Starting with ILLiad 9.0, sites can set password requirements for staff using the StaffPasswordComplexity key. Existing sites will have this key set to .* to preserve existing functionality, but new installations will have the complex password requiring at least 8 characters, including an upper and lower case letter and a number. The Staff Manager does have an override ability that will prompt 'Password does not meet requirements. Would you still like to set the password?' when a password does not meet the specified requirements.
Default Password Requirement
In order to require at least eight characters with at least one lowercase letter, one uppercase letter, and one number, the following regular expression should be entered as the value for the StaffPasswordComplexity key:
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$
With the ILLiad default password requirement, passwords must contain:
- At least 8 characters
- At least 1 lowercase letter
- At least 1 uppercase letter
- At least 1 number
Setting the Password Requirement
To set the default validation rule for Staff passwords:
- Open the ILLiad Customization Manager.
- Navigate to System | General.
- Locate the StaffPasswordComplexity key.
- Change the value to ^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$
- Click Save.
Editing the Password Requirement
The default Staff password requirement can be edited to fit specific institution needs. This is done by simply editing the regular expression that sets the password requirement.
See Testing Regular Expressions for more information about regular expressions.
- Navigate to System | General in the ILLiad Customization Manager.
- Locate the StaffPasswordComplexity key.
- Change the value to the regular expression you want to use.
- Click Save.
Password Examples
The default requirement above (^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$) breaks down roughly as:
- A ^ and $ character to indicate the beginning and end of the text.
- A series of (?=.*#character class#) elements, which look ahead to make sure at least some part of the text matches the given #character class#, which includes
- \d - any number
- [a-z]any lowercase number
- [A-Z]any uppercase number
- .{8,} to ensure the text is at least eight characters.
Here are some examples of some common complexity requirements expressed as regular expressions. Remember that the web validation fields cannot exceed 255 characters when designing your regular expressions, and to change the rule for both the registration and the change password forms.
Require at least eight characters with at least one letter, one number, and one symbol |
|
Require between 8 and 20 characters with at least one letter and one number |
|
Require at least 10 characters |
|
Requires a password of at least eight characters with characters coming from at least two of the following three groups: letters, numbers, and symbols. |
|
Password Expiration
The StaffPasswordExpirationEnabled customization key located under System | Password Expiration in the ILLiad Customization Manager specifies whether staff passwords should have an expiration date. This key defaults to a value of "Yes."
The StaffPasswordExpirationDays customization key located under System | Password Expiration in the ILLiad Customization Manager sets the number of days before a password expires for a staff member. If the staff user's last password change exceeds the StaffPasswordExpirationDays, the user will be redirected to the change password form upon login to the ILLiad Client. The default value for this key is 180 days.
Encryption for Stored Passwords
Staff passwords are stored with enhanced encryption methods using the Password-Based Key Derivation Function 2 (PBKDF2) hashing strategies. The iterations (default value: 156,000) store the hashed passwords as an algorithm. When a user logs in with a password, it will be compared with the hash algorithm to verify the password is correct before permitting clearance into ILLiad.
The default value can be changed in the Customization Manager by changing the value of the StaffPasswordHashingIterations key. If you wish to change the default iterations, it's highly recommended to contact support for the number of iterations that work best for the speed of your computer and the hash algorithm. Generally, hash iterations should not be set to less than 100,000.
FIPS Compliance
As of v9.0, FIPS (Federal Information Processing Standards) can be enabled for ILLiad. This standard:
- Utilizes 140-2 compliant encryption algorithms
- Is activated via the Windows group policy
FIPS compliance will be supported with ILLiad after the hashing customization keys (StaffPasswordHashingIterations and WebPasswordHashingIterations) are set in the Customization Manager with a numerical value.
If you need to utilize FIPS on your system, you must update ALL passwords for staff members prior to activating it, or FIPS checking will prevent the system from running for the respective Staff user.