Password Security

To guarantee greater security, Aurea CRM allows you to specify that passwords must be changed at regular intervals and must meet certain criteria. In addition, you can enable the blocking mechanism, which prevents a user from attempting to log in after a specified number of failed attempts, see System Blocking.

You can configure the following settings on the Password tab in the Station Configuration info area:

  • Frq. PW Update in days: Number of days after which users must change their passwords.
  • Minimum PW Length: The minimum password length. The maximum length is 128 characters, which is sufficient to protect against brute force attacks.
  • Passwords in History: The number of passwords stored in the history that may not be used again (maximum: 10).
  • Password History: The number of characters in the next password that may not be repeated in the same order (possible values: 0 = no limit; 3, 4, ...)
  • PW must contain digits: If enabled, the password must contain at least one digit.
  • PW must contain letters: The password must contain at least one letter.
  • PW must not contain user name: The password must not contain the user name.
  • PW must contain upper and lower case: New passwords must contain both upper and lower case.
    Note: If you enable this option and export or import users in the Export/Import modules (Login/US info area), you need to include the Password and Encrypted Password fields in the export/import format.
  • PW may not be in blacklist: Words entered in the blacklist may not be used as passwords. The blacklist is defined in the Configuration info area, see Security.
    Note: You can configure certain password settings for individual users, see Password Settings. User-specific settings take precedence over station-specific settings.

    You can exclude certain users from the password settings (e.g. the communication user) by enabling the Deactivate Password or Ignore PW Settings option in the Configure Login window.

When Aurea CRM is started, the system checks whether the user's password must be changed and whether it meets the defined security criteria. If one of these criteria is not met, the user is prompted to change their password. The system also checks whether the new password meets the security criteria.
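The following is an added example, not Aurea CRM code, that models the station settings listed above as a small policy checker: it reports which rules a candidate password violates and whether the current password has exceeded the Frq. PW Update interval. Field names, the sample history and the user name are constructed; the "Password History" rule is interpreted here as "no run of N consecutive characters from a recent password may reappear in the new one", and the blacklist comparison is assumed to be case-insensitive, neither of which the page states explicitly. Previous passwords are held in clear text only to keep the sequence check readable; a real store would keep them encrypted.

```python
"""Password policy checker modelled on the Aurea CRM station settings.

Added example (not Aurea CRM code). Attribute names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    frq_pw_update_days: int = 90          # Frq. PW Update in days (0 = never expire)
    minimum_pw_length: int = 8            # Minimum PW Length
    max_pw_length: int = 128              # fixed upper bound stated on the page
    passwords_in_history: int = 5         # Passwords in History (max 10)
    password_history_run: int = 0         # Password History (0 = no limit; 3, 4, ...)
    must_contain_digits: bool = True      # PW must contain digits
    must_contain_letters: bool = True     # PW must contain letters
    must_not_contain_user_name: bool = True
    must_contain_upper_and_lower: bool = True
    blacklist: frozenset = frozenset()    # PW may not be in blacklist (lower-case words)


def validate_new_password(policy, candidate, username, history):
    """Return the list of violated rules; an empty list means the password is accepted.

    `history` lists previous passwords, most recent first; only the first
    `passwords_in_history` entries are considered (assumption).
    """
    problems = []
    if len(candidate) < policy.minimum_pw_length:
        problems.append("too short")
    if len(candidate) > policy.max_pw_length:
        problems.append("too long")
    if policy.must_contain_digits and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy.must_contain_letters and not any(c.isalpha() for c in candidate):
        problems.append("no letter")
    if policy.must_not_contain_user_name and username.lower() in candidate.lower():
        problems.append("contains user name")
    if policy.must_contain_upper_and_lower and not (
        any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)
    ):
        problems.append("no mixed case")
    if candidate.lower() in policy.blacklist:
        problems.append("blacklisted")

    recent = history[: policy.passwords_in_history]
    if candidate in recent:
        problems.append("reused")

    # "Password History": no run of N consecutive characters from a recent
    # password may appear, in the same order, in the new password (0 = no limit).
    n = policy.password_history_run
    if n > 0 and any(
        old[i : i + n] in candidate
        for old in recent
        for i in range(len(old) - n + 1)
    ):
        problems.append("repeats sequence from previous password")
    return problems


def password_change_required(policy, last_changed, today=None):
    """Frq. PW Update: True once the password is older than the configured interval."""
    if policy.frq_pw_update_days <= 0:
        return False
    today = today or date.today()
    return today - last_changed >= timedelta(days=policy.frq_pw_update_days)


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    policy = PasswordPolicy(minimum_pw_length=8, passwords_in_history=3,
                            password_history_run=4,
                            blacklist=frozenset({"password", "welcome1"}))
    history = ["Summer2023!", "Winter2022!", "Spring2022!", "Autumn2021!"]
    for pw in ["Summer2024!", "jdoe1234", "Password", "Tr0ub4dor&x"]:
        print(pw, "->", validate_new_password(policy, pw, "jdoe", history) or "accepted")
    print("change required:", password_change_required(policy, date(2024, 1, 1),
                                                        today=date(2024, 4, 1)))
```

The checker returns every violated rule rather than stopping at the first one, so the login dialog can tell the user everything that is wrong with the new password in a single prompt.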