Password and Login Security

NetX takes security very seriously. To this end, we provide a number of security layers, as well as a variety of configuration options to meet your specific security requirements.

Session key configuration

When users successfully log in to NetX, they are issued a session key that grants access to data within the application. By default, a session key is valid for 30 minutes, and that lifetime is extended each time the key is used to make a call back to the server. Administrators can adjust this behavior to meet their security requirements with the following property:

Property: user.sessionDuration

Description: This property sets the length of time, in minutes, that internal session keys remain valid. Change this value only if you understand the consequences, as it affects the security of your installation. The default timeout is 30 minutes.

Value options: number

Requires restart? Yes
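To make the sliding timeout described above concrete, here is an added example (not NetX code) of a session store that issues random keys, rejects a key once its idle window has passed, and extends the window on every successful use. The 30-minute default mirrors user.sessionDuration; the class, method names and the injectable clock are assumptions for this example.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed default, mirroring user.sessionDuration = 30 (minutes). Example only, not NetX code.
SESSION_DURATION_MINUTES = 30


@dataclass
class Session:
    user: str
    expires_at: float  # epoch seconds


class SessionStore:
    """Issues opaque session keys and enforces an idle timeout that slides on use."""

    def __init__(self, duration_minutes=SESSION_DURATION_MINUTES, clock=time.time):
        self.duration = duration_minutes * 60
        self.clock = clock  # injectable so expiry can be exercised without waiting
        self._sessions = {}

    def create(self, user):
        # 256 random bits from the OS CSPRNG; the key carries no user-derived data.
        key = secrets.token_urlsafe(32)
        self._sessions[key] = Session(user, self.clock() + self.duration)
        return key

    def validate(self, key):
        """Return the user for a live key and extend its lifetime, or None.

        An expired key is deleted on sight so a later call can never revive it.
        """
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self.clock()
        if now >= session.expires_at:
            del self._sessions[key]
            return None
        # Sliding extension: every successful call restarts the idle window.
        session.expires_at = now + self.duration
        return session.user

    def revoke(self, key):
        """Explicit logout: drop the key regardless of remaining lifetime."""
        self._sessions.pop(key, None)


if __name__ == "__main__":
    store = SessionStore()
    key = store.create("alice")
    print(store.validate(key))       # alice
    store.revoke(key)
    print(store.validate(key))       # None
```

The idle window is measured from the last successful call, so a client that keeps polling stays logged in indefinitely; if an absolute maximum lifetime is also required, that is a separate check layered on top of this one.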

 

Login attempt restrictions

The first line of defense is blocking repeated login attempts. By default, an account is locked after 10 failed login attempts, and a locked account remains locked for 30 minutes. Both of these values can be adjusted as you see fit with the following properties:

Property: user.failedLoginAttemptThreshold

Description: Any integer value is valid; setting this to zero disables login failure blocking entirely.

Value options: number

Requires restart? Yes

Property: user.failedLoginAttemptTimeout

Description: Any positive, non-zero integer value is valid; measured in minutes.

Value options: number

Requires restart? Yes

Additionally, any login attempt against a non-existent account is automatically locked in order to thwart brute-force attacks; once locked, the system stops making database calls for that non-existent account name.
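As an added example (not NetX code), the following login guard implements the behavior described in this section: failures are counted per account name, the name is refused for a timeout once the threshold is reached, a threshold of zero disables blocking, and an unknown account name is locked on first sight so later guesses never reach the user lookup. The defaults mirror the two properties above; the LoginGuard class, its callbacks and the injectable clock are assumptions for this example, and the user table is constructed inline.

```python
import time
from collections import defaultdict

# Assumed defaults mirroring the NetX properties described above. Example only, not NetX code.
FAILED_LOGIN_THRESHOLD = 10    # user.failedLoginAttemptThreshold (0 disables lockout)
FAILED_LOGIN_TIMEOUT_MIN = 30  # user.failedLoginAttemptTimeout, in minutes


class LoginGuard:
    """Counts failed attempts per account name and refuses the name for a timeout
    once the threshold is reached. Unknown names are locked immediately, so repeated
    guesses against them are refused before any database lookup."""

    def __init__(self, lookup_user, check_password, threshold=FAILED_LOGIN_THRESHOLD,
                 timeout_minutes=FAILED_LOGIN_TIMEOUT_MIN, clock=time.time):
        self.lookup_user = lookup_user        # name -> record or None (stands in for the DB call)
        self.check_password = check_password  # (record, password) -> bool
        self.threshold = threshold
        self.timeout = timeout_minutes * 60
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}
        self.db_calls = 0  # counted so the "no lookup while locked" property is observable

    def is_locked(self, name):
        until = self._locked_until.get(name)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear it and start counting afresh.
            del self._locked_until[name]
            self._failures.pop(name, None)
            return False
        return True

    def _lock(self, name):
        self._locked_until[name] = self.clock() + self.timeout

    def _record_failure(self, name):
        if self.threshold == 0:  # zero disables blocking entirely
            return
        self._failures[name] += 1
        if self._failures[name] >= self.threshold:
            self._lock(name)

    def login(self, name, password):
        """Return 'ok', 'locked' or 'failed' for the caller's own bookkeeping."""
        if self.is_locked(name):
            return "locked"
        self.db_calls += 1
        record = self.lookup_user(name)
        if record is None:
            # Non-existent account: lock the name right away so further attempts
            # are refused without another lookup.
            self._lock(name)
            return "failed"
        if not self.check_password(record, password):
            self._record_failure(name)
            return "failed"
        self._failures.pop(name, None)  # success resets the counter
        return "ok"


if __name__ == "__main__":
    users = {"alice": {"pw": "correct horse battery staple"}}  # constructed sample data
    guard = LoginGuard(lambda n: users.get(n), lambda rec, pw: rec["pw"] == pw)
    print(guard.login("alice", "wrong"))  # failed
    print(guard.login("nobody", "x"))     # failed
    print(guard.login("nobody", "x"))     # locked, and no second lookup
```

The three return values are for logs and metrics; the message shown to the client should be the same for "locked" and "failed", so that the response itself does not reveal whether an account exists or how close it is to the threshold.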

Strict passwords

Augmented user control — including control over passwords — is easily gained by integrating authentication with an external LDAP directory server or an SSO system. Absent those options, NetX provides a number of password complexity settings. By default, passwords must be at least 8 characters long. The following settings can tighten password security further:

Changing password restriction settings does not affect existing users until the next password change on the account, whether made by the user or by an administrator.

Property: sys.minimumPasswordLength

Description: This property sets the minimum length required for passwords; the default value is 8 characters.

Value options: number

Requires restart? No

Property: sys.passwordPattern

Description: This property value is a comma-separated list of elements, each consisting of a number followed by a letter. The number is how many characters of that type are required, and the letter designates the character type.

As an example, a valid value is "2N,3U,2L"; this requires two numbers, three upper case letters, and two lower case letters in every password.

The following are considered "special characters":

! @ # $ % ^ & * ( ) + = _ - { } ? : ; < > . | [

This property requires a restart before it takes effect.

Value options:

  • N: number (0 - 9)
  • L: lower case ASCII character (a-z)
  • U: upper case ASCII character (A-Z)
  • S: special characters

Requires restart? Yes
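As an added example (not NetX code), here is a validator for the two settings above: it parses a sys.passwordPattern value such as "2N,3U,2L" into per-class minimums, rejects malformed or duplicated elements instead of silently ignoring them, counts characters using the four classes and the special-character list given in the article, and reports every violation together with the minimum-length check. The function names and the list-of-violations return shape are assumptions for this example.

```python
import re

# Special characters exactly as listed in the article.
SPECIAL_CHARS = set("!@#$%^&*()+=_-{}?:;<>.|[")

# Character classes from the "Value options" list above (ASCII ranges only).
CLASS_TESTS = {
    "N": lambda c: "0" <= c <= "9",
    "L": lambda c: "a" <= c <= "z",
    "U": lambda c: "A" <= c <= "Z",
    "S": lambda c: c in SPECIAL_CHARS,
}

_ELEMENT = re.compile(r"^(\d+)([NLUS])$")


def parse_pattern(pattern):
    """Turn a value such as "2N,3U,2L" into {"N": 2, "U": 3, "L": 2}.

    An empty value means no per-class requirement. Anything that is not
    <count><class> raises ValueError so a typo in the setting is noticed at
    configuration time rather than quietly weakening the policy.
    """
    required = {}
    if not pattern.strip():
        return required
    for element in pattern.split(","):
        m = _ELEMENT.match(element.strip())
        if not m:
            raise ValueError(f"bad pattern element: {element!r}")
        count, cls = int(m.group(1)), m.group(2)
        if cls in required:
            raise ValueError(f"class {cls} listed twice")
        required[cls] = count
    return required


def check_password(password, min_length=8, pattern=""):
    """Return a list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    counts = {cls: sum(1 for c in password if test(c)) for cls, test in CLASS_TESTS.items()}
    for cls, needed in parse_pattern(pattern).items():
        if counts[cls] < needed:
            problems.append(f"needs at least {needed} of class {cls}, found {counts[cls]}")
    return problems


if __name__ == "__main__":
    print(check_password("AAAbb12#", pattern="2N,3U,2L"))  # []
    print(check_password("password", pattern="2N,3U,2L"))  # three violations
```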

 

Password protection and encryption

Passwords are encrypted "over the wire" — between the client and the server — via SSL. Passwords are cleansed from all logging facilities on the backend and stored only as hashes in the NetX database. While many applications use a plain SHA-256 hash, NetX goes a large step further: we have recently switched our password hashing to PBKDF2, as specified in PKCS #5 v2.0.
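As an added example (not NetX code) of the storage scheme this section and the checklist name, the following uses PBKDF2 (PKCS #5 v2.0) from Python's standard library: a fresh random salt per password, a self-describing stored record that carries its own iteration count, a constant-time comparison on verify, and a check for records that were hashed under an older, weaker iteration setting. The iteration count, salt size, digest and record format are assumptions for this example; the article does not state NetX's parameters.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example only; the article does not give NetX's values.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST = "sha256"
KEY_LEN = 32


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a record of the form pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>.

    A per-password random salt means two users with the same password get
    different records, and precomputed tables are useless against the store.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    return "$".join([
        "pbkdf2_" + DIGEST,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record is never a match
    if scheme != "pbkdf2_" + DIGEST or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record, iterations=PBKDF2_ITERATIONS):
    """True when the stored record was made with fewer iterations than current policy,
    so it can be re-hashed the next time the user logs in with the correct password."""
    parts = record.split("$")
    return len(parts) != 4 or int(parts[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))                         # False
```

The difference from a bare SHA-256 hash is the iteration count: PBKDF2 applies the HMAC hundreds of thousands of times, so an attacker who obtains the database pays that cost for every guess, while a single login check on the server remains well under a second.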

Common security checklist

  • Password length, a minimum of 8 characters.
  • Password complexity, includes the use of alpha, numeric and special characters.
  • Maximum invalid account login attempts: just one.
  • Account lockout thresholds: 10.
  • Inactive session timeout: 30 minutes.
  • Passwords are encrypted while in transit using standard cryptographic methods: SSL.
  • Passwords are encrypted or hashed in storage using standard cryptographic methods: PBKDF2.

 
