Configure account policies#

Configure account policies to enforce strong user passwords and to prevent password tampering.

Intelligence Center administrators may want to configure security policies to mitigate bad practices such as weak user passwords or brute force password tampering.

They can use the Account policy section to define specific criteria Intelligence Center user account passwords need to satisfy to be valid, as well as the maximum number of failed sign-in attempts that triggers locking an account.

  • In the side navigation bar click Settings > System settings > Account policy.

  • In the Account policy view, click Edit settings.

  • In the Edit account policy settings view, edit and set the criteria defining valid passwords, and the account lock policy.

Caution

Account policy options and settings affect only Intelligence Center-managed user access.
They control only user accounts created through the EclecticIQ Intelligence Center user management feature.

If EclecticIQ Intelligence Center delegates user access management to an external authentication mechanism such as LDAP or SAML, Account policy options and settings are not available, because in this case account policy management relies on the external authentication mechanism.

It is preferable not to mix LDAP or SAML users with local users in the Intelligence Center.

If you create local users in EclecticIQ Intelligence Center, and then import LDAP or SAML users, LDAP or SAML users override the local ones.

About passwords#

Storing passwords and other credentials#

EclecticIQ Intelligence Center stores passwords and credentials in two ways:

  • Environment variables store mainly credentials to access external systems and services, as well as deploy-specific data such as hostname, ports, and URIs.

  • The PostgreSQL database stores hash values of Intelligence Center user passwords. Passwords are hashed with the pbkdf2:sha256 algorithm.

    The database also stores secrets to access third-party APIs. This data is never exposed through the EclecticIQ Intelligence Center API.

Password guidelines and limitations#

Follow these guidelines to define a strong password:

  • It should be between 10 and 64 characters long.

  • It should contain at least one uppercase alphabetic character.

  • It should contain at least one special character.

  • It should contain at least one number.

  • It should not reuse a previous password.

  • User password history logs the previous 100 passwords.

  • It should not be on NBP, the NIST Bad Passwords list.

  • It should not include the user name it is associated with.

For more information, see the NIST digital identity guidelines.

Set password criteria#

In the Password section of the view you can set the minimum password length, as well as any special characters a password must include to be valid.

Length – Minimum length: enter an integer to set the minimum length an account password must have to be valid.
The allowed integer range is 8 to 64 inclusive. A valid password cannot be shorter than 8 or longer than 64 characters.

Required characters: select one or more checkboxes to enable the corresponding password character requirements:

  • At least one number: select this checkbox to require a valid password to include one or more digits ([0-9]).

  • At least one special character: select this checkbox to require a valid password to include one or more special characters ([!@#$%^&*(),.?":{}|<>]).

  • At least one capital letter: select this checkbox to require a valid password to include one or more uppercase alphabetic characters ([A-Z]).
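The following is an added example, not EclecticIQ code, that turns the guidelines under "Password guidelines and limitations" and the settings under "Set password criteria" into one validator. The special-character set is the one listed on the page; the configurable minimum length is checked against the page's 8 to 64 range; the bad-password list here is a tiny constructed stand-in for the NIST list, and the password history is compared by hash rather than by plaintext (SHA-256 is used here only for the history lookup; the account password itself would be stored with pbkdf2:sha256 as the page describes). The `AccountPolicy` and `validate_password` names are this example's own.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Exactly the special characters listed on the page for "At least one special character".
SPECIAL_CHARS = set('!@#$%^&*(),.?":{}|<>')

# Constructed stand-in for the NIST Bad Passwords list; load the real list from a file.
BAD_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1!"}


@dataclass(frozen=True)
class AccountPolicy:
    """Mirror of the Account policy settings described on the page (names assumed)."""
    min_length: int = 10          # the page's guideline; the UI allows 8..64
    max_length: int = 64
    require_digit: bool = True    # "At least one number"
    require_special: bool = True  # "At least one special character"
    require_upper: bool = True    # "At least one capital letter"
    history_size: int = 100       # the page: history logs the previous 100 passwords

    def __post_init__(self) -> None:
        # The page states the minimum length must be between 8 and 64 inclusive.
        if not 8 <= self.min_length <= 64:
            raise ValueError("minimum length must be between 8 and 64 inclusive")


def history_entry(password: str) -> str:
    """Value kept in the (illustrative) reuse history instead of the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def validate_password(
    password: str,
    username: str,
    previous_entries: List[str],
    policy: Optional[AccountPolicy] = None,
) -> List[str]:
    """Return every violated rule; an empty list means the password is accepted.

    Reporting all failures at once lets the user fix them in one attempt instead
    of discovering the rules one rejection at a time.
    """
    policy = policy or AccountPolicy()
    problems: List[str] = []

    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append(
            f"length must be {policy.min_length}-{policy.max_length} characters"
        )
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("must contain a digit")
    if policy.require_special and not any(c in SPECIAL_CHARS for c in password):
        problems.append("must contain a special character")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("must contain an uppercase letter")
    # Case-insensitive so that "Alice" cannot dodge the rule with "ALICE".
    if username and username.lower() in password.lower():
        problems.append("must not contain the user name")
    if password.lower() in BAD_PASSWORDS:
        problems.append("appears on the bad-password list")
    # Only the most recent history_size entries count toward reuse.
    if history_entry(password) in previous_entries[-policy.history_size:]:
        problems.append("reuses one of the previous passwords")
    return problems


if __name__ == "__main__":
    print(validate_password("Str0ng!Passw0rd", "alice", []))          # []
    print(validate_password("alicepassword", "alice", []))            # several rules
```

The policy object is frozen so a validated configuration cannot drift after it is loaded, and the range check in `__post_init__` rejects a minimum length the page says the UI would never accept.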

Save options#

After configuring the account policy settings, you can save, discard, or reset your changes:

  • To store your changes, click Save; to discard them, click Cancel.

  • Click Reset settings to replace any custom settings with the default Intelligence Center configuration values for this section.

Note

When you modify or update the settings in Account policy, policy changes are applied Intelligence Center-wide.

After saving the account policy configuration changes, all Intelligence Center users receive a notification prompting them to change their passwords to comply with the updated account policy criteria.

Force a password reset#

An administrator, or a non-admin user with the read users and reset password permissions, can request a password reset for an account.

For example, this can occur if a user account is compromised.

To force a password reset:

  1. In the side navigation bar click Settings, and select User management.

  2. In the Users view, click More in the row corresponding to the user whose password you want to reset.

  3. Select Force password reset.

  4. If the user is currently logged in, they are automatically logged out, and they receive an email notification with instructions to reset and change their password.

    The user account status changes from Active to Password reset.

Alternatively:

  1. In the side navigation bar click Settings, and select User management.

  2. In the Users view, click anywhere in the row corresponding to the user whose password you want to reset.

    The Edit user view is displayed.

  3. In the top-right corner click More, and select Force password reset.

  4. If the user is currently logged in, they are automatically logged out, and they receive an email notification with instructions to reset and change their password.

    The user account status changes from Active to Password reset.

If the user is automatically logged out, a pop-up is displayed to notify them.

They need to reset their password before they can sign back in to the Intelligence Center.

Lock a user account#

Administrators can configure accounts to automatically lock users out after a predefined number of consecutive unsuccessful sign-in attempts.
This measure prevents account tampering, and it mitigates brute-force attacks.

To set accounts to automatically lock after repeatedly failing to sign in:

  1. In the side navigation bar click Settings, select System settings, and then click Account Policy.

  2. At the bottom of the Account Policy view, click Edit account policy.

  3. In the Edit account policy settings view, edit and set the criteria defining valid passwords, and the account lock policy.

  4. Under Locked account, enter an integer in the Maximum of failed attempts field to set the allowed maximum number of failed sign-in attempts for a user account.
    This setting defines how many consecutive failed sign-in attempts are allowed before the account is locked automatically.

    To unlock a locked account, users need to contact the Intelligence Center administrator for assistance.
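An added example, not EclecticIQ code, of the lockout semantics described above: the counter tracks consecutive failures, so a successful sign-in resets it; reaching the configured maximum locks the account; a locked account is refused even when the correct password is supplied; and only an explicit administrator unlock (the page's "contact the Intelligence Center administrator" step) restores access. The `LockoutPolicy` class and its method names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class AccountState:
    failed_attempts: int = 0   # consecutive failures since the last success or unlock
    locked: bool = False


class LockoutPolicy:
    """Lock an account after `max_failed` consecutive unsuccessful sign-in attempts."""

    ACCEPTED = "accepted"
    REJECTED = "rejected"
    LOCKED = "locked"

    def __init__(self, max_failed: int) -> None:
        if max_failed < 1:
            raise ValueError("Maximum of failed attempts must be at least 1")
        self.max_failed = max_failed
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def record_attempt(self, user: str, password_ok: bool) -> str:
        """Apply one sign-in attempt and return its outcome.

        `password_ok` is the result of the credential check; this class only
        decides whether the account may still be used.
        """
        state = self._state(user)
        if state.locked:
            # A locked account is refused regardless of the password supplied.
            return self.LOCKED
        if password_ok:
            state.failed_attempts = 0   # the limit applies to *consecutive* failures
            return self.ACCEPTED
        state.failed_attempts += 1
        if state.failed_attempts >= self.max_failed:
            state.locked = True
            return self.LOCKED
        return self.REJECTED

    def is_locked(self, user: str) -> bool:
        return self._state(user).locked

    def unlock(self, user: str) -> None:
        """Administrator action: clear the lock and the failure counter."""
        state = self._state(user)
        state.locked = False
        state.failed_attempts = 0


if __name__ == "__main__":
    policy = LockoutPolicy(max_failed=3)
    for ok in (False, False, True, False, False, False, True):
        print(policy.record_attempt("alice", ok))
    policy.unlock("alice")
    print(policy.record_attempt("alice", True))   # accepted
```

When building the sign-in response, return the same generic failure message for "wrong password" and "account locked" and deliver the lock notification through the user's email instead, so that the sign-in form does not reveal which accounts exist or which have been locked.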

Unlock a user account#

Intelligence Center administrators or non-admin users with the lock/unlock users permission can unlock locked user accounts to restore access to EclecticIQ Intelligence Center for the affected users.
To unlock a locked account:

  1. In the side navigation bar click Settings, and select User management.

  2. In the Users view, click More in the row corresponding to the user whose account you want to unlock.

  3. From the drop-down menu select Unlock.

When an administrator unlocks a user account, EclecticIQ Intelligence Center sends email notifications to confirm the action:

  • The administrator is notified that one or more user accounts have been unlocked, and that the corresponding users have regained access to EclecticIQ Intelligence Center.

  • The user is notified that their locked account has become unlocked, and that they can sign in to EclecticIQ Intelligence Center to resume their work as usual.