API: Auth
Filename: authPswd_{userType}.cnfg
Released With: 5.0.0
Current Version: 3.0.0
Status: Active
Min Lasso Tested: 8.1.0
Max Lasso Tested: 8.5.3
The login system of the fwp_user custom type includes several options for flexible password management for a variety of security needs.
Password requirements for minimum length and required character sets let the allowed password space be tuned anywhere from user friendliness to brute-force resistance.
Passwords can be set to require rotation so the user must change the password every N days. In conjunction with this, the past N passwords are stored and a new password cannot equal any of them. Before the user's password expires, a password update reminder can be flagged to appear within N days of the expiration date.
Login can be restricted not only to account name and password, but also can be limited to a specific client_IP address.
Passwords created by administrators when creating or resetting user accounts can be flagged for one-time use, requiring the user to create their own password and thereby keeping administrators from logging in as other users.
Accounts can be locked after N sequential failed access attempts. The lockout can require administrator override or a simple delay period before the user may try again (the latter is preferred, since a lockout that needs an administrator lets an attacker mount a denial-of-service attack by deliberately locking out multiple users).
This file is loaded by the fwp_user type during the creation of a user object.
See the descriptions in the sample file below.
Below is a typical configuration file example. If multiple user definitions are not needed, then this file is typically called authPass_default.cnfg and would typically be in the /site/configs/ folder. The file extension must match the one set in $fw_kCnfgExt.
[output_none]
# authPass_(name).cnfg
# minimum password string length (integer)
# 6 is ok, 8 is most secure
fw_kUsrPswdMinLen=6
# password must include charset (0|1)
# most secure is one of each
# recommended to at least require upper, lower, number
fw_kUsrPswdUpper=0
fw_kUsrPswdLower=0
fw_kUsrPswdDigit=1
fw_kUsrPswdSymbol=0
# client_ip must match field usersHosts (0|1)
# suitable only for users with fixed IP addresses
fw_kUsrHostMatch=0
# number of passwords to keep in history
# new passwords cannot equal any in history
# 0 means unused option
fw_kUsrPswdHistory=0
# frequency password must be changed (integer days)
# 0 means unused option
# most secure is 90 days or less
fw_kUsrPswdDays=0
# number of days before expiration
# to prompt user for new password
fw_kUsrPswdPromptDays=14
# admin supplied password must be changed on first use (0|1)
fw_kUsrPswdOnce=0
# max failed attempts before lockout (1-9)
# 3 to 5 recommended
# 0 means unused option
fw_kUsrAttemptsMax=3
# minutes to pass before lockout expires
# (integer minutes) or -1 to require admin reset
# 5 to 15 recommended
# -1 requires admin reset but is not recommended
# for most apps as it can lead to DOS attacks
# 0 means unused option
fw_kUsrLockMinTime=5
[/output_none]
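As an added illustration (not code from the pageblocks framework or the fwp_user type), the following Python reads a file in this key=value layout and applies the length, charset and password-history rules to a candidate password; the sample file content is constructed, and the history check compares plaintext strings only for simplicity (a real store would hold hashes).

```python
import string

# Constructed sample in the authPass_(name).cnfg layout; not the project's own file.
SAMPLE_CNFG = """[output_none]
# minimum password string length (integer)
fw_kUsrPswdMinLen=8
# password must include charset (0|1)
fw_kUsrPswdUpper=1
fw_kUsrPswdLower=1
fw_kUsrPswdDigit=1
fw_kUsrPswdSymbol=0
# number of passwords to keep in history (0 means unused)
fw_kUsrPswdHistory=3
[/output_none]
"""

# Charset keys from the config file mapped to a membership test for one character.
CHARSETS = {
    "fw_kUsrPswdUpper": str.isupper,
    "fw_kUsrPswdLower": str.islower,
    "fw_kUsrPswdDigit": str.isdigit,
    "fw_kUsrPswdSymbol": lambda c: c in string.punctuation,
}

def parse_cnfg(text):
    """Read key=value lines; '#' comments, blank lines and [output_none] tags are skipped."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        policy[key.strip()] = int(value.strip())
    return policy

def check_password(policy, candidate, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable.

    history holds the user's previous passwords, oldest first (assumed plaintext here).
    Only the last fw_kUsrPswdHistory entries count, matching the "past N passwords" rule.
    """
    problems = []
    if len(candidate) < policy.get("fw_kUsrPswdMinLen", 0):
        problems.append("shorter than fw_kUsrPswdMinLen")
    for key, is_member in CHARSETS.items():
        if policy.get(key, 0) == 1 and not any(is_member(c) for c in candidate):
            problems.append("missing charset required by " + key)
    keep = policy.get("fw_kUsrPswdHistory", 0)
    if keep > 0 and candidate in tuple(history)[-keep:]:
        problems.append("equals one of the last %d passwords" % keep)
    return problems
```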
© 2002-2010, pageblocks.org