Passwords

2020-07-05

This topic covers the options available for configuring password authentication in the database:

Password Strength

User passwords can be set to either "weak" or "strong" rules.

Weak rules require only that the password:

  • Must be at least 6 non-whitespace characters long
  • Must not match the user's email address

Strong rules require that passwords meet the following criteria:

  • Must be eight or more characters long
  • Must contain characters from at least three of the following character types:
    • lowercase letters (a-z)
    • uppercase letters (A-Z)
    • digits (0-9)
    • symbols (! @ # $ % & / < > = ?)
  • Must not contain a sequence of three or more characters from the user's email address, display name, first name, or last name
  • Must not match any of the user's 10 previously used passwords
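
The weak and strong rules above, implemented as a checker that returns the list of violated rules. This is an added illustration, not LabKey's own code: it assumes whitespace does not count toward the six-character minimum, that the three-character substring rule is case-insensitive, and that password history is kept as salted PBKDF2 hashes (the iteration count is an arbitrary choice for the example).

```python
import hashlib
import os

# Symbols exactly as the strong rules list them; other punctuation does not count.
SYMBOLS = set("!@#$%&/<>=?")
ITERATIONS = 50_000  # assumed PBKDF2 work factor for the history store


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def remember_password(history: list, password: str) -> None:
    """Store a salted hash of a newly set password, keeping only the last 10."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-10]


def check_weak(password: str, email: str) -> list:
    """Return the weak-rule violations (an empty list means the password passes)."""
    errors = []
    # Assumption: whitespace does not count toward the six-character minimum.
    if sum(not c.isspace() for c in password) < 6:
        errors.append("at least 6 non-whitespace characters")
    if password == email:
        errors.append("must not match the email address")
    return errors


def check_strong(password, email, display_name, first_name, last_name, history=()):
    """Return the strong-rule violations (an empty list means the password passes)."""
    errors = []
    if len(password) < 8:
        errors.append("at least 8 characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in SYMBOLS for c in password))
    if sum(classes) < 3:
        errors.append("characters from at least three of lower, upper, digit, symbol")
    # Assumption: the substring rule is case-insensitive; any run of three
    # consecutive characters taken from a profile field is rejected.
    low = password.lower()
    for field in (email, display_name, first_name, last_name):
        f = field.lower()
        if any(f[i:i + 3] in low for i in range(len(f) - 2)):
            errors.append(f"contains 3+ consecutive characters from {field!r}")
            break
    if any(_digest(password, salt) == digest for salt, digest in history):
        errors.append("matches one of the last 10 passwords")
    return errors
```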

Password Expiration

Administrators can also set the password expiration interval. Available expiration intervals are:

  • Never
  • Twelve months
  • Six months
  • Three months
  • Every five seconds - for testing purposes

Password Best Practices for LDAP and SSO Users

For installations that run on LDAP or SSO authentication servers, it is recommended that at least one Site Administrator account be associated with LabKey's internal database authenticator as a failsafe. This will help prevent a situation where all users and administrators become locked out of the server should the external LDAP or SSO system fail or change unexpectedly. If there is a failure of the external authentication system, a Site Administrator can sign in using the failsafe database account and create new database authenticated passwords for the remaining administrators and users, until the external authentication system is restored.

To create a failsafe database-stored password:

  • Select (User) > My Account.
  • Choose Create Password. (This will create a failsafe password in the database.)
  • Enter your password and click Set Password.

After setting up a failsafe password in the database, LabKey Server will continue to authenticate against the external LDAP or SSO system, but it will attempt to authenticate using database authentication if authentication using the external system fails.
