How to manage passwords

This how-to gives an overview of how passwords can be created, edited, validated and managed in FBO One. It describes the different sections of FBO One that relate to password management. The following topics are covered:

Intro on password security in FBO One

Access to FBO One is controlled in two ways. The first is the IP address of the computer: if the IP address is not listed in the IP whitelist, the login screen is not displayed. Instead an error screen is shown, with the option of device authorization.

If the IP address is listed in the whitelist, the normal login screen is displayed. Here the user enters his or her username and password to gain access to FBO One. The password linked to the username is stored on the secure servers at Amsterdam Software as an unreadable sequence of numbers and letters. FBO One blocks a username after too many failed login attempts. How many failed attempts are allowed before the user is blocked is configurable with the settings 'MaxConsecutiveFailedLoginAttempts' and 'MaxConsecutiveFailedLoginAttemptsTimespanHours' in Administration|Application Settings. The first setting governs how many failed login attempts can occur before the user is blocked. The second setting governs after how long the count of failed login attempts is set back to zero.

A password can be set to expire after a certain number of days, forcing the user to choose a new password. This is set in Administration|Application Settings in the setting 'MaximumPasswordValidityInDays'. The setting 'MinimumPasswordReuseInDays' determines after how many days the same password may be used again.

Password validation expressions and login attempt logging

In Administration|Security|Password Validations you define what a password must contain to be accepted by FBO One, for example a capital letter or a number. These validations are written as regular expressions. A few validations are already preconfigured in FBO One.

If a validation should apply to password selection, the box 'Is active' must be checked. Multiple validations can be set to active to place more restrictions on password selection.

How to unlock a user account that has too many failed login attempts

If a user reports that he or she is locked out of FBO One, it is important to determine whether the user caused the failed login attempts or an unauthorized attempt to access FBO One was made. To help with this, FBO One has a report called the 'Security Audit' report. Go to Reports|Security Audit report and fill in the dates of the login attempts twice: once for the login attempts and once for the sessions.

In the screenshot below the report was requested for logins and sessions on April 18th 2012.

In the report, the columns 'Attempted UserName' and 'Client IP address' are what is needed to unblock a user. If it is unknown why a user has been blocked, the times of the login attempts and the IP address of the computer can be found here.

If it is certain that the blocking happened by mistake, note down the username and IP address to unlock the user. Go to Administration|Security|Unlock User, select the username and fill in the IP address. Finally click 'Unlock' to unlock the user.

How to reset a password

If a user has forgotten their password, a new password can be assigned. Go to Administration|Security|Users, find the applicable user and click 'Edit'. Type a new password in the 'Password' field and click 'Save' to assign it to the user.

Security audit report

As briefly mentioned before, the 'Security Audit' report can be used to monitor login attempts. The LoginAttempts tab shows which users tried to log in, at what time, from which IP address and whether they were successful. The Sessions tab gives the start time of each session in FBO One, together with the user name, IP address and method of authentication. The Users tab gives information about the users in the system, including the time of the last login and whether the user is active. With this information it can be checked, for example on a monthly basis, whether user accounts should be disabled (for example because an employee has left the company).
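As an added illustration (not FBO One's own code, and not its documented lockout algorithm), the Python below models how the two lockout settings from the introduction interact, replayed over constructed rows shaped like the LoginAttempts tab, and applies the question from the unlock section: did the failures come from an IP address the user has logged in from before? The reset rule, the column layout, the usernames, IP addresses and setting values are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of one day's LoginAttempts rows from the Security Audit report
# (columns assumed: time, Attempted UserName, Client IP address, success). Not real data.
LOGIN_ATTEMPTS = [
    ("2012-04-18 08:01:00", "jsmith", "10.0.0.15", False),
    ("2012-04-18 08:01:40", "jsmith", "10.0.0.15", False),
    ("2012-04-18 08:02:10", "jsmith", "10.0.0.15", True),   # user got in; count resets
    ("2012-04-18 21:10:00", "jsmith", "203.0.113.7", False),
    ("2012-04-18 21:10:05", "jsmith", "203.0.113.7", False),
    ("2012-04-18 21:10:09", "jsmith", "203.0.113.7", False),
    ("2012-04-18 21:10:14", "jsmith", "203.0.113.7", False),
    ("2012-04-18 21:10:20", "jsmith", "203.0.113.7", False),
]
MAX_CONSECUTIVE_FAILED = 5  # stands in for MaxConsecutiveFailedLoginAttempts (assumed value)
TIMESPAN_HOURS = 1          # stands in for MaxConsecutiveFailedLoginAttemptsTimespanHours (assumed)

def evaluate_lockout(rows, username, max_failed=MAX_CONSECUTIVE_FAILED,
                     timespan_hours=TIMESPAN_HOURS):
    """Replay one user's attempts. Model (assumed, not FBO One's documented
    algorithm): a successful login clears the count, and failures older than
    timespan_hours drop out of it. Returns (locked, ips_behind_the_lockout)."""
    window = timedelta(hours=timespan_hours)
    failures = []  # (time, ip) of the failures still counted
    for ts, user, ip, ok in rows:
        if user != username:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if ok:
            failures = []
            continue
        failures = [f for f in failures if t - f[0] <= window] + [(t, ip)]
        if len(failures) >= max_failed:
            return True, sorted({f[1] for f in failures})
    return False, []

def triage(rows, username):
    """Was the lockout caused only from IPs this user has logged in from before?
    (One heuristic for the 'user mistake or unauthorized attempt' question.)"""
    locked, ips = evaluate_lockout(rows, username)
    if not locked:
        return "not locked"
    familiar = {ip for _, user, ip, ok in rows if user == username and ok}
    return "locked from known IP(s)" if set(ips) <= familiar else "locked from unfamiliar IP(s)"

if __name__ == "__main__":
    print(evaluate_lockout(LOGIN_ATTEMPTS, "jsmith"))  # (True, ['203.0.113.7'])
    print(triage(LOGIN_ATTEMPTS, "jsmith"))            # locked from unfamiliar IP(s)
```

In the sample, the two morning failures are wiped by the successful login, so only the five evening failures from the unfamiliar address count; that is the case where the unlock procedure should not simply be applied without further checks.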

See also

Password validations

How to Update a Password