Configuring Password Policy

FastClose can be configured to enforce password complexity, expiry and re-use requirements when FastClose's own authentication is in use. None of the configuration settings below apply when Windows Authentication is in use.

From FastClose 3.0 onwards, the settings are in the accountsecuritypolicysettings.json file in the server installation folder.

In FastClose 2.5, the settings for this policy are in the appsettings.customer.json file in the server installation folder. If that file does not exist, create it by copying and renaming appsettings.customersettings.json. If the file does exist but does not contain these settings because it was created for an earlier version of FastClose, you can insert the new settings yourself within the appropriate section, copying them out of the default file appsettings.json.

Remember that you usually need to run Notepad as administrator in order to edit a file within the Program Files folder.

Within the AccountSecurityPolicySettings section in 3.0, or AuthenticationOptions section in 2.5, edit the following settings and restart the server:

/* Minimum length required for a password (minimum 1, but 10 or more recommended) */
"MinimumPasswordLength": 1,
/* Minimum number of different characters required in a password (minimum 1, but 5 or more recommended) */
"MinimumPasswordUniqueCharacters": 1,
/* Require passwords to contain uppercase characters (recommended) */
"PasswordsRequireUppercaseCharacters": false,
/* Require passwords to contain lowercase characters (recommended) */
"PasswordsRequireLowercaseCharacters": false,
/* Require passwords to contain at least one digit (recommended) */
"PasswordsRequireDigits": false,
/* Require passwords to contain at least one symbol or punctuation character (recommended) */
"PasswordsRequireSymbols": false,
/* Disallow the 'N' most commonly used passwords where N is up to 100,000 (1000 recommended), default 0 means no checking */
"CommonPasswordsExclusionCount": 0,
/* Disallow re-use of the previous 'N' passwords, default 0 means no re-use checking */
"NumberOfPreviousPasswordsToExclude": 0,
/* Once changed, password cannot be changed again for 'N' days, to prevent circumvention of re-use policy; default of 0 means no limit to password changing */
"MinimumPasswordAgeInDays": 0,
/* How many days before a password must be changed; default of 0 means no password expiry */
"MaximumPasswordAgeInDays": 0,
/* Whether the password must not match the user's username, first name, last name or email address (recommended) */
"MustNotMatchUser": false

Note: the MustNotMatchUser setting was added in 3.1.

The policy is enforced whenever a new user is created or an existing user edited via the administration web pages, and whenever an existing user uses the Change Password feature within any of the client apps. It is also enforced when a user is made to change their password on login due to expiry.

FastClose does not store user passwords, only cryptographic hashes generated from their passwords, so it cannot apply changes to policy retrospectively.
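To show how these settings combine when a candidate password is checked, here is an added example written for this page (it is not FastClose's own validator). It evaluates a password against a policy dictionary keyed by the setting names above and returns the names of the settings it violates. The re-use check reflects the point about storing only hashes: earlier passwords are kept as salted digests, and the candidate is hashed with each stored salt for comparison. The policy values, the common-password list, the sample user record, the treatment of "symbol" as any non-alphanumeric character, and case-insensitive matching for MustNotMatchUser are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Policy keyed by the setting names from the FastClose config fragment.
# Length, unique-character, character-class and common-password values are
# the page's recommended ones; the re-use depth and minimum age are
# constructed sample values for this example.
RECOMMENDED_POLICY = {
    "MinimumPasswordLength": 10,
    "MinimumPasswordUniqueCharacters": 5,
    "PasswordsRequireUppercaseCharacters": True,
    "PasswordsRequireLowercaseCharacters": True,
    "PasswordsRequireDigits": True,
    "PasswordsRequireSymbols": True,
    "CommonPasswordsExclusionCount": 1000,
    "NumberOfPreviousPasswordsToExclude": 5,
    "MinimumPasswordAgeInDays": 1,
    "MaximumPasswordAgeInDays": 0,
    "MustNotMatchUser": True,
}

# Constructed stand-in for the head of a common-password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Password1!"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; only this, never the password, is kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_history(previous_passwords):
    """Build (salt, digest) pairs, most recent first, as a server would store them."""
    history = []
    for pwd in previous_passwords:
        salt = os.urandom(16)
        history.append((salt, hash_password(pwd, salt)))
    return history


def check_password(password, policy, user, history, common, days_since_change):
    """Return the names of the violated settings (an empty list means acceptable).

    user: dict with username, first_name, last_name and email.
    history: (salt, digest) pairs of earlier passwords, most recent first.
    days_since_change: days since the current password was set; None for a new user.
    """
    failed = []
    if len(password) < policy["MinimumPasswordLength"]:
        failed.append("MinimumPasswordLength")
    if len(set(password)) < policy["MinimumPasswordUniqueCharacters"]:
        failed.append("MinimumPasswordUniqueCharacters")
    if policy["PasswordsRequireUppercaseCharacters"] and not any(c.isupper() for c in password):
        failed.append("PasswordsRequireUppercaseCharacters")
    if policy["PasswordsRequireLowercaseCharacters"] and not any(c.islower() for c in password):
        failed.append("PasswordsRequireLowercaseCharacters")
    if policy["PasswordsRequireDigits"] and not any(c.isdigit() for c in password):
        failed.append("PasswordsRequireDigits")
    # Assumption: "symbol or punctuation" means any non-alphanumeric character.
    if policy["PasswordsRequireSymbols"] and not any(not c.isalnum() for c in password):
        failed.append("PasswordsRequireSymbols")
    # Only the first N entries of the list are screened; N = 0 disables the check.
    n = policy["CommonPasswordsExclusionCount"]
    if n and password.lower() in {p.lower() for p in common[:n]}:
        failed.append("CommonPasswordsExclusionCount")
    if policy["MustNotMatchUser"]:
        # Assumption: a case-insensitive exact match against each user field.
        fields = (user.get("username"), user.get("first_name"),
                  user.get("last_name"), user.get("email"))
        if password.casefold() in {f.casefold() for f in fields if f}:
            failed.append("MustNotMatchUser")
    # Re-use check: hash the candidate with each stored salt and compare digests,
    # so no previous password ever needs to be kept in the clear.
    k = policy["NumberOfPreviousPasswordsToExclude"]
    for salt, digest in history[:k]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            failed.append("NumberOfPreviousPasswordsToExclude")
            break
    # Minimum age stops a user cycling through N passwords to get back to the old one.
    min_age = policy["MinimumPasswordAgeInDays"]
    if min_age and days_since_change is not None and days_since_change < min_age:
        failed.append("MinimumPasswordAgeInDays")
    return failed


def password_expired(policy, days_since_change):
    """True when MaximumPasswordAgeInDays is non-zero and has been reached."""
    max_age = policy["MaximumPasswordAgeInDays"]
    return bool(max_age) and days_since_change is not None and days_since_change >= max_age
```

A zero in any numeric setting switches that check off, matching the comments in the configuration fragment, and the character-class checks run only when their flag is true. Because the re-use comparison works on stored digests, it can only ever see passwords that were hashed after the policy was enabled, which is why a new policy cannot be applied to passwords set before it.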

When editing a user in the administration web pages, the current policy settings can be viewed by hovering over the 'info' icon next to the password box.


The same information is shown when changing your password in one of the desktop apps.


Widely cited guidance (xkcd, NIST) holds that password length matters more than character-class complexity, and that screening candidate passwords against lists of common or compromised passwords matters too. Forced periodic expiry can reduce security rather than improve it.

Notes about specific settings:

An administrator can mark a password as expired immediately by ticking the box 'User must change password on next login' and clicking Save when editing or creating a user. This is useful when setting up a new user: the administrator sets an initial password, shares it with the new user, and the new user is required to change it on first login to one that only they know.
