Sec/User Mgmt: Step 1: Configure Password Complexity

Document created by RSA Information Design and Development on Jul 28, 2016

Passwords are an important part of your network security strategy. They provide critical front-line protection for your computer systems and help prevent attacks and unauthorized access to private information. 

Password policies, designed to enhance the security of corporate networks, vary depending on the industry, corporate requirements, and regulations. Because of these password policy variations, Security Analytics software allows you to configure the password complexity requirements for internal Security Analytics users to conform to your corporate password policy guidelines.

Password complexity requirements apply only to internal users and are not enforced for external users. External users rely on their own methods and systems to enforce password complexity.  

Password Strength

Strong passwords make it more difficult for attackers to guess user passwords and help prevent unauthorized access to your organization's network. You can define the appropriate level of password strength for your Security Analytics users. When you configure the password strength settings, they apply to internal Security Analytics users, including the admin user.

You can choose to enforce any combination of the following password strength requirements when a Security Analytics user creates or changes their password:

  • Minimum password length
  • Minimum number of uppercase characters
  • Minimum number of lowercase characters
  • Minimum number of decimals (0 through 9)
  • Minimum number of special characters
  • Minimum number of non-Latin alphabetic characters (includes Unicode characters from Asian languages)
  • Whether or not the password can contain the username

For example, you can create a strong password requirement that has a minimum of 8 characters, cannot contain the username of the user, and contains a mix of uppercase and lowercase letters, numbers, and special characters.

If you choose to enforce a minimum number of non-Latin alphabetic characters, ensure that your users have these characters available to them when setting their passwords.

STIG Compliant Passwords in the System Maintenance Guide provides an example of a strong password policy. 

Configure Password Strength

  1. In the Security Analytics menu, select Administration > Security.
    The Security view is displayed with the Users tab open.
  2. Click the Settings tab.
  3. In the Password Strength section, select the password complexity requirements to enforce when Security Analytics users set their passwords and specify the minimum characters required, if applicable. Clear the checkbox for the requirements that you do not want to enforce.
    Minimum Password Length: Specifies a minimum password length. A minimum password length prevents users from using short passwords that are easy to guess.
    Uppercase Characters: Specifies a minimum number of uppercase characters for the password. This includes European language characters A through Z, with diacritic marks, Greek characters, and Cyrillic characters. For example:
    • Cyrillic uppercase: Д Ц
    • Greek uppercase: Π Λ
    Lowercase Characters: Specifies a minimum number of lowercase characters for the password. This includes European language characters a through z, sharp-s, with diacritic marks, Greek characters, and Cyrillic characters. For example:
    • Cyrillic lowercase: д ц
    • Greek lowercase: π λ
    Base 10 Digits: Specifies a minimum number of decimal characters (0 through 9) for the password.
    Special Characters (~!@#$%^&*_-+=`|(){}[]:;"'<>,.?/): Specifies a minimum number of special characters for the password.
    Non-Latin Alphabetic Characters: Specifies a minimum number of Unicode alphabetic characters that are not uppercase or lowercase. This includes Unicode characters from Asian languages. For example:
    • Kanji (Japanese): 頁 (leaf) 枒 (tree)
    Password May Not Contain Username: Specifies that a password cannot contain the case-insensitive username of the user.
  4. Click Apply.
  5. In the confirmation dialog, select an answer to the following question: Do you want to force all internal users to change their passwords on the next login?
    • Yes: Forces all internal users to change their passwords the next time they log on to Security Analytics. This overrides any individual user account settings.
    • No: Forces only those internal users with the Force password change at next login option enabled in their individual user account settings to change their password the next time they log on to Security Analytics.

The password strength settings take effect when Security Analytics users create or change their passwords. 
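As an added example (not code from the RSA documentation or product), the following Python check applies the Settings tab definitions above to a candidate password: Unicode general categories decide upper/lower case and non-Latin alphabetic characters, digits are restricted to 0 through 9, the special-character set is the one listed on the tab, and the username test is case-insensitive. The minimums in EXAMPLE_POLICY are a constructed policy mirroring the 8-character illustration, and the function names are assumptions.

```python
import unicodedata

# The special-character set exactly as listed on the Settings tab.
SPECIAL_CHARS = set("~!@#$%^&*_-+=`|(){}[]:;\"'<>,.?/")

# Constructed example policy mirroring the page's illustration: at least 8
# characters, mixed case, a digit, a special character, and no username.
EXAMPLE_POLICY = {
    "Minimum Password Length": 8,
    "Uppercase Characters": 1,
    "Lowercase Characters": 1,
    "Base 10 Digits": 1,
    "Special Characters": 1,
    "Non-Latin Alphabetic Characters": 0,
    "Password May Not Contain Username": True,
}


def classify(password):
    """Count characters per complexity class using Unicode general categories."""
    counts = {"Uppercase Characters": 0, "Lowercase Characters": 0,
              "Base 10 Digits": 0, "Special Characters": 0,
              "Non-Latin Alphabetic Characters": 0}
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":              # A-Z, diacritics, Greek, Cyrillic uppercase
            counts["Uppercase Characters"] += 1
        elif cat == "Ll":            # a-z, sharp-s, Greek, Cyrillic lowercase
            counts["Lowercase Characters"] += 1
        elif ch in "0123456789":     # base 10 only, not other Unicode digits
            counts["Base 10 Digits"] += 1
        elif ch in SPECIAL_CHARS:
            counts["Special Characters"] += 1
        elif cat.startswith("L"):    # alphabetic but neither upper nor lower (Kanji)
            counts["Non-Latin Alphabetic Characters"] += 1
    return counts


def check_password(password, username, policy=EXAMPLE_POLICY):
    """Return the names of the requirements the password fails (empty = accepted)."""
    failures = []
    if len(password) < policy["Minimum Password Length"]:
        failures.append("Minimum Password Length")
    for name, count in classify(password).items():
        if count < policy[name]:
            failures.append(name)
    # The username test is case-insensitive, as the Settings tab describes.
    if policy["Password May Not Contain Username"] and username.casefold() in password.casefold():
        failures.append("Password May Not Contain Username")
    return failures
```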
