You can efficiently manage the password policy settings such as password expiry, password length, password for users using the local authentication provider.
To set or modify password policies for local authentication provider (that is VMware Lab Platform authentication provider):
Prerequisites
Administrator user role access and privileges.
Procedure
From the navigation panel, click Users & Groups > Authentication Providers.
Click the three ellipses icon next to the Local authentication provider, and click Update.
You can set or modify the following password policy information:
Option
Description
Strong Passwords
If you select the option, users need to set a password that must have at least one uppercase character, one digit, and one symbol character in the password. By default, the Strong Passwords option is deselected.
Password Length
Set the length for password. The default value is 8 characters.
Previous Passwords
The number of times that a user cannot use a previous password as a new password. The default value is set as 0.
Password Expiration
Number of days before a password expires and a password change is required.
Caution:
Setting the value to 0 disables the password expiration check and allows users with expired passwords to login.
Automatic Account Lockout Failure Count
The number of failed authentication that is allowed before the account is locked. By default this feature is deactivated. Set a value more than 0 to activate the feature. As a best practice, we recommend setting the value to 5.
Setting a value for Automatic Account Lockout Failure Count prevents a malicious user from trying many different passwords to login to an account. It locks an account if too many failed login attempts occur. The lockout can be temporary or permanent.
When activated, the following options are displayed:
Automatic Lockout Failure Count
Specifies the number of failed login attempts before the system locks out the user.
The number of failed authentication attempts allowed before an account is locked out. After a successful login, the failed login counter for the account is reset.
The default value is 0 (deactivated). The recommended value is 5.
A value of 0 deactivates this feature altogether.
If this feature is enabled (value greater than 0) and then is deactivated (value is 0), any accounts temporarily locked out is unlocked. However, any permanently locked accounts will stay locked.
Automatic Lockout Time Window
Specifies the time period in seconds for failed login attempts specified in the
Automatic Lockout Failure Countoption.
The time window during which the authentication attempt failure-count triggers a lockout. The time window starts from the date/time of the first failed login attempt for an account.
Recommended value is 900 seconds (15 minutes)
A value of 0 sets the time window to unlimited.
If the Automatic Lockout Time Window is set to unlimited (a value of 0), and the user hits the Automatic Lockout Failure Count number of failed logins over any time period (without a successful login), the account is locked.
After the Automatic Lockout Time Window period passes, the failed login attempt counter on the account is reset to 0.
Automatic Lockout Duration
Specifies the temproray lockout period of an account if a user has crossed the number of failed login attempts specified in the
Automatic Lockout Failure Countoption.
The duration for which an account is locked out.
The recommended value is 900 seconds (15 minutes)
A value of 0 locks the account permanently.
If not permanent, after the specified duration has elapsed, the account is unlocked and a login can be attempted again.
To unlock a failed account:
If the lockout was temporary, wait until the Automatic Lockout Duration is over.
User can use the Forgot Password option to regenerate a new password in the user interface.
You can send new token in a new verification email from the User Accounts page. User can click the verification link from that email.
You can use the Unlock Account option in the User Accounts page for the user and unlock the account.
If the lockout is permanent (Automatic Lockout Duration is set to 0), toggle the Account Locked option on the User Accounts page table, or from the User Access page. Click Update Account to save the changes.
Enable Login Rate Limiting
When enabled, it prevents repeated attempts to login the account with invalid credentials. The Login Rate Limiting option is similar to the Automatic Account Lockout option and can be used in along with Automatic Account Lockout. The Login Rate Limiting option is used to throttle too many login attempts that occur with in a specified time window.
When enabled, the following options are displayed:
Enable Login Rate Limiting
Login Rate Limiting prevents repeated attempts at logging in to an account with invalid credentials.
Default value: deactivated.
Rate Limiting Time Window
The time window during which the authentication attempt failure-count triggers rate limiting.
The default value is 3600 seconds (one hour).
A value is 0 is unlimited (really 720 days behind the scenes).
The time window starts from the most recent failed login attempt, meaning that it keeps getting updated after every failed login attempt, which is different than how it works in Automatic Lockout Time Window.
Rate Limiting Timeout
Specifies how long a user must wait before attempting another authentication attempt after a failed authentication.
The default value is 10 seconds.
Use Rate Limiting Timeout Scaling
The Rate Limiting Timeout Scaling uses the Rate Limiting Timeout to increase the wait time for each failed authentication attempt, up to 24 hours. The initial 3 attempts are not rate-limited.
The default value deactivates the service.
This option is provided, if a non-malicious user attempts to login and mistyped their password will not be throttled in any way. It allows the first 3 failed attempts to happen without any throttling at all and then the time out starts to grow for every group of 3 failed attempts after that. It uses the Rate Limiting Timeout value for how much the timeout grows by.
To save your changes, click Update Authentication Provider.
Results
You can view the details of the authentication provider using the Users & Groups > Authentication Providers page. Click the three ellipses icon, and click More Details.