Password policy

Introduction

A strong password is the first-level defense against any unwarranted intrusion or breach. Therefore, it is imperative to have a very strong password meeting the criteria set by the admin/security team. The password policy must be strictly enforced as a necessary security measure and as a first-level protection. The following is the password criteria that should be met by all users of your tenant.

Requirements

The user must have Admin access to make these changes. These features apply to Employees, Client portal users, and API users.

Steps to set new password policy with the new UI

Admins can now set password and account policies for their tenant users. Navigate to Admin > Security > Password Policy. The following steps outline how to set the policy in the new UI.

Login Attempts

  1. Number of consecutive failed login attempts allowed before disabling account: Enter 5. You can customize this number.
  2. Length of time to disable account after max login failure exceeded: Enter 30 mins. This is the default duration. You can customize this duration. A value of zero will throw a validation error.

Password Strength

  1. Require password change every 180 days. You can customize this. Also, admin users do not have to mandatorily set this. Admin users can leave this box blank.
  2. Enforce minimum password length 8 characters. You can customize this.
  3. Prohibit password reuse for 5 passwords. You can customize this.
  4. Click Save. A success message will appear at the top when you save the changes.

Character Requirements

The Password Policy page in the UI lists the character requirements in detail.

Password criteria

Length

  • Password's length must be a minimum of 8 characters. A validation error is shown if the minimum value is not met.

Permitted characters

  • Password must contain at least one uppercase letter, one lowercase letter, one digit, and one special character. (See the Password Policy page in the UI for the list of accepted special characters.)

Forbidden words/characters

  • Password must not contain the username, first name, last name, or dictionary words, and must not contain consecutive duplicate characters.
  • Password must not contain 8 characters identical to those in the previous password.

Password reuse

  • The last 5 passwords should not be reused.

Password rotation

  • By default, password rotation can be enforced for 180 days. Admins can change this. However, this field is not a mandatory setting. Admin users have the option of leaving this field blank.

Account lockouts

  • There is a limit of 5 wrong password attempts before the user is locked out. By default, the account will be locked for 90 minutes.

Users will be emailed if their account has been locked out. Users can wait for the specified time or contact the admin to unlock the account.
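The rules above (length, character classes, forbidden content, reuse history, similarity to the previous password, and lockout after repeated failures) are what a tenant's own code would need to implement if it validated passwords before calling the product. The following is an added example written for this page, not code from the product or its vendor. The special-character list, the dictionary word list, the use of PBKDF2 for the history hashes, and the reading of "8 like characters" as "8 characters in common, counted with multiplicity" are all assumptions; the numeric defaults are the ones quoted on the page.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# Defaults quoted on the page (5 attempts, 30 min lock, 8 chars, last 5 passwords);
# the page says each is configurable per tenant.
MIN_LENGTH = 8
REUSE_HISTORY = 5
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 30 * 60
SHARED_CHAR_LIMIT = 8
# Assumed special-character set; the real list is shown on the Password Policy page.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.?/")
# Constructed stand-in for a dictionary check; a deployment would load a real word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "monkey"}


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def hash_password(password):
    """Salted PBKDF2 hash stored as salt || digest, so the reuse history never keeps plaintext."""
    salt = os.urandom(16)
    return salt + _derive(password, salt)


def matches_hash(password, stored):
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(_derive(password, salt), digest)


def shared_char_count(a, b):
    """Characters the two strings have in common, counted with multiplicity.
    Treating the page's '8 like characters' rule this way is an assumption."""
    return sum((Counter(a) & Counter(b)).values())


def validate_password(candidate, username, first_name, last_name,
                      previous_hashes, previous_password=None):
    """Return the list of policy rules the candidate violates; an empty list means accepted.
    previous_password is the current password the user typed during a change, if available."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("missing an uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("missing a lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("missing a digit")
    if not any(c in SPECIAL_CHARS for c in candidate):
        problems.append("missing a special character")
    lowered = candidate.lower()
    for label, value in (("username", username), ("first name", first_name), ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains the {label}")
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if re.search(r"(.)\1", candidate):          # same character twice in a row
        problems.append("contains consecutive repeated characters")
    if any(matches_hash(candidate, h) for h in previous_hashes[-REUSE_HISTORY:]):
        problems.append(f"matches one of the last {REUSE_HISTORY} passwords")
    if previous_password is not None and shared_char_count(candidate, previous_password) >= SHARED_CHAR_LIMIT:
        problems.append(f"shares {SHARED_CHAR_LIMIT} or more characters with the previous password")
    return problems


class LockoutTracker:
    """Counts consecutive failed logins per user and locks the account once
    MAX_FAILED_ATTEMPTS is reached; the lock expires after LOCKOUT_SECONDS."""

    def __init__(self):
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> unix time at which the lock expires

    def is_locked(self, username, now):
        return self._locked_until.get(username, 0) > now

    def record_failure(self, username, now):
        """Register one failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(username, now):
            return True
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures[username] = 0   # counter restarts once the lock expires
            return True
        return False

    def record_success(self, username):
        self._failures.pop(username, None)
```

The validator returns every violated rule rather than stopping at the first one, which matches how the product surfaces validation errors to the user; the lockout tracker takes the current time as a parameter so it can be tested without sleeping.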

Setting a policy with the current UI

Set the options as described in the image above and click Save. This keeps you compliant until the new policy takes effect on Dec 10th. A success banner will appear at the top when the changes are saved successfully.

Modules

This change is implemented in the following places.

  • New Tenant signups

  • New User setup

  • Reset password page

  • Forgot password page

  • Client portal user creation and reset

  • Support accounts

  • Outbound logs

  • Templates

New tenant signups

When a new MSP is onboarded to BMS, they will have to activate their tenant. The customer will receive an email with tenant details and activation instructions.

Activation link screen

  • The Signup email contains the tenant's name, the username, and the Activation link.
  • The root user/tenant admin enters their first and last name, sets a password, and signs up to the tenant.
  • Once the account is created, the user will be logged in to BMS.
  • The activation link will automatically expire in 7 days.
  • Password should meet the policy requirements set by the admin of your tenant.

New user/Client Portal setup

  • When an admin creates a new employee via HR/API, the employee will no longer receive the password by email.
  • They will receive a create-password link which will be active for 24 hours.
  • Users will click on the link and be prompted to set a new password.
  • Password should meet the policy requirements set by the admin of your tenant.
  • The same applies to contacts created as Client portal users under CRM > Contacts > Client portal user: Yes.

Reset/Forgot Password page

Forgot password

Users can change their password using the reset password screen.

  • On the login screen, click on Forgot password, and enter user details.
  • They will receive a create-password link which will be active for 24 hours.
  • Users will click on the link and be prompted to set a new password.
  • Password should meet the policy requirements set by the admin of your tenant.

Admin reset

Admins of your tenant can send reset instructions from:

  • HR > Employees > Select employee > Reset and Send instructions
  • CRM > Contacts > Client portal user: Yes > Choose contact > Reset and Send instructions

The end user will receive email instructions.

Support accounts

When the user enables a support account for their tenant, an email with the following data will be sent to the Kaseya technicians who work on their issue.

  • The system will send an encrypted link that will auto-login Kaseya technicians.

    • Anyone who has access to the link can click on it and auto-login. The link will expire once the activation time set by the customer is reached. Support will have to re-request to enable the account.

    • The expiry duration will be part of the email.
  • The process for enabling a support account is unchanged.

    • Admin > My Company > Company Settings > Support User > Activate

Outbound Email

  • For every email sent for new user creation, password reset, or a support account, a corresponding log is created in Admin > Logs > Outbound Email.
  • The email will contain the same instructions and the password reset link.
  • Users with the SSO authentication type will not receive any emails.
  • MFA setup will have no change.

Email Templates

Admin > Business Process > Email templates

  • The %Password% field will be automatically replaced with the reset link. Anyone using a template that contains the Password field will see the reset link on their end.
  • These templates can be used under Admin > My Company > Company Settings > User account.

API users

Users with API user type access can now create a password of their choice using the reset password screen.

  • Navigate to the gateway link, enter your username and choose reset password, OR
  • Admins can select the API user and choose Reset and Send instructions.
  • API users will receive the link to change or create the password.
  • Create your new password and use it to authenticate your API calls.
  • The API user type will not be able to log in to the system. UI access is limited to the reset/create password screen.
  • API users will need to have a valid email for this to succeed.