# Account policies
User account policies on EclecticIQ Intelligence Center allow you to set password requirements and other policies to regulate how users authenticate.
Configure user account policies by going to Settings > System settings > Account policy.
Caution: these options only affect local user accounts provisioned directly in the EclecticIQ Intelligence Center user database. User accounts provisioned through external authentication systems such as LDAP and SAML are not affected by these options. Avoid mixing local user accounts and user accounts provisioned through external authentication systems in one EclecticIQ Intelligence Center instance.
## Account policy options
Select Edit account policy to change account policy options.
Once you’ve finished editing account policy options, select Save to save your changes.
Account policy options available:

### Password

| Policy | Description |
|---|---|
| Minimum length | Default: 10 characters. Set a minimum number of characters for new passwords. |
| At least one number | Default: Yes. If enabled, new passwords must contain at least one number ( |
| At least one special character | Default: Yes. If enabled, new passwords must contain at least one special character ( |
| At least one capital letter | Default: Yes. If enabled, new passwords must contain at least one upper-case letter ( |

By default, users cannot set passwords that:

- are one of their previous passwords;
- are on the NIST Bad Passwords list, based on guidance from NIST SP 800-63B.

These defaults cannot be changed.
### Locked account

| Policy | Description |
|---|---|
| Maximum number of failed attempts | Default: 5. Set the number of times a user can fail to authenticate before their account is locked. Locked accounts must be unlocked by an administrator to restore access. |
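The lockout rule in the table above, implemented as an added example (this is illustrative code, not the EclecticIQ Intelligence Center implementation): a per-account counter that locks after the documented default of five failed attempts, refuses further logins even with correct credentials, and is cleared only by an explicit administrator action. The `LockoutPolicy` class, the `lock_events` audit list and the account name `alice` are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class LockoutState:
    failed_attempts: int = 0
    locked: bool = False


class LockoutPolicy:
    """Per-account failed-login counter with an administrator-only unlock.

    Mirrors the documented default: five consecutive failures lock the
    account, and a locked account stays locked until an administrator
    unlocks it (there is no automatic expiry). Hypothetical helper, not
    the product's own code.
    """

    def __init__(self, max_failed_attempts: int = 5) -> None:
        self.max_failed_attempts = max_failed_attempts
        self._accounts: dict[str, LockoutState] = {}
        # Audit trail of accounts that reached the threshold; a real
        # deployment would emit these as log events for detection.
        self.lock_events: list[str] = []

    def _state(self, username: str) -> LockoutState:
        return self._accounts.setdefault(username, LockoutState())

    def is_locked(self, username: str) -> bool:
        return self._state(username).locked

    def record_attempt(self, username: str, credentials_ok: bool) -> bool:
        """Record one login attempt and return whether the login is allowed.

        A locked account is refused even when the credentials are correct,
        so guessing cannot continue once the threshold has been reached.
        """
        state = self._state(username)
        if state.locked:
            return False
        if credentials_ok:
            state.failed_attempts = 0  # a successful login resets the counter
            return True
        state.failed_attempts += 1
        if state.failed_attempts >= self.max_failed_attempts:
            state.locked = True
            self.lock_events.append(username)
        return False

    def admin_unlock(self, username: str) -> None:
        """Administrator action: clear the lock and the failure counter."""
        state = self._state(username)
        state.locked = False
        state.failed_attempts = 0


if __name__ == "__main__":
    policy = LockoutPolicy()
    for _ in range(5):
        policy.record_attempt("alice", credentials_ok=False)
    print("alice locked:", policy.is_locked("alice"))
    print("correct password accepted while locked:", policy.record_attempt("alice", True))
    policy.admin_unlock("alice")
    print("accepted after unlock:", policy.record_attempt("alice", True))
```

Note that the counter only resets on a successful login or an administrator unlock; four failures followed by a long pause still leave the account one failure away from being locked.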
### Two factor authentication (2FA)

| Policy | Description |
|---|---|
| Users can only log in if they have configured two factor authentication | Default: No. When set to Yes, requires all users to set up two factor authentication (2FA) for their account the next time they log in, if they have not already set it up. |
| Allow users to choose the option “Do not ask me for N days” | Default: Yes. When set to Yes, provides a “Do not ask me for N days” option when a user is asked to sign in using their two factor authentication code. Users can then select “Do not ask me for N days” to allow them to sign in without needing to provide a two factor authentication code for |
| Number of N days | Default: 14. Available only if “Allow users to choose the option ‘Do not ask me for N days’” is selected. Set the number of days ( |
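One way a “Do not ask me for N days” option can be enforced server-side, as an added example that is not part of the original page or of the product: the server issues an HMAC-signed token bound to the user with an expiry N days out (14 by default, as in the table), and only a token with a valid signature, the right user and an unexpired timestamp lets the user skip the second factor. The token format, the `SERVER_KEY` value and the function names are assumptions made for the example.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed sample key for the example only; a deployment would load a
# random server-side secret from its configuration.
SERVER_KEY = b"constructed-example-secret-not-for-production"
SECONDS_PER_DAY = 86_400


def issue_remember_token(username: str, days: int = 14, key: bytes = SERVER_KEY,
                         now: float | None = None) -> str:
    """Create a signed 'do not ask me for N days' token for one user.

    Layout (assumed for this example): base64(payload) "." base64(HMAC-SHA256).
    """
    now = time.time() if now is None else now
    claims = {"u": username, "exp": int(now + days * SECONDS_PER_DAY)}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode("ascii") + "."
            + base64.urlsafe_b64encode(signature).decode("ascii"))


def second_factor_required(username: str, token: str | None, key: bytes = SERVER_KEY,
                           now: float | None = None) -> bool:
    """Return True if the user must present a 2FA code.

    Only a token that is well-formed, carries a valid signature, names this
    user and has not expired allows the code prompt to be skipped. Every
    failure path falls back to asking for the code.
    """
    now = time.time() if now is None else now
    if not token:
        return True
    try:
        payload_b64, signature_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        signature = base64.urlsafe_b64decode(signature_b64)
    except (ValueError, binascii.Error):
        return True
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return True  # tampered or forged token
    claims = json.loads(payload)
    if claims.get("u") != username:
        return True  # token issued for a different account
    return now >= int(claims.get("exp", 0))


if __name__ == "__main__":
    issued_at = time.time()
    token = issue_remember_token("alice", days=14, now=issued_at)
    print("code needed on day 13:", second_factor_required("alice", token, now=issued_at + 13 * SECONDS_PER_DAY))
    print("code needed on day 14:", second_factor_required("alice", token, now=issued_at + 14 * SECONDS_PER_DAY))
```

Keeping the expiry inside the signed payload means the N-day window cannot be extended by editing a cookie; changing the administrator setting for N only affects tokens issued after the change, so shortening N does not retroactively invalidate tokens already in circulation unless they are also tracked server-side.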
## Appendix

### Storing passwords and other credentials
EclecticIQ Intelligence Center stores passwords and credentials in two ways:

- Environment variables store mainly credentials to access external systems and services, as well as deployment-specific data such as hostnames, ports, and URIs.
- The PostgreSQL database stores hash values of Intelligence Center user passwords. Passwords are hashed with the pbkdf2:sha256 algorithm. The database also stores secrets to access third-party APIs. This data is never exposed through the EclecticIQ Intelligence Center API.
### General password guidelines

Follow these guidelines to define a strong password:

- It should be between 10 and 64 characters long.
- It should contain at least one uppercase alphabetic character.
- It should contain at least one special character.
- It should contain at least one number.
- It should not reuse a previous password. User password history logs the previous 100 passwords.
- It should not be on NBP, the NIST Bad Passwords list.
- It should not include the user name it is associated with.

For more information, see the NIST digital identity guidelines.
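The password policy from the “Password” table and the guidelines above, together with the pbkdf2:sha256 storage described in the previous section, as one added example (illustrative code, not the EclecticIQ Intelligence Center implementation): a checker that reports every rule a candidate password violates, including reuse of a previous password, which it detects by verifying the candidate against stored PBKDF2-HMAC-SHA256 hashes rather than keeping old passwords in clear. The `BAD_PASSWORDS` set is a constructed stand-in for the NIST Bad Passwords list, the stored-hash layout and the iteration count are assumptions (the page does not state them), and all function names are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Constructed stand-in for the NIST Bad Passwords (NBP) list; the real list is
# far larger and is not reproduced here.
BAD_PASSWORDS = frozenset({"password", "password1!", "qwerty123", "letmein", "welcome1"})

# Assumption: the page names pbkdf2:sha256 but not the iteration count.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: str | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password with PBKDF2-HMAC-SHA256 and a random per-user salt.

    Stored layout (assumed for the example, self-describing so verification
    can recover the parameters): "pbkdf2:sha256:<iterations>$<salt>$<hex>".
    """
    if salt is None:
        salt = os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("ascii"), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    method, salt, digest = stored.split("$", 2)
    _, algorithm, iterations = method.split(":")
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                    salt.encode("ascii"), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest)


def check_password_policy(candidate: str, username: str, previous_hashes: list[str],
                          min_length: int = 10, max_length: int = 64,
                          require_number: bool = True, require_special: bool = True,
                          require_capital: bool = True, history_size: int = 100) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.

    Defaults follow the documented ones: 10 characters minimum, a number, a
    special character and a capital letter required, and the last 100
    passwords kept in the history.
    """
    problems: list[str] = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(candidate) > max_length:
        problems.append(f"longer than {max_length} characters")
    if require_number and not re.search(r"\d", candidate):
        problems.append("has no number")
    if require_special and not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("has no special character")
    if require_capital and not re.search(r"[A-Z]", candidate):
        problems.append("has no capital letter")
    if candidate.lower() in BAD_PASSWORDS:
        problems.append("appears on the bad-password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the user name")
    # Only the most recent history_size entries count; each check is a full
    # PBKDF2 computation, so keep the history bounded.
    for stored in previous_hashes[-history_size:]:
        if verify_password(candidate, stored):
            problems.append("reuses a previous password")
            break
    return problems


if __name__ == "__main__":
    history = [hash_password("OldSecret#2023", iterations=1_000)]  # constructed sample
    for pw in ("OldSecret#2023", "alice-Rocks9!", "Password1!", "Str0ng&Unique!"):
        print(repr(pw), "->", check_password_policy(pw, "alice", history) or "OK")
```

The checker returns all violations at once so the user interface can report them together; the reuse check is deliberately last because it is the only rule that costs a PBKDF2 computation per history entry.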
### Lock, unlock, force password reset
For ways to directly interact with a user account (e.g. to lock a user account or to force a password reset), see Manage users.