Frequently Asked Questions

Niagara Password Security
Last Updated 4 years ago

AX Platform - User Name

In digest authentication, platform user name can be as follows:

If QNX-based host, a maximum of 14 alphanumeric characters (a - z, A - Z, 0 - 9), where the first character must be alphabetic, and following characters either alphanumeric or underscore ( _ ).

If Windows-based host, any number of alphanumeric characters, including hyphens and underscores.

AX Platform - Password

In digest authentication, platform password for both QNX-based and Win32-based hosts can be any combination of alphanumeric characters, including common punctuation (! @ # $ %). This permits a strong password.

A "strong password" is highly recommended. Some basic guidelines on strong passwords:

  • Use both upper and lower case.
  • Include numeric digits.
  • Include special characters.
  • Don't use dictionary words.
  • Don't use company name.
  • Don't make the same as the user name.
  • Don't use common numbers like telephone, address, birthday, and so on.

Station - Password Strength (AX-3.8)

Starting in AX-3.8, the definition of strong passwords for station users is configurable in each station. A new "Password Strength" container slot in the UserService holds configuration properties you can adjust as needed. This slot effectively replaces the former "Require Strong Passwords" slot.

Password strength values shown above reflect the "default" strong password rules, as enforced by the "New Station" wizard in Workbench (from menu bar, Tools->New Station). These defaults are a minimum 10 character password, using at least 1 upper case, 1 lower case, and 1 digit (numeral), but no special characters. This wizard does not complete without a valid password for the "admin" user.

Once the wizard completes, you can adjust the station's password strength properties as needed. If changed in a station, any future password change for any station user (including the "admin" user) requires the minimum values specified in those properties.


Password Strength properties are as follows:

  • Minimum Length
    Minimum total required characters for a station password, where 10 is the default.
  • Minimum Lower Case
    Minimum alphabetic lower case characters (a-z) in a station password, where 1 is the default.
  • Minimum Upper Case
    Minimum alphabetic upper case characters (A-Z) in a station password, where 1 is the default.
  • Minimum Digits
    Minimum numerals (0-9) in a station password, where 1 is the default.
  • Minimum Special
    Minimum "non-alphanumeric" characters in a station password, where 0 (none) is the default. This includes punctuation and symbols (e.g. among others "!", "@", "#", "$", "%", "&", space).

Although "Password Strength" properties allow reducing password strength (e.g. entering 0s in values), it is strongly recommended to retain a level of password strength similar to the "default" level, if not greater. For example, you may wish to require at least one (1) "special" and at least two (2) upper case characters. For related details, see Stronger passwords.
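
The Password Strength properties above, worked through as an added example (not Niagara code or any vendor API): an offline checker that counts character classes the way the five properties describe them, reports which minimums a candidate password misses, and flags a policy configured below the default level. The class and function names are hypothetical, and treating only ASCII letters and digits as alphanumeric is an assumption.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class PasswordStrength:
    """The five Password Strength properties, with the defaults given above."""
    min_length: int = 10
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_special: int = 0

LOWER = set("abcdefghijklmnopqrstuvwxyz")
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
DIGITS = set("0123456789")

def count_classes(password):
    """Count characters per class. Assumption: only ASCII letters and digits
    are alphanumeric; everything else, including space, counts as special."""
    lower = sum(c in LOWER for c in password)
    upper = sum(c in UPPER for c in password)
    digits = sum(c in DIGITS for c in password)
    return {"length": len(password), "lower": lower, "upper": upper,
            "digits": digits, "special": len(password) - lower - upper - digits}

def violations(password, policy=PasswordStrength()):
    """Return (property, actual, required) for every minimum the password misses."""
    counts = count_classes(password)
    missed = []
    for prop, required in asdict(policy).items():
        actual = counts[prop[len("min_"):]]
        if actual < required:
            missed.append((prop, actual, required))
    return missed

def policy_regressions(policy):
    """Names of properties configured below the default level."""
    defaults = asdict(PasswordStrength())
    return [p for p, v in asdict(policy).items() if v < defaults[p]]

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    stricter = PasswordStrength(min_upper=2, min_special=1)  # the example given above
    for candidate in ("Summer2024x", "Two Words 99", "short1A"):
        print(candidate, violations(candidate), violations(candidate, stricter))
    print(policy_regressions(PasswordStrength(min_length=6, min_digits=0)))
```

A password that passes the default rules can still fail once the stricter example values are configured, which matters because the new minimums apply to any future password change.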

==================================================================================

N4 – Platform/Station Password strength

To protect each certificate’s private key you must supply a private key password. When backing up certificate private keys by exporting certificates, you may use an additional encryption password. (The default encryption password is the same as the private key password.) To prevent unauthorized access, your passwords need to be strong.

A strong platform or station password:

• Has 10 or more characters.
• Includes letters, punctuation, symbols, and numbers.
• Is unique for each set of credentials.
NOTE: You should not reuse passwords.
• Avoids dictionary words in any language, words spelled backwards or words that use common misspellings and abbreviations, sequences or repeated characters, personal information such as your birthday, driver’s license, passport number, etc.

These precautions were adapted from information at microsoft.com, which provides a secure password checker you can use to test the strength of any password.

Niagara 4 allows you to control password strength for user authentication. The password strength configuration for user authentication does not apply to certificate passwords.


Password management
Managing passwords involves configuring the strength of the passwords used with the authentication scheme, establishing the period of time after which the password expires, setting the warning period, and setting up the password for each user.
The system supports three password features designed to strengthen access security:
• Password strength that may be configured for each authentication scheme.
• An expiration interval for a password
• Password history


Setting up password strength
Strong passwords are recommended. Along with the other password features, password strength will frustrate any attempt to breach your system.
Prerequisites: Authentication scheme has been added to the AuthenticationService.
Password strength is associated with the selected authentication scheme, for example, Digest or Basic, but not LDAP, for which password strength is managed by the LDAP server. You can create different strengths for different schemes and apply those schemes to different classes of user. For example, an administrator could have stricter password strength requirements.


Once the New Station wizard completes, you can adjust the scheme's password strength properties as needed. If changed for a scheme, any future password change for any station user (including the admin user) requires the minimum values specified in the Password Strength properties.


NOTE: Although you may reduce password strength by entering zeros for its property values, it is strongly recommended that you retain a level of password strength similar to the default level, if not greater. For example, you may wish to require at least one special and at least two upper case characters.


You configure password strength for each authentication scheme.


Step 1 Right-click the AuthenticationService in the Nav tree and click Views→Property Sheet.
The AuthenticationService Property Sheet window appears.
Step 2 Expand the scheme and the Global Password Configuration→Password Strength container for the scheme.
Step 3 Configure the minimum character requirements, Expiration Interval, Warning Period, and Password History Length (5 or 10 characters).
Step 4 Do the same for any other scheme you plan to use and click Save.


Setting up password options
In most cases, users create their own passwords. You may create a temporary password for each user in the UserService and require them to change the password at their next login. You may also configure the password expiration date.
Prerequisites: The authentication scheme you need is available in the AuthenticationService.
Step 1 Right-click UserService and click Views→Property Sheet in the Nav tree.
Step 2 Open the user’s Property Sheet.
Step 3 Expand the user whose password you want to set.
Step 4 Scroll down and expand the Authenticator→Password Config container under the user name.
Force Reset At Next Login defaults to true.
Step 5 To allow the user to continue using the same password, set Force Reset At Next Login to false.
Step 6 Set the password expiration date, scroll down and click OK.


Setting up a user's password
You configure user passwords through the UserService. If you are accessing the UserService from a browser, your connection must be secure (https) or you will be unable to set the password.
Step 1 Double-click UserService in the Nav tree and double-click the user record.
Step 2 To view the password properties, expand the Authenticator.
Step 3 Enter and confirm the password, then click OK.
