Account policies

User account policies on EclecticIQ Intelligence Center allow you to set password requirements and other policies to regulate how users authenticate.

Configure user account policies by going to Settings > System settings > Account policy.

Caution

These options only affect local user accounts provisioned directly in the EclecticIQ Intelligence Center user database. User accounts provisioned through external authentication systems such as LDAP and SAML are not affected by them.

Avoid mixing local user accounts and user accounts provisioned through external authentication systems in the same EclecticIQ Intelligence Center instance.

See Managing external users.

Account policy options

Select Edit account policy to change account policy options.

Once you’ve finished editing account policy options, select Save to save your changes.

Account policy options available:

Password

Minimum length (default: 10 characters)
    Set a minimum number of characters for new passwords.

At least one number (default: Yes)
    If enabled, new passwords must contain at least one number ([0-9]).

At least one special character (default: Yes)
    If enabled, new passwords must contain at least one special character ([!@#$%^&*(),.?":{}|<>]).

At least one capital letter (default: Yes)
    If enabled, new passwords must contain at least one upper-case letter ([A-Z]).

By default, users cannot set passwords that:

These defaults cannot be changed.

Locked account

Maximum number of failed attempts (default: 5)
    Set the number of times a user can fail to authenticate before their account is locked.
    Locked accounts must be unlocked by an administrator to restore access.
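The lockout rule above, shown as a small in-memory tracker. This is an added example, not EclecticIQ's own code: the class and method names are assumptions, the default of 5 attempts is the one the page gives, and the constructed attempt sequence at the bottom stands in for real login events. It shows the two properties the text states: the account locks on the fifth consecutive failure, and a correct password afterwards does not get in until an administrator unlocks it.

```python
"""Failed-login lockout tracker (added example, not EclecticIQ's own code).

Mirrors the "Maximum number of failed attempts" policy: after
`max_failed_attempts` consecutive failures the account is locked and stays
locked until an administrator unlocks it. Names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class AccountState:
    username: str
    failed_attempts: int = 0
    locked: bool = False


class LockoutPolicy:
    """Tracks consecutive failures per local account and enforces the lock."""

    def __init__(self, max_failed_attempts: int = 5):  # page default: 5
        self.max_failed_attempts = max_failed_attempts
        self._accounts: dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState(username))

    def is_locked(self, username: str) -> bool:
        return self._state(username).locked

    def record_failure(self, username: str) -> bool:
        """Record one failed authentication; return True if the account is now locked."""
        st = self._state(username)
        if st.locked:
            return True
        st.failed_attempts += 1
        if st.failed_attempts >= self.max_failed_attempts:
            st.locked = True
        return st.locked

    def record_success(self, username: str) -> bool:
        """Record a correct password. A locked account still does not get in and
        its counter is not reset, so only an administrator can restore access."""
        st = self._state(username)
        if st.locked:
            return False
        st.failed_attempts = 0
        return True

    def admin_unlock(self, username: str) -> None:
        """Administrator action: clear the lock and the failure counter."""
        st = self._state(username)
        st.locked = False
        st.failed_attempts = 0


def simulate(policy: LockoutPolicy, username: str, attempts: list[bool]) -> list[str]:
    """Replay a sequence of attempts (True = correct password); return each outcome."""
    outcomes = []
    for ok in attempts:
        if policy.is_locked(username):
            outcomes.append("locked")
        elif ok and policy.record_success(username):
            outcomes.append("success")
        else:
            outcomes.append("locked" if policy.record_failure(username) else "failed")
    return outcomes


if __name__ == "__main__":
    p = LockoutPolicy()
    # Constructed sequence: five wrong passwords, then the right one (still locked).
    print(simulate(p, "alice", [False] * 5 + [True]))
```

A successful login resets the counter, so only consecutive failures count; a lock event is also the natural point to raise an alert, since five straight failures on a local account is a useful signal for a monitoring team.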

Two factor authentication (2FA)

Users can only log in if they have configured two factor authentication (default: No)
    When set to Yes, requires all users to set up two factor authentication (2FA) for their account the next time they log in, if they have not already set it up.

Allow users to choose the option “Do not ask me for N days” (default: Yes)
    When set to Yes, a “Do not ask me for N days” option is offered when a user is asked to sign in with their two factor authentication code. Users who select it can sign in without providing a two factor authentication code for N days.

Number of N days (default: 14)
    Available only if Allow users to choose the option “Do not ask me for N days” is selected. Set the number of days (N) in “Do not ask me for N days”.
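One way a “Do not ask me for N days” option can be implemented safely, as an added example that is not EclecticIQ's code and does not describe how the Intelligence Center stores this choice: after a successful 2FA check the server hands the browser an HMAC-signed token that carries the user name and an expiry N days out, and a later login accepts that token in place of a fresh one-time code only while the signature verifies and the expiry has not passed. The key, the token layout and the function names are assumptions; the 14-day default is the page's.

```python
"""'Do not ask me for N days' token (added example, not EclecticIQ's own code).

Token = base64url( JSON claims || HMAC-SHA256(secret, claims) ). The claims
bind the token to one user and one expiry time. Key and layout are assumptions.
"""
import base64
import hashlib
import hmac
import json

REMEMBER_DAYS = 14      # page default for "Number of N days"
SIG_LEN = 32            # HMAC-SHA256 digest length


def issue_remember_token(secret: bytes, username: str, now: float, days: int = REMEMBER_DAYS) -> str:
    """Bind the token to the user and an expiry, then sign it with HMAC-SHA256."""
    claims = {"u": username, "exp": int(now + days * 86400)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def remember_token_valid(secret: bytes, token: str, username: str, now: float) -> bool:
    """True only if the signature verifies, the user matches and the token has not expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return False
    if len(raw) <= SIG_LEN:
        return False
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False
    claims = json.loads(payload)                 # safe: only signed JSON reaches here
    return claims.get("u") == username and now < claims.get("exp", 0)


if __name__ == "__main__":
    key = b"constructed-example-secret"          # constructed; use a random server key in practice
    t0 = 1_700_000_000.0
    tok = issue_remember_token(key, "alice", t0)
    print(remember_token_valid(key, tok, "alice", t0 + 13 * 86400))   # within N days
    print(remember_token_valid(key, tok, "alice", t0 + 14 * 86400))   # expired
```

Because the expiry lives inside the signed payload, a client cannot extend its own N days; lowering the “Number of N days” setting takes effect for tokens issued afterwards, and rotating the server key invalidates every outstanding token at once.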

Appendix

Storing passwords and other credentials

EclecticIQ Intelligence Center stores passwords and credentials in two ways:

  • Environment variables store mainly credentials for access to external systems and services, as well as deployment-specific data such as hostnames, ports, and URIs.

  • The PostgreSQL database stores hash values of Intelligence Center user passwords. Passwords are hashed with the pbkdf2:sha256 algorithm.

    The database also stores secrets for access to third-party APIs. This data is never exposed through the EclecticIQ Intelligence Center API.

General password guidelines

Follow these guidelines to define a strong password:

  • It should be between 10 and 64 characters long.

  • It should contain at least one uppercase alphabetic character.

  • It should contain at least one special character.

  • It should contain at least one number.

  • It should not reuse a previous password; the user password history records the previous 100 passwords.

  • It should not be on NBP, the NIST Bad Passwords list.

  • It should not include the user name it is associated with.

For more information, see the NIST digital identity guidelines.
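The configurable rules from the Password table and the guidelines in this section, combined into one checker. This is an added example, not EclecticIQ's code: the option names, the 64-character maximum taken from the guidelines, the case-insensitive user-name check and the tiny constructed blocklist (a stand-in for the NIST Bad Passwords list) are assumptions; the character classes for number, special character and capital letter are exactly the ones the page lists. The history check is delegated to a caller-supplied callable so that it can run over stored hashes.

```python
"""Password policy checker (added example, not EclecticIQ's own code).

Option names, the constructed blocklist and the 64-character ceiling are
assumptions; the character classes are the ones listed on the page.
"""
import re
from typing import Callable, Iterable

SPECIAL_CHARS = set('!@#$%^&*(),.?":{}|<>')   # the set given on the page

DEFAULT_POLICY = {                             # defaults from the Account policy table
    "minimum_length": 10,
    "require_number": True,
    "require_special": True,
    "require_capital": True,
}
MAX_LENGTH = 64                                # from the general guidelines

# Constructed stand-in for the NIST Bad Passwords list.
BAD_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def check_password(
    password: str,
    username: str,
    policy: dict = DEFAULT_POLICY,
    blocklist: Iterable[str] = BAD_PASSWORDS,
    in_history: Callable[[str], bool] = lambda pw: False,
) -> list[str]:
    """Return the violated rules; an empty list means the password is acceptable.
    `in_history` is supplied by the caller, e.g. a lookup over the stored hashes."""
    problems = []
    if not policy["minimum_length"] <= len(password) <= MAX_LENGTH:
        problems.append(f"length must be {policy['minimum_length']}-{MAX_LENGTH} characters")
    if policy["require_number"] and not re.search(r"[0-9]", password):
        problems.append("needs at least one number")
    if policy["require_special"] and not any(c in SPECIAL_CHARS for c in password):
        problems.append("needs at least one special character")
    if policy["require_capital"] and not re.search(r"[A-Z]", password):
        problems.append("needs at least one capital letter")
    if username and username.lower() in password.lower():   # case-insensitive by assumption
        problems.append("must not contain the user name")
    if password.lower() in {b.lower() for b in blocklist}:
        problems.append("is on the bad-password list")
    if in_history(password):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    # Constructed inputs: one acceptable password and one that breaks several rules.
    print(check_password("Correct.Horse!7", "alice"))
    print(check_password("alicepassword", "alice"))
```

Returning every violated rule at once, rather than stopping at the first, lets the sign-up form tell the user everything that has to change; note that a hyphen is not in the page's special-character set, so a password like `Correct-Horse-7` would fail the special-character rule under these settings.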

Lock, unlock, force password reset

For ways to directly interact with a user account (e.g. to lock a user account or to force a password reset), see Manage users.