<environment>/<application>/app-settings | core-setting-ebsauth-password-min-age | 24 |
Where value is the number of hours that must pass before users can change their password.
If the value is empty or negative, or the key is missing, the minimum password age is set to 0 hours, allowing immediate password changes, which is not recommended.
When using the minimum password age, we recommend that you configure the password history as well. This prevents users from changing their password to the same password.
Setting password expiry
The maximum password age setting determines the period of time (in days) that a password can be used before the system requires the user to change it.
Key Path | Key Name | Key Value |
---|---|---|
kv/<environment>/<application>/app-settings | core-setting-ebsauth-password-max-age | 30 |
Where value is the number of days allowed before a password expires and must be changed. The maximum number of days is limited to 999. If the value is empty, 0 or negative, or the key is missing, the password expiration feature is disabled, that is, the password never expires, which is not recommended.
If the user tries to authenticate with an expired password, the login page offers the user the option to reset the password only if the reset password feature is enabled.
Configuring password change based on password history
FintechOS Platform provides the password history feature, which allows you to set whether a new password is checked against the passwords stored in the user's password history. This prevents the user from re-using a recently used password.
To configure password change to take the user's password history into account, on the server where the FintechOS Platform installation package resides, go to Vault and add the following secret:
Key Path | Key Name | Key Value |
---|---|---|
kv/<environment>/<application>/app-settings | core-setting-ebsauth-password-history-depth | 5 |
Where value is the number of historical passwords that are checked when a user tries to change the password. If the user tries to set one of those old passwords, the system forbids it. If the value is empty, 0 or negative, or the key is missing, the password history feature is not enabled (i.e. the user can change the password to the same password).
Setting password about to expire notifications
You might want to remind users that they should change their password within x days before it expires. FintechOS allows you to display such a notification on a web page and to customize the notification message.
To set the password expiry notification, on the server where the FintechOS Platform installation package resides, go to Vault and add the following secret:
Key Path | Key Name | Key Value |
---|---|---|
kv/<environment>/<application>/app-settings | core-setting-ebsauth-password-about-to-expire-days-until-expiration | 30 |
If the number of days until the password expires is less than the value specified, a page showing the remaining days is displayed.
The notification message is localizable; in order to be properly interpreted by the system, make sure that the text is a JSON array.
To customize the notification message, add the following secret in Vault:
Key Path | Key Name | Key Value |
---|---|---|
kv/<environment>/<application>/app-settings | core-setting-ebsauth-password-about-to-expire-meesage | [{'en-GB':'Password will expire in {10} days.'},{'ro-RO': 'Parola va expira in {10} zile.'}] |
When the language is set to Romanian the message will be "Parola va expira in {10} zile.", where {10} is replaced with the number of days until the password expires.
The Server SDK function usersAboutToExpirePasswords(int passwordExpireDaysMax) returns the list of users whose password will expire in 'passwordExpireDaysMax' days or less.
Skipping the password expiry rule for specific security roles
To exempt users who hold specific security roles from password expiry, add the following secret:
Key Path | Key Name | Key Value |
---|---|---|
kv/<environment>/<application>/app-settings | core-setting-ebsauth-password-expired-excepted-role | securityRole |
Users with the security role specified in the value will never be required to reset their password by the password expiry rule.
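The five settings above interact (minimum age, expiry, history depth, the about-to-expire threshold and the excepted role), and the documented fallbacks for empty, zero, negative or missing values are easy to get wrong. The following Python model is an added example, not FintechOS code: it applies the documented parsing rules to a set of `core-setting-ebsauth-password-*` values and evaluates them against a user record, so you can check what a proposed secret will actually do before writing it to Vault. The user record shape, the PBKDF2 hashing of the password history, the constructed sample values and all function names are assumptions; the message value is written with double quotes so that a strict JSON parser accepts it (whether the platform also tolerates the single-quoted form shown above is not stated on this page).

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta, timezone

MAX_AGE_CAP_DAYS = 999  # documented ceiling for password-max-age

# Constructed sample of the app-settings secret; values are illustrative only.
SAMPLE_SETTINGS = {
    "core-setting-ebsauth-password-min-age": "24",
    "core-setting-ebsauth-password-max-age": "30",
    "core-setting-ebsauth-password-history-depth": "5",
    "core-setting-ebsauth-password-about-to-expire-days-until-expiration": "10",
    "core-setting-ebsauth-password-expired-excepted-role": "ServiceAccount",
}
# Constructed message value, double-quoted so json.loads accepts it.
SAMPLE_MESSAGE = ('[{"en-GB":"Password will expire in {10} days."},'
                  '{"ro-RO":"Parola va expira in {10} zile."}]')


def _int_setting(settings, key):
    """Missing, empty or non-numeric values collapse to 0, as the page documents."""
    try:
        return int(str(settings.get(key) or "").strip())
    except ValueError:
        return 0


def parse_policy(settings):
    """Normalise raw key values into an effective policy; 0 means the rule is off."""
    max_age = _int_setting(settings, "core-setting-ebsauth-password-max-age")
    role = str(settings.get("core-setting-ebsauth-password-expired-excepted-role") or "").strip()
    return {
        "min_age_hours": max(0, _int_setting(settings, "core-setting-ebsauth-password-min-age")),
        "max_age_days": min(max_age, MAX_AGE_CAP_DAYS) if max_age > 0 else 0,
        "history_depth": max(0, _int_setting(settings, "core-setting-ebsauth-password-history-depth")),
        "warn_days": max(0, _int_setting(
            settings, "core-setting-ebsauth-password-about-to-expire-days-until-expiration")),
        "excepted_role": role or None,
    }


def can_change_now(policy, changed_at, now):
    """Minimum age: the current password must be at least min_age_hours old."""
    return now - changed_at >= timedelta(hours=policy["min_age_hours"])


def days_until_expiry(policy, changed_at, roles, now):
    """None when expiry does not apply (feature off, or user holds the excepted role)."""
    if policy["max_age_days"] == 0 or policy["excepted_role"] in roles:
        return None
    return (changed_at + timedelta(days=policy["max_age_days"]) - now).days  # < 0 once expired


def is_expired(policy, changed_at, roles, now):
    remaining = days_until_expiry(policy, changed_at, roles, now)
    return remaining is not None and remaining < 0


def should_warn(policy, changed_at, roles, now):
    """The about-to-expire page is shown when remaining days < warn_days."""
    remaining = days_until_expiry(policy, changed_at, roles, now)
    return remaining is not None and 0 <= remaining < policy["warn_days"]


def _digest(password, salt):
    # Assumed storage format for the history: salted PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def record_password(history, password):
    """Prepend a salted hash; history is newest-first so slicing yields the recent ones."""
    salt = os.urandom(16)
    return [(salt, _digest(password, salt))] + list(history)


def new_password_allowed(policy, candidate, history):
    """Reject a candidate that matches any of the last history_depth passwords."""
    for salt, digest in history[:policy["history_depth"]]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            return False
    return True


def expiry_message(raw_json_array, culture, days, fallback="en-GB"):
    """Pick the template for the culture and substitute the {10} day placeholder."""
    table = {}
    for entry in json.loads(raw_json_array):
        table.update(entry)
    template = table.get(culture) or table[fallback]
    return template.replace("{10}", str(days))


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_SETTINGS)
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    changed = now - timedelta(days=25)  # constructed user record
    remaining = days_until_expiry(policy, changed, ["Analyst"], now)
    print(policy, "| may change now:", can_change_now(policy, changed, now))
    if should_warn(policy, changed, ["Analyst"], now):
        print(expiry_message(SAMPLE_MESSAGE, "ro-RO", remaining))
```

Run it against the exact values you intend to store: a `password-max-age` of 0 or a blank string silently disables expiry, `5000` is capped to 999, and a user holding the excepted role never reaches the expiry or warning checks at all, which is why that role should be granted sparingly.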