User Password & Security Modifications

After reviewing the ACR system’s password policy, modifications have been made to encourage the use of stronger passwords by users and administrators of the ACR system. These modifications will take effect when you receive your next updates this weekend. Details of the changes are listed below, and we encourage you to familiarise yourself with them before you receive the update:
  • The maximum password length has been increased to 50 characters, allowing the creation of very strong passwords or passphrases.
  • A new site-wide configuration (ACR Only) has been created to set the minimum password length. The default is 5; if you would like this increased, please contact the ACR support team.
    • N.B. Changing this configuration does not affect any existing passwords and will only affect passwords that are created after the configuration is modified. For example, if a user had a password, h7q91, with a total length of 5, and the configuration was changed from 5 to 8, they will be able to continue using that password, h7q91. When they next attempt to set a new password, they will need one that meets the new minimum length of 8.
  • Passwords are now case sensitive after the removal of restrictions that had carried over from legacy architecture. Previously, the system would interpret the passwords h7q91, H7q91, H7Q91, h7Q91 all as h7q91.
    • N.B. If, prior to the update, a user’s password contained a mixture of cases and they experience difficulty logging in after the update, they should attempt to log in using the same password but using only lowercase. After a successful logon they can then change their password, if they wish.
  • When setting a new password, the system will now reject known insecure passwords, e.g. password, 123456.
  • A temporary lockout policy for user accounts has now been set up. If a user enters an incorrect password 10 or more times within 3 minutes, their account will be locked out for 5 minutes. After that time they can again attempt to log in. This type of lock is known as a soft-lock.
    • N.B. If the user’s password is changed in User Maintenance within the 5-minute soft-lock period, the soft-lock will be removed.
    • Additionally, please note this soft-lock has no effect on or with the existing ‘User Locked’ tick box in User Maintenance.
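
A minimal model of the soft-lock rule described above, added here as an illustration and not taken from the ACR system's own code. The class and function names are hypothetical, and two behaviours the notice does not state are assumed: attempts made during a lock are refused without being counted, and a successful logon clears the failure count.

```python
from collections import defaultdict, deque

MAX_FAILURES = 10        # from the notice: 10 or more incorrect passwords
WINDOW_SECONDS = 3 * 60  # ... within 3 minutes
LOCK_SECONDS = 5 * 60    # ... locks the account out for 5 minutes


class SoftLock:
    """Hypothetical tracker; 'now' is a time in seconds supplied by the caller."""

    def __init__(self):
        self.failures = defaultdict(deque)  # user -> recent failure times
        self.locked_until = {}              # user -> time the soft-lock ends

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        if self.is_locked(user, now):
            return "locked"  # assumption: refused, and not counted as a failure
        if password_ok:
            self.failures.pop(user, None)  # assumption: success clears the count
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()  # forget failures older than the 3-minute window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCK_SECONDS
            recent.clear()
            return "locked"
        return "denied"

    def password_changed(self, user):
        """A password change in User Maintenance removes the soft-lock."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)


def replay(events):
    """Replay constructed (user, password_ok, time) events; return the outcomes."""
    lock = SoftLock()
    return [lock.attempt(user, ok, t) for user, ok, t in events]
```

Replaying ten failures ten seconds apart triggers the lock on the tenth attempt, while ten failures thirty seconds apart never do, because no 3-minute window ever holds ten of them.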

If you have any questions, please contact the ACR training team for further assistance.