Password Policy and Configuration
Password Policy
The "out-of-the-box" version includes a password policy that requires passwords to be at least 8 characters long and contain numbers (0-9) and both uppercase and lowercase letters. When the policy is disabled, the system enforces two restrictions:
The password must be at least 6 characters long.
The password cannot consist solely of whitespace characters such as space, tab, newline, and others.
Enabling or disabling the policy applies only to new passwords. Previously created passwords will remain valid.
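The two modes above, written out as a checker (an added example, not the platform's own code): with the policy enabled a password needs at least 8 characters plus a digit, an uppercase and a lowercase letter; with it disabled only the 6-character minimum and the whitespace rule apply. The function returns every rule the password breaks rather than stopping at the first one.

```python
"""Password checks for the two policy modes described in the text.

Added example, not the platform's code. Rules, taken from the page:
policy enabled  -> at least 8 characters, at least one digit (0-9),
                   at least one uppercase and one lowercase letter.
policy disabled -> at least 6 characters, not made up solely of whitespace.
"""

DIGITS = "0123456789"


def policy_violations(password: str, policy_enabled: bool = True) -> list[str]:
    """Return the rules the password breaks; an empty list means it is accepted."""
    problems: list[str] = []
    if policy_enabled:
        if len(password) < 8:
            problems.append("shorter than 8 characters")
        if not any(c in DIGITS for c in password):
            problems.append("no digit (0-9)")
        if not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if not any(c.islower() for c in password):
            problems.append("no lowercase letter")
    else:
        if len(password) < 6:
            problems.append("shorter than 6 characters")
        # str.strip() removes space, tab, newline and other Unicode whitespace,
        # so an all-whitespace password strips down to the empty string
        if password.strip() == "":
            problems.append("consists solely of whitespace")
    return problems


if __name__ == "__main__":
    for pw, enabled in [("Passw0rd", True), ("password", True), ("      ", False)]:
        print(repr(pw), "policy enabled" if enabled else "policy disabled",
              policy_violations(pw, enabled) or "accepted")
```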
Login Attempt Settings
The "out-of-the-box" platform version is configured to throttle authentication attempts after an incorrect login and/or password is entered.
By default, every second failed login attempt increases the lockout time by 5 seconds, so the wait before the next login attempt keeps growing with each subsequent failure.
After three failed login attempts, and after every second subsequent attempt, the Log in button will be disabled.
Read more about the authorization and delay intervals in the Authorization properties article.
Password Retrieval
There are several ways to set up password retrieval:
- To set up a password reset via the "out-of-the-box" authorization widget, use the necessary system properties.
- If a custom widget is used for authorization, set the corresponding parameter of the <authfull> SimpleTag.
- You can also change a user's password in their record. You can combine this with logging the user out on all devices.
Authorization widget
Enable password retrieval
Enable the simple.passwordreset.enabled system property to show the password retrieval link on the portal login page, then perform the following steps:
- Navigate to Portal Structure → Widget Instance.
- Open the Authorization Widget record.
- Edit the Schema option values field:
- Set the passwordResetEnabled option to true.
The password reset email contains the following link:
<a href="{instance.uri.without.scheme}/new-password/{password.reset.token}">Your new password</a>
Specify the password.reset.token value in the Password reset token field for the user who requested the password reset.
Use simple.user.password_reset_token_expiry property to define the password reset expiration period in seconds. To set up the period, complete the following steps:
- Navigate to System Properties → All Properties.
- Find the simple.user.password_reset_token_expiry property using the list search boxes and open it.
- In the Value field, specify the expiration time in seconds.
- Click Save or Save and exit to apply changes.
The following messages appear on the widget in case the password retrieval failed:
- Access denied. This error occurs when attempting to retrieve a password on the /reset-password page with the simple.passwordreset.enabled system property disabled.
- Wrong password reset token. This error occurs when attempting to reset a password after the expiration of the reset token. Set the life period of the token in the simple.user.password_reset_token_expiry property.
Resetting the password on the /reset-password page deletes all of the user's tokens. Consequently, all of their sessions get terminated.
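The reset flow just described, modelled as an added example (not the platform's code): the reset is refused with "Access denied" when the feature is off, an expired or mismatched token is rejected as "Wrong password reset token", and a successful reset consumes the token and deletes every session token the user holds. The expiry period, the single-token-per-user store and the session set are assumptions of this model, not details taken from the platform.

```python
"""Model of the password-reset checks described above.

Added example, not platform code. Assumed data model: one reset token per
user, expiring after the configured number of seconds (the role played by
simple.user.password_reset_token_expiry), plus a set of session tokens per
user that a successful reset clears.
"""
import hmac
import secrets

ACCESS_DENIED = "Access denied"
WRONG_TOKEN = "Wrong password reset token"
RESET_OK = "Password reset"


class PasswordResetModel:
    def __init__(self, reset_enabled: bool, token_expiry_seconds: int) -> None:
        self.reset_enabled = reset_enabled            # simple.passwordreset.enabled
        self.token_expiry_seconds = token_expiry_seconds
        self.reset_tokens: dict[str, tuple[str, float]] = {}  # user -> (token, expires_at)
        self.sessions: dict[str, set[str]] = {}               # user -> active session tokens

    def open_session(self, user: str) -> str:
        """Record a new login session for the user and return its token."""
        session = secrets.token_urlsafe(16)
        self.sessions.setdefault(user, set()).add(session)
        return session

    def issue_reset_token(self, user: str, now: float) -> str:
        """Create the token that goes into the /new-password/{token} link."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[user] = (token, now + self.token_expiry_seconds)
        return token

    def reset_password(self, user: str, presented: str, now: float) -> str:
        """Return the outcome message for a reset attempt at time `now`."""
        if not self.reset_enabled:
            return ACCESS_DENIED
        stored = self.reset_tokens.get(user)
        if stored is None:
            return WRONG_TOKEN
        token, expires_at = stored
        # Constant-time comparison; an expired token is reported like a bad one.
        if now > expires_at or not hmac.compare_digest(token, presented):
            return WRONG_TOKEN
        del self.reset_tokens[user]     # the token is single use
        self.sessions[user] = set()     # all of the user's tokens are deleted
        return RESET_OK
```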
Edit the email body regarding the changed password
Edit the email.reset_password.subject and email.reset_password.email_body system property values to change the password retrieval email subject and body.
Use the email.reset_password.unchanged_password property to edit the body of the email about an unchanged password.
To change system values, follow the steps below:
- Navigate to System Properties → All Properties.
- Find the property you need using the list search boxes and open it.
- Edit the Value field.
- Click Save or Save and exit to apply changes.
Change the link text
To change the Forgot Password link text, edit translations of the relevant source message. To do so, complete the steps below:
- Navigate to System Localization → Source Message.
- Find the necessary source message using the list search boxes.
- In the Related Lists area, select the Messages tab, then open the message record or use the inline-edit functionality to edit messages.
- If you open the message form, click Save or Save and exit.
Do NOT change the Source Message value when editing messages. Otherwise, it may lead to errors.
Customize the SimpleTag
To set up a custom authorization widget, perform the following steps:
- Open the custom login widget record.
- In the <authfull> tag, set isResetPassword = true to enable password retrieval. The default value of the parameter is false.
As a result, the widget form will contain a password reset link.
Change password in a user record
You can change a user's password in their record. To do so, follow these steps:
- Navigate to User Administration → Users → the required User record.
- Enter a new password in the Password field.
- If needed, select the Log out on all devices checkbox.
- Click Save or Save and Exit to apply the changes.
The user will be notified of the password change by email.
Log out on all devices
The Log out on all devices checkbox appears when you change the value in the Password field.
- If you select this checkbox and apply the changes, the user will be logged out from their account on all the devices where they have an active session. All of their tokens will be deleted. The system will redirect the user to the login page so that they can log in with the new password.
- If you change the password without selecting the checkbox, all of the current user sessions will continue. The user will only need to log in with their new password after they log out or the current sessions expire.