Configuring the Security Settings (v 1.5.9)
Greetings,

I'm configuring a new 1.5.9 install. I tried to look for the answer in the LedgerSMB manual but the manual from the website is for v1.3x... So.

Under "Security Settings"

Password Duration: Is this days? minutes? seconds? What is the default?

Suggestion #1: Whatever the duration period is, place it next to the description along with the default value. Like so:

Password Duration, in Days (Default=2 days):

Session Lockout: Is this minutes? seconds? What is the default?

Suggestion #2: Whatever the duration period is, place it next to the description along with the default value. Like so:

Session Lockout, in Minutes (Default=10 minutes):

Suggestion #3 (for next release):

Enable the Sys Admin to disable the Password Duration altogether. So setting the Password Duration to "0" means that user passwords do not expire.

You could just replace the "hard" password expiration with just a 180-day nag like this:

Your password is over 180 days old. Please consider replacing the current password with a newer one.

And, include a link/button that says: "Disregard". Which will stop the nag for another 180 days.

Thanks!

Regards,
Michael

--
Michael Chinn
Miguel.Chinn@Gmail.com
David,

Thanks for the info!

Michael

On 08/30/2017 06:24 PM, David G wrote:
Hi Michael,
The below answers for (Password Duration) and (Session Lockout) are off the top of my head. I'll double check later today and update if needed.
On 31/08/17 05:30, Michael Chinn wrote:
Greetings,
I'm configuring a new 1.5.9 install. I tried to look for the answer in the LedgerSMB manual but the manual from the website is for v1.3x... So.

While that manual is for 1.3, it is "generally" correct. We are aware it needs to be updated but developer time has been focused on improving the stability of the software and fixing bugs. We could really do with some help getting the documentation updated. Ideally, updating the documentation is best done by a user, as we developers often overlook information the users want to see.

Under "Security Settings"
Password Duration: Is this days? minutes? seconds? What is the default?

Password Duration should be in days. And on initial user creation this is set very short (1 day from memory). However, once the user changes their password, the default is 365 days I believe.

Suggestion #1: Whatever the duration period is, place it next to the description along with the default value. Like so:

Password Duration, in Days (Default=2 days):

Agreed, the duration should be shown in the UI. Also, the currently set value should be displayed, even if it is the default. (At the moment we only display a modified value.)
Session Lockout (Session Timeout): Is this minutes? seconds? What is the default?

This value is in minutes, and I can't remember what the default is. An hour or two most likely.

Suggestion #2: Whatever the duration period is, place it next to the description along with the default value. Like so:

Session Lockout, in Minutes (Default=10 minutes):

Yep, once again, the units should be displayed, as should the "current" value, even if it's the default.
Suggestion #3 (for next release):
Enable the Sys Admin to disable the Password Duration altogether. So setting the Password Duration to "0" means that user passwords do not expire.

The normal way to handle that is to set an arbitrarily long Password Duration, e.g. 9999 (gives 27.4 years).
You could just replace the "hard" password expiration with just a 180-day nag like this:
Your password is over 180 days old. Please consider replacing the current password with a newer one.
And, include a link/button that says: "Disregard". Which will stop the nag for another 180 days.

While being able to simply nag may be OK for single user sites, it's extremely undesirable for multiuser and Web Facing sites. That said, Erik may have some ideas about making this more configurable.
I'll arrange to get units added, and the default values displayed for the next release. I've created issue #3109 <https://github.com/ledgersmb/LedgerSMB/issues/3109> to track that.
Thanks for the reports
Regards,
David G
Thanks!
Regards, Michael