Staff Password Requirements

Print Friendly and PDF Follow

After performing the March 2022 Aeon Server update for Aeon 5.0 or Aeon 5.1, sites can set password requirements for staff using the StaffPasswordComplexity key in the Customization Manager. The default setting for the key will enforce a complex password requiring at least 8 characters, including an upper and lower case letter and a number. The key can be set to .* to remove the requirement, however, the Staff Manager will also have an override ability that will prompt 'Password does not meet requirements. Would you still like to set the password?' when a password does not meet the specified requirements in the key.

Default Password Requirement

The default validation rule for passwords now requires at least eight characters with at least one lowercase letter, one uppercase letter, and one number, and is expressed by this regular expression:

^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$

With the Aeon default password requirement, passwords must contain:

  • At least 8 characters
  • At least 1 lowercase letter
  • At least 1 uppercase letter
  • At least 1 number

Editing the Password Requirement

The default Staff password requirement can be edited to fit specific institution needs. This is done by simply editing the regular expression that sets the password requirement.

See Testing Regular Expressions for more information about regular expressions.

  1. Navigate to System | Password Expiration in the Aeon Customization Manager.
  2. Locate the StaffPasswordComplexity key.
  3. Change the value to the regular expression you want to use.
  4. Click Save.

Password Examples

The default requirement above (^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}$) breaks down roughly as:

  • A ^ and $ character to indicate the beginning and end of the text.
  • A series of (?=.*#character class#) elements, which look ahead to make sure at least some part of the text matches the given #character class#, which includes
    • \d - any number
    • [a-z]any lowercase number
    • [A-Z]any uppercase number
  • .{8,} to ensure the text is at least eight characters.

Here are some examples of some common complexity requirements expressed as regular expressions. Remember that the web validation fields cannot exceed 255 characters when designing your regular expressions, and to change the rule for both the registration and the change password forms.

Require at least eight characters with at least one letter, one number, and one symbol
^(?=.*\d)(?=.*[a-zA-Z])(?=.*\W).{8,}$
Require between 8 and 20 characters with at least one letter and one number
^(?=.*\d)(?=.*[a-zA-Z]).{8,20}$
Require at least 10 characters
^.{10,}$
Requires a password of at least eight characters with characters coming from at least two of the following three groups: letters, numbers, and symbols.
^((?=.*\d)(?=.*[a-zA-Z])|(?=.*\d)(?=.*\W)|
(?=.*[a-zA-Z])(?=.*\W)).{8,}$
 

Unique Password Requirements

As of Aeon 4.2, Staff passwords will check the new password using a configurable number (default value: 4) of previous passwords for uniqueness when a staff user is changing his/her password. This will prevent staff users from reusing a previous password or rotating through similar passwords. 

The default can be changed in the Customization Manager by changing the default value of the StaffPreviousPasswordCount key.

  • If the value is set to 4, then the user must have 4 unique passwords before an old password can be reused.
  • If the value is set to 0, the password will not be checked against the user's password history when updating the password.

Encryption for Stored Passwords 

As of Aeon 4.2, staff password as stored with enhanced encryption methods using the Password-Based Key Derivation Function 2 (PBKDF2) hashing strategies. The iterations (default value: 156,000) store the hashed passwords as an algorithm. When a user logs in with a password, it will be compared with the hash algorithm to verify the password is correct before permitting clearance into Aeon.

The default value can be changed in the Customization Manager by change the value of the StaffPasswordHashingIterations key. If you wish to change the default iterations, it's highly recommended to contact support for the number of iterations that work best for the speed of your computer and the hash algorithm. Generally, hash iterations should not be set to less than 100,000. 

Questions?

If this article didn’t resolve your issue, please contact Atlas Support for assistance:

Contact Support