farmerswife

Welcome
Login  Sign up

Setting up Password Policies

These new password policies apply "globally" to all "system owned" passwords.

fw Server-side within Setup:

- General tab > "Server Password"

- Users tab > each user > Modify User window > "Password"

- Projects tab > "Invoice / Close / Remove Password"

- Media Library > "Library Password"

- Financials > "Invoice Manager Password"

A new file named "default_password_policies.json" has been added to the farmerswife (fw) Server applications "system" folder, which is "text file in a JSON format". It can be opened and modified with any text edit program.

When editing this file, ensure you ONLY mark the default "0" values, and exchange these with your desired configuration.  

This file allows defining some password complexity rules for choosing a password, as well as configuring the option to lock users for a period of time after a specific amount of failed login attempts.

In Desktop Client > Toolbox > Settings > Server Setup, there is a new section called "Password Policies" showing the policies as configured from the file. Use the Reload button there to force apply changes from the file, to avoid restarting the server.

If the file is not a valid "JSON" or does not have the correct format, the fw Server application will re-load the built-in "default_password_policies.json" file, by overwriting any values changed on the previous no longer working file.

To configure your new "Password Policies", go to the fw Server's "system" folder and open the "default_password_policies.json" file. It contains this default text:


{

  "attempts": {

    "limit": 0,

    "lock": 0

  },

  "complexity": {

    "length": {

      "min": 0,

      "max": 0

    },

    "upper": 0,

    "lower": 0,

    "number": 0,

    "special": 0

  },

  "expiration": 0

}



The default for all options is "0" = OFF / disabled.

An explanation of these three configuration options:

Use 0 to disable.


1. "attempts" allows to configure both the allowed number of attempts to login and the following "lockout" time which the user (or "attacker") will have to wait to try and login again:

    attempts > limit: the number of login attempts

    attempts > lock: the number of seconds the account will remain locked


2. "complexity" allows to configure these "complexity rules" for the password:

    complexity > length > min: minimum number of characters the password should have

    complexity > length > max: maximum number of characters the password should have

    complexity > upper: number of upper case characters the password should have

    complexity > lower: number of lower case characters the password should have

    complexity > number: number of numeric characters the password should have

    complexity > special: number of special characters the password should have


IMPORTANT: These are the 14 supported and usable "special characters" on version 6.4: !@#$%^&*()_+/ and space


3. "expiration" allows to configure when the password will expire:

    expiration: number of days before the password should expire


To activate this functionality:

Once an "expiration > number of days ..." is configured, all "Active=Yes" users will be prompted to change their password on next login.

When connecting via fw Desktop Client application, the user will first get prompted to change the password and as he clicks "OK", he is presented with the set "Password Policy" rules. All set requirements first have to be met, before using the "OK" button will allow access to the system.

When connecting via iOS farmerswife app, Web Client or Mobile Web Client, the users can only be informed about the required "Password Policies" after the first attempt to set a new password.

Changing the password via the Modify User window (either through Server > Setup > Users tab, or Desktop Client > Object Manager), or via the Modify Password (Desktop Client > Settings > Miscellaneous, also presents the set "Password Policy" rules.

In Desktop Client > Toolbox > Settings > Miscellaneous > next to Modify Password, the user can see info on when password expires.

Did you find it helpful? Yes No