Configuring Password Security Requirements

Civic Platform provides agencies with the ability to define password requirements for users. By default, Civic Platform requires that passwords be at least 6 characters long. Agencies can use the Password Settings page to set user password requirements to meet the agency’s needs.

To set user password requirements

  1. Navigate to Civic Platform and click the Admin Tools tab.

  2. Select Admin Tools > Agency Profile > Agency.

  3. Enter your agency code, or other agency search criteria, and then click Submit.

    Civic Platform displays a list of agencies that match your search criteria.

  4. Click the Password Security link for your agency. The link displays to the right of the address/city/state/zip columns.

    Civic Platform displays the Password Settings page.



  5. To define the minimum number of characters needed for a password

    • Select a value from the Minimum number of characters drop-down list.

  6. To define password character requirements

    • Select and define one or more options in the Character Requirements section. See Table 1 for detailed information.

  7. To define password restriction requirements

    • Select and define one or more options in the Restrictions section. See Table 2 for detailed information.

  8. If your agency uses Citizen Access, and you want to use the same password rules for public users, select Apply the same requirements for passwords to public users in Citizen Access.

  9. To restrict the number of failed login attempts by a user before Civic Platform locks the user’s account

    • Select Lock account after X failed login attempts in Y hours.

    • Specify how many failed login attempts (X) a user can have, then specify the timeframe within which those login attempts may occur in hours (Y).

      For example, to allow a user three attempts to log in within a one-hour timeframe, enter 3 for the number of failed login attempts, and 1 for the number of hours.

  10. Click Submit.

    Civic Platform activates the security policy for your agency.

    Table 1. Password Character Requirement Details

    At least [ # ] upper-case letters (A,B,C,...)
        Select to define a minimum number of upper-case alphabetical characters required when a user creates a password.

    At least [ # ] numbers (0,1,2,...)
        Select to define a minimum number of numerical characters required when a user creates a password.

    At least [ # ] special characters (!,$,%,...)
        Select to define a minimum number of special characters required when a user creates a password.

    Table 2. Password Restriction Details

    Do not allow the user ID to be part of the password
        Disallows the user ID for use in a password.

    Do not allow the following special characters
        Disallows the special characters you specify for use in a password. Separate multiple special characters with commas.

    Do not allow passwords that start with numbers or special characters
        Disallows use of numerical or special characters at the beginning of a password.

    Do not allow reuse of passwords that meet the following conditions
        Restricts the re-use of passwords. Select, then define one or both of the following.
        • Used in the previous [ # ] passwords: Select and define to disallow re-use of a password for a rule-defined number (1-15) of iterations.
        • Used in the previous [ # ] hours: Select and define to disallow re-use of a password for a rule-defined period of time.

Standard Choice Configuration for Password Rules

There are two Standard Choices for password rules: PASSWORD_POLICY_SETTINGS and PASSWORD_CALCULATION_SCORE.

If you want to add a new policy, or modify an existing policy, configure the Standard Choice PASSWORD_POLICY_SETTINGS with appropriate values according to the Standard Choice values as described in Table 3. Separate standard value descriptions with pipe characters (||) and separate elements with a colon (:).

Table 3. Standard Choices PASSWORD_POLICY_SETTINGS Configuration

Standard Choice Value: Example_JavaBean1
Value Description: JAVABEAN: com.accela.security.password.LengthValidator || length:8 || errorMessage: Password is too short.
Active: Y

Standard Choice Value: Example_JavaBean2
Value Description: JAVABEAN:com.accela.security.password.UpperCharValidator || number:2 || errorMessage: Password must contain uppercase.
Active: Y

Standard Choice Value: Example_JavaBean3
Value Description: JAVABEAN:com.accela.security.password.ExcludeUserIDValidator || errorMessage:Do not allow user id
Active: Y

Standard Choice Value: Example_JavaBean4
Value Description: JAVABEAN:com.accela.security.password.ExcludeUserIDValidator || number:5 || errorMessage:Do not allow previous password.
Active: Y

Standard Choice Value: Example_WS
Value Description: WS: https://accela.com:3080/CheckACAPolicy?wsdl || errorMessage: check policy failed.
Active: Y
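
The value-description format in Table 3 can be checked before a rule is activated. The following Python sketch is an added example, not Civic Platform or Accela code: it parses a description into its prefix, target and elements, and runs a few reviewer checks. The names PolicyRule, parse_rule and review, the checks themselves, and the constructed bad row are assumptions made for illustration.

```python
# Added example (not vendor code): parse Table 3 value descriptions.
from dataclasses import dataclass, field

KNOWN_KINDS = {"JAVABEAN", "WS"}  # the two prefixes shown in Table 3
# Value descriptions copied from Table 3, plus one constructed bad row.
TABLE_3_ROWS = [
    "JAVABEAN: com.accela.security.password.LengthValidator || length:8 || errorMessage: Password is too short.",
    "WS: https://accela.com:3080/CheckACAPolicy?wsdl || errorMessage: check policy failed.",
]
CONSTRUCTED_BAD_ROW = "WS: http://policy.example.invalid/check?wsdl || number:five"


@dataclass
class PolicyRule:
    kind: str                     # JAVABEAN or WS
    target: str                   # validator class name or web-service URL
    params: dict = field(default_factory=dict)


def parse_rule(description: str) -> PolicyRule:
    """Parse 'KIND: target || key:value || ...' into a PolicyRule."""
    head, *elements = [part.strip() for part in description.split("||")]
    # Split on the FIRST colon only: a WS target is a URL with its own colons.
    kind, sep, target = head.partition(":")
    kind, target = kind.strip().upper(), target.strip()
    if not sep or kind not in KNOWN_KINDS or not target:
        raise ValueError(f"unrecognised rule head: {head!r}")
    params = {}
    for element in elements:
        key, sep, value = element.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"element is not key:value: {element!r}")
        params[key.strip()] = value.strip()
    return PolicyRule(kind, target, params)


def review(rule: PolicyRule) -> list:
    """Reviewer checks chosen for this example, not product behaviour."""
    findings = []
    if "errorMessage" not in rule.params:
        findings.append("no errorMessage element")
    for key in ("length", "number"):
        if key in rule.params and not rule.params[key].isdigit():
            findings.append(f"{key} is not a whole number")
    if rule.kind == "WS" and not rule.target.lower().startswith("https://"):
        findings.append("web-service validator is not called over HTTPS")
    return findings
```

Calling review(parse_rule(row)) on each row returns an empty list for the two Table 3 rows and three findings for the constructed row.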

To modify the password calculation score rules, configure the Standard Choice PASSWORD_POLICY_SETTINGS as described in Table 4.

Table 4. Standard Choice PASSWORD_CALCULATION_SCORE Configuration

Standard Choice Value            Value Description    Active
Number of Characters             +(n*4)               Y
Repeated Characters              -(n*4)               Y
Has 3 Number                     +5                   Y
Has 2 Special Characters         +5                   Y
Has Upper and Lower Character    +10                  Y
Has Numbers and Characters       +15                  Y
Only Characters                  -10                  Y
Only Numbers                     -10                  Y
Weak Password                    score<=34            Y
Medium Password                  34 < score <=34      Y
Strong Password                  68 < score           Y
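
To see how the Table 4 weights combine, the following Python sketch (an added example, not Civic Platform code) scores a few constructed passwords. Assumptions: "Repeated Characters" counts characters that already appeared earlier in the password, "Has 3 Number" and "Has 2 Special Characters" mean at least that many, and Medium covers 34 < score <= 68, the gap between the Weak and Strong rows (the Medium row itself is printed as "34 < score <=34").

```python
# Added example (not vendor code): score a password with the Table 4 weights.
import string

WEAK_MAX = 34    # Table 4: Weak Password score<=34
STRONG_MIN = 68  # Table 4: Strong Password 68 < score
# Assumption: Medium covers 34 < score <= 68 (the gap between the two rows above).


def score_password(pw: str) -> int:
    """Apply each Table 4 row; interpretations are the assumptions commented below."""
    digits = sum(c.isdigit() for c in pw)
    letters = sum(c.isalpha() for c in pw)
    specials = sum(c in string.punctuation for c in pw)
    repeats = len(pw) - len(set(pw))       # assumption: chars already seen earlier
    score = 4 * len(pw)                    # Number of Characters  +(n*4)
    score -= 4 * repeats                   # Repeated Characters   -(n*4)
    if digits >= 3:
        score += 5                         # Has 3 Number
    if specials >= 2:
        score += 5                         # Has 2 Special Characters
    if any(c.isupper() for c in pw) and any(c.islower() for c in pw):
        score += 10                        # Has Upper and Lower Character
    if digits and letters:
        score += 15                        # Has Numbers and Characters
    if pw and letters == len(pw):
        score -= 10                        # Only Characters
    if pw and digits == len(pw):
        score -= 10                        # Only Numbers
    return score


def rating(score: int) -> str:
    if score <= WEAK_MAX:
        return "Weak"
    return "Strong" if score > STRONG_MIN else "Medium"


# Constructed sample passwords, chosen to exercise different rows.
SAMPLES = ["abcdef", "12345678", "aaaaaaaa", "Summer2024", "Password123!"]

if __name__ == "__main__":
    for pw in SAMPLES:
        s = score_password(pw)
        print(f"{pw!r:16} score={s:4} {rating(s)}")
```

Under these assumptions Password123! scores 74 and rates Strong, so the score reflects length and character mix rather than how guessable a password is.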