Configure PoolParty to Use Stronger Passwords

In this section you find details on how to make PoolParty's passwords more secure.

Default Settings

The default password security in PoolParty requires passwords to match the following criteria:

  • Passwords may contain letters and numbers as well as special characters.
  • Passwords length has to be at least 8 characters.

Password Change Policy

The following key determines, if users on logging in to PoolParty for the first time have to change their password or not:

  • security.password.changeDefault.enabled=  (Boolean, possible values: true or false, default: true)

Default behaviour: new users and legacy users will have to change passwords on their first login. At that point a user after logging in cannot execute any functions, until he or she has changed their password. That way a password is less apt to be abused.

Stronger Password Requirements Configuration

To configure PoolParty to require stronger password security add the following setting to the poolparty.properties file:

  • pwd.mode.secure = true
  • pwd.min.length = 8 (default value, optional)

Requirements for Stronger Password Security

If stronger password security is set, passwords have to match the following criteria:

  • Password must use upper and lower case characters.
  • Passwords have to use letters as well as digits and punctuation characters, for example: 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

Enforce Password Change Periodically (optional)

The periodical password change policy is meant to prevent an attacker to guess or otherwise find out a password. The change can be set to a value of your choice in days, default is 90 for as many days.

This does not work in combination with SAML or LDAP and should not be used with one of the two.

Set the following value in the poolparty.properties file:

  • security.password.expiration=90 (default = 0)

This setting enforces a password change for users after 90 days, periodically. At that point a user after logging in cannot execute any functions, until he or she has changed their password.

Password History Enforcement (optional)

This makes sure that users cannot reuse their passwords. Changing this value in the poolparty.properties file sets the number of passwords for a user saved in a history. In this example, the user cannot use the last 10 passwords:

  • security.password.log=10 (default = 0)

User Account Locking (optional)

Number of allowed login attempts before lock-out.

To enable user account locking, the following settings can be used in the poolparty.properties file:

  • security.account.failed.attempts (default = 1)
    is the maximum number of stored failed login attempts.

  • security.account.lock (default = 0)
    means that after the specified number of failed login attempts, the account is locked and cannot be accessed even if the correct password is entered.

  • security.account.failed.attempts must be greater than security.account.lock
  • API login attempts are also counted

The user management allows to unlock an account. It's also possible to use ReCaptcha. In the unusual event that all accounts are locked, security.account.lock should be removed from the property file and PoolParty restarted. After that the lock is no longer active.