Password policies

Arena supports creating password policies to ensure that information is kept secure. A user can only be included in one password policy.

Arena Password Policy

The installation includes one password policy: Arena Password Policy. This policy comes pre-configured with settings that enforce a fairly strong password. To find out the exact settings for this policy, select Users and then Password Policies. Click the context menu for the policy and select Edit.

You can create new password policies if you want to, or adapt the Arena Password Policy.

Recommendations

Make sure that administrators and users have personal user names and passwords and that security measures are met, for example:

  • Requiring that the user changes the password upon initial sign-in
  • Using complex passwords
  • Password expiration
  • Control of maximum number of unsuccessful sign-in attempts
  • Making sure that passwords are not shared, written down or sent by email
  • Signing out of Arena rather than letting the time-out take place

Creating password policies

  1. Sign in to Liferay.
  2. In the menu to the left, click Control Panel.
  3. Select Users and then Password Policies. You can either update the default password policy, by clicking its context menu and selecting Edit, or create a new password policy by clicking + at the lower right of the screen.
  4. Enter a name for the policy, and, if you want, a description.
  5. Make the settings for the following areas:

Password Changes

Changeable: Makes the password changeable and enables making additional settings.

Change Required: Requires the user to change the password after the initial sign-in.

Minimum Age: How long the user must wait before changing the password again.

Reset Ticket Max Age: How long a password reset link is valid.

Password Syntax Checking

Enable Syntax Checking: Checks the content and/or length of passwords and enables making additional settings.

Allow Dictionary Words: Keeping this option deselected prevents the user from using common words for their password.

Use the rest of the options to set the required complexity of passwords.

Password History

Enable History: Keeps track of previous passwords and prevents the user from reusing passwords.

History Count: The number of previous passwords to keep in the history.

Password Expiration

Enable Expiration: Forces the user to change the password at a set interval.

Maximum Age: How often the password must be changed.

Warning Time: How long before a password expires the user is notified.

Grace Limit: How many times the user may sign in after their password has expired.

Lockout

Enable Lockout: Prevents the user from signing in after a defined number of unsuccessful attempts.

Maximum Failure: Maximum number of attempts the user is allowed to make with the wrong password.

Reset Failure Count: How long the unsuccessful sign-in attempts are kept.

Lockout Duration: How long a locked account stays locked.
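
The three Lockout settings interact, and a reset time shorter than the gap between failed attempts means the failure count never reaches the maximum. The following is an added example, not part of the Arena or Liferay code: a simplified model that replays constructed sign-in attempts against a lockout policy. The class and function names, the use of seconds as the unit, and the exact reset behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:            # hypothetical container for the Lockout settings
    maximum_failure: int        # "Maximum Failure"
    reset_failure_count: int    # "Reset Failure Count" (assumed unit: seconds)
    lockout_duration: int       # "Lockout Duration" (assumed unit: seconds)


def replay(events, policy):
    """Replay (timestamp_seconds, password_ok) attempts for one account.

    Returns one outcome per attempt: 'ok', 'failed', 'locked' (this failure
    triggered the lockout) or 'rejected' (attempt made while locked).
    """
    failures, last_failure, locked_until, outcomes = 0, None, None, []
    for ts, password_ok in events:
        if locked_until is not None:
            if ts < locked_until:
                outcomes.append("rejected")  # a correct password is refused too
                continue
            locked_until, failures, last_failure = None, 0, None  # lock expired
        # Assumed: failures are forgotten once the reset time has passed.
        if last_failure is not None and ts - last_failure >= policy.reset_failure_count:
            failures = 0
        if password_ok:
            failures, last_failure = 0, None
            outcomes.append("ok")
            continue
        failures, last_failure = failures + 1, ts
        if failures >= policy.maximum_failure:
            locked_until = ts + policy.lockout_duration
            outcomes.append("locked")
        else:
            outcomes.append("failed")
    return outcomes


# Constructed policy: 3 failures, 10-minute reset time, 5-minute lockout.
POLICY = LockoutPolicy(maximum_failure=3, reset_failure_count=600, lockout_duration=300)
# Constructed attempts: (seconds since start, password correct?).
BURST = [(0, False), (10, False), (20, False), (30, True), (330, True)]
SPACED = [(0, False), (700, False), (1400, False), (2100, False)]

if __name__ == "__main__":
    print("burst :", replay(BURST, POLICY))
    print("spaced:", replay(SPACED, POLICY))
```

In this model the spaced attempts never trigger a lockout under the 10-minute reset time, while the same attempts do once the reset time is raised to an hour, which is worth checking when choosing Reset Failure Count.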

Assigning a password policy to users

It is recommended to assign the same password policy to all users in the organisation. Make sure that existing passwords conform to the settings in the password policy before you assign it to the organisation.

  1. Open the context menu for the new policy and select Assign members.
  2. Select the Organizations tab and check the name of your organisation.

  3. Click Add.