Security Policies
This article details the different security policy options in the Security menu, including password policies, account lockout policies, session duration settings, and multi-factor authentication (MFA) policies.
Introduction to security policies
Users with the System administrator or Security administrator role in the Brinqa Platform can define password, account lockout, session, and multi-factor authentication policies for Brinqa users.
To manage security policies, click Administration in the upper-right corner and, under Security, select Security policies.
The security policies page shows the current settings for password policy, account lockout policy, session policy, and multi-factor authentication policy. You can modify these policies based on your company requirements.
Password policy
Password policy defines what counts as a strong password, how often user passwords expire, and how many previous passwords are checked for reuse. The following table details the password policy settings:
Table 1: Password policy settings
Policy | Description |
---|---|
Minimum password strength required | The minimum strength a new password must reach. Brinqa scores passwords by estimated entropy (see How Brinqa calculates password strength below). Options include: Weak, Fair, Good, Strong, or Very Strong. The default setting is Very Strong. |
Password expiry | How frequently user passwords expire and need to be reset. Options include: Never, One month, Two months, Six months, or One year. The default setting is Never. |
Prevent password reuse | Whether a user may reuse a previous password, and how many previous passwords the system checks. For example, Last 3 rejects any of the user's three most recent passwords and accepts anything older. Options include: Never, Last 3, Last 5, Last 10, or Last 20. The default setting is Last 10. |
How Brinqa calculates password strength
The Brinqa Platform scores password strength by estimating entropy, which quantifies unpredictability in bits; higher values indicate stronger passwords. The estimate depends on the password's length, the variety of character types it uses, and how random it is.
The Brinqa Platform takes the following factors into account when assessing password strength:
- Length: Longer passwords have more possible combinations, which increases strength.
- Complexity: A mix of uppercase and lowercase letters, numbers, and special characters enlarges the set of possible characters at each position, so each character contributes more bits.
- Common patterns: Strong passwords avoid dictionary words and common passwords (like "password123") and predictable sequences (such as "abcd1234"), because an attacker tries those before falling back to brute force.
Passwords are classified into five categories based on their entropy: Weak, Fair, Good, Strong, or Very Strong. The default minimum requirement for Brinqa users is "Good" to ensure a solid baseline of security.
To illustrate, the following table displays examples of passwords across the strength spectrum:
Table 2: Password strength examples
Strength | Entropy Range | Example | Explanation |
---|---|---|---|
Weak | 0 - 28.9 bits | password | A common word; among the first guesses in any dictionary attack. |
Fair | 29 - 35.9 bits | Pass1234! | Adds a capital letter, digits, and a symbol, but is still a dictionary word with a predictable suffix. |
Good | 36 - 60.9 bits | 4r8F!0$2v9Sd | A random password with mixed case, digits, and symbols. Adequate, but more characters would improve it. |
Strong | 61 - 126.9 bits | Z8f!L0$rF9vSd! | Longer and random, with mixed case, digits, and symbols. |
Very Strong | 127 bits and above | Tm9x!3Lq5$z8Vf7!Qr2XK4Yp7@9$Df3! | Long and random, with mixed case, digits, and symbols. Entropy this high puts the password far beyond practical brute-force guessing. |
The Very Strong band has no practical upper limit: internally it extends to Double.MAX_VALUE, the largest value a double can represent (approximately 1.7976931348623157e+308).
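The following is an added example, not Brinqa's implementation (the platform's estimator is not published on this page), of how an entropy-based strength check using the five bands of Table 2 can be built. It assumes a small constructed dictionary of common passwords and a simple attacker model (dictionary words first, then character sequences, then brute force over the character pool), so its bit counts differ from the platform's: it ranks the 12-character password from Table 2 as Strong rather than Good and Pass1234! as Weak rather than Fair, which shows how much the band a password lands in depends on the estimator behind it.

```python
import math
import re

# Constructed toy dictionary of common passwords and words (an assumption of this
# example); a real estimator would consult a large breached-password corpus.
COMMON_WORDS = ("password", "letmein", "welcome", "qwerty", "123456", "admin", "pass")
_WORDS_LONGEST_FIRST = sorted(COMMON_WORDS, key=len, reverse=True)

# Entropy bands from Table 2: lower bound inclusive, upper bound exclusive.
BANDS = (
    (0.0, 29.0, "Weak"),
    (29.0, 36.0, "Fair"),
    (36.0, 61.0, "Good"),
    (61.0, 127.0, "Strong"),
    (127.0, math.inf, "Very Strong"),
)
_ORDER = [label for _, _, label in BANDS]


def charset_size(text: str) -> int:
    """Size of the smallest standard character pool covering every character in text."""
    size = 0
    if re.search(r"[a-z]", text):
        size += 26
    if re.search(r"[A-Z]", text):
        size += 26
    if re.search(r"[0-9]", text):
        size += 10
    if re.search(r"[^A-Za-z0-9]", text):
        size += 33  # printable ASCII symbols
    return size


def tokenize(password: str) -> list:
    """Split a password into ('word', s), ('seq', s) and ('char', s) tokens.

    A 'word' is a dictionary hit (case-insensitive, longest match first); a 'seq'
    is a run of three or more consecutive code points such as 'abcd' or '4321'.
    """
    tokens, i, n, lower = [], 0, len(password), password.lower()
    while i < n:
        word = next((w for w in _WORDS_LONGEST_FIRST if lower.startswith(w, i)), None)
        if word:
            tokens.append(("word", password[i:i + len(word)]))
            i += len(word)
            continue
        j = i + 1
        if j < n:
            step = ord(password[j]) - ord(password[i])
            if step in (1, -1):
                while j + 1 < n and ord(password[j + 1]) - ord(password[j]) == step:
                    j += 1
                if j - i + 1 >= 3:
                    tokens.append(("seq", password[i:j + 1]))
                    i = j + 1
                    continue
        tokens.append(("char", password[i]))
        i += 1
    return tokens


def estimate_entropy_bits(password: str) -> float:
    """Estimate the attacker's guessing work in bits.

    Model (this example's own): a dictionary word costs log2(dictionary size),
    plus one bit if it was capitalised; a sequence costs the choice of its first
    character plus its length; every remaining character costs log2(size of the
    password's character pool), i.e. plain brute force.
    """
    if not password:
        return 0.0
    pool_bits = math.log2(charset_size(password))
    bits = 0.0
    for kind, text in tokenize(password):
        if kind == "word":
            bits += math.log2(len(COMMON_WORDS)) + (1.0 if text != text.lower() else 0.0)
        elif kind == "seq":
            bits += math.log2(charset_size(text)) + math.log2(len(text))
        else:
            bits += pool_bits
    return bits


def classify(bits: float) -> str:
    """Map an entropy estimate onto the Table 2 band names."""
    for low, high, label in BANDS:
        if low <= bits < high:
            return label
    return _ORDER[0]  # negative or NaN input: treat as Weak


def classify_password(password: str) -> str:
    return classify(estimate_entropy_bits(password))


def meets_minimum(password: str, minimum: str) -> bool:
    """True if the password's band is at least the policy's minimum (e.g. 'Good')."""
    return _ORDER.index(classify_password(password)) >= _ORDER.index(minimum)


if __name__ == "__main__":
    for pw in ("password", "Pass1234!", "abcd1234", "4r8F!0$2v9Sd",
               "Z8f!L0$rF9vSd!", "Tm9x!3Lq5$z8Vf7!Qr2XK4Yp7@9$Df3!"):
        print(f"{pw:36} {estimate_entropy_bits(pw):6.1f} bits  {classify_password(pw)}")
```

The point of the tokenizer is that raw length times log2(pool) overstates the strength of anything built from a word or a sequence: "password" scores under 3 bits here because the attacker only has to find it in a short list, while a 12-character random string scores the full 12 x log2(95) bits. Swapping the toy dictionary for a real breached-password list is the single change that most improves the estimate.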
Best practices for creating a strong password
Creating a strong password is crucial for securing your account. Here are some tips to help you create passwords that are both secure and manageable:
- Avoid common info: Steer clear of easily guessable details like names, birthdays, or pet names. Personal information and common words are the first guesses in a targeted attack, and attackers can collect that information from social media or public records.
- Complexity: Incorporate a mix of characters (uppercase, lowercase, numbers, and symbols). Complexity increases the number of possible combinations for a password of a given length.
- Length: Opt for at least 12 characters. Each additional character multiplies the number of possible passwords, so length does more than any other factor to make brute-force guessing impractical.
- Password managers: Use a password manager to generate and store complex passwords. Password managers create strong, unique passwords for each of your accounts and store them securely, so you do not have to remember each one. This both improves security and simplifies password management.
Modify a password policy
Users with the System administrator or Security administrator role can modify a password policy. To do so, follow these steps:
1. Navigate to Administration > Security > Security policies.
2. In the Password policy section, click the option associated with the policy you want to change.
3. Select a new value and click Update.
Account lockout policy
Account lockout policy determines how to handle multiple failed login attempts by a user of the system. The following table details the account lockout policy settings:
Table 3: Account lockout policy settings
Policy | Description |
---|---|
Maximum failed login attempts before locking | The number of times a user can enter an incorrect password before their account is temporarily locked out of the system. Options include: No limit, Three, Five, or Ten. The default setting is Five. |
Failure reset interval (seconds) | How many seconds before the failure count is reset. This option only appears if a maximum failed login attempt value has been set. The default setting is 600 seconds. |
Account lockout duration (seconds) | How many seconds before the account is unlocked. This option only appears if a maximum failed login attempt value has been set. The default setting is 600 seconds. |
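The following is an added example, not Brinqa's code, of the bookkeeping the three settings in Table 3 imply, with the edge cases a practitioner cares about made explicit. It assumes (as the page does not say) that the reset interval is measured from the most recent failure, that the failure count starts fresh once a lock expires, that a successful login clears the count, and that while an account is locked the password is not checked at all, so a locked account reveals nothing about whether a guess was correct. Times are plain seconds so the logic can be exercised without sleeping.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """The three settings of Table 3. max_failed_attempts=None stands for 'No limit'."""
    max_failed_attempts: Optional[int] = 5
    failure_reset_interval_s: int = 600
    lockout_duration_s: int = 600


@dataclass
class AccountState:
    failures: int = 0
    last_failure_at: float = 0.0
    locked_until: float = 0.0


class LockoutTracker:
    """Per-account failed-login accounting that enforces a LockoutPolicy.

    Assumptions of this example (not documented platform behaviour):
    - the reset interval counts from the most recent failure;
    - while an account is locked the password is not checked, so a locked
      account leaks nothing about whether the guess was right;
    - the failure count starts fresh once the lock expires;
    - a successful login clears the failure count.
    """

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def seconds_until_unlock(self, user: str, now: float) -> float:
        return max(0.0, self._state(user).locked_until - now)

    def attempt(self, user: str, verify_password: Callable[[], bool], now: float) -> str:
        """Process one login attempt and return 'ok', 'failed' or 'locked'."""
        st = self._state(user)
        if now < st.locked_until:
            return "locked"                      # verify_password is never called here
        if verify_password():
            st.failures = 0
            return "ok"
        if now - st.last_failure_at >= self.policy.failure_reset_interval_s:
            st.failures = 0                      # earlier failures have aged out
        st.failures += 1
        st.last_failure_at = now
        limit = self.policy.max_failed_attempts
        if limit is not None and st.failures >= limit:
            st.locked_until = now + self.policy.lockout_duration_s
            st.failures = 0                      # fresh count once the lock expires
            return "locked"
        return "failed"


def demo() -> dict:
    """Constructed timeline against the default policy (5 attempts, 600 s, 600 s)."""
    tracker = LockoutTracker(LockoutPolicy())
    wrong, right = (lambda: False), (lambda: True)
    out = {}
    out["burst"] = [tracker.attempt("alice", wrong, float(t)) for t in range(5)]  # 4 failed, then locked
    out["while_locked"] = tracker.attempt("alice", right, 5.0)    # correct password, still locked
    out["after_lock"] = tracker.attempt("alice", right, 604.0)    # lock has expired: ok
    for t in range(4):
        tracker.attempt("bob", wrong, float(t))                   # 4 failures, one short of the limit
    out["after_reset"] = tracker.attempt("bob", wrong, 700.0)     # count aged out: failed, not locked
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:13} {result}")
```

Two details matter for security here: the lock is checked before the password is verified, so an attacker cannot use a locked account as an oracle, and with the default values a patient attacker who spaces guesses more than the reset interval apart never trips the lock at all, which is why the lockout should be paired with monitoring of failed logins rather than relied on alone.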
Modify an account lockout policy
Users with the System administrator or Security administrator role can modify account lockout policies. To do so, follow these steps:
1. Navigate to Administration > Security > Security policies.
2. In the Account lockout policy section, click the option associated with the policy you want to change.
3. Select a new value and click Update.
The Failure reset interval and Account lockout duration settings only appear if Maximum failed login attempts before locking is not set to No limit.
Session policy
Session policy determines how to handle inactive user sessions. The following table details the session policy settings:
Table 4: Session policy settings
Policy | Description |
---|---|
Session timeout | Length of time after which the system logs out inactive users. Options include: 15 minutes, 30 minutes, 1 hour, 2 hours, 4 hours, 8 hours, 12 hours, 24 hours, or a custom length of time. Choose a shorter timeout if you want to enforce stricter security controls. The default setting is 15 minutes. |
Force logout on session timeout | Whether a session that reaches the timeout is invalidated and the user is returned to the login page. When enabled, the browser refreshes to the login page and the user must log in again to access the Brinqa Platform. The default setting is Disabled. |
Modify a session policy
Users with the System administrator or Security administrator role can modify session policies. To do so, follow these steps:
1. Navigate to Administration > Security > Security policies.
2. In the Session policy section, click the option associated with the policy you want to change.
3. Select a new value and click Update.
Multi-factor authentication policy
MFA policies determine whether users with certain roles must use MFA when logging in to the Brinqa Platform. The following table details the MFA policy settings:
Table 5: Multi-factor authentication policy settings
Policy | Description |
---|---|
Enforce users with roles | The roles required to use MFA to log in to the Brinqa Platform. The default roles required to use MFA include: Administrator, Data exporter, Remediation owner, Risk analyst, Risk owner, Security administrator, and User. |
Enforce multi-factor authentication
Users with the System administrator or Security administrator role can require MFA for specific roles, so that a password alone is not enough to log in to the Brinqa Platform. To enforce MFA, follow these steps:
1. Navigate to Administration > Security > Security policies.
2. In the Multi-factor authentication policy section, click None if you are setting up MFA for the first time, or click the currently selected roles if you are revising the policy.
3. Click the Roles drop-down, select the roles that must use MFA, and then click Update.
A confirmation message appears, indicating that the MFA settings have been applied.
Users assigned to these roles must set up MFA at their next login by scanning a QR code with their organization's designated authenticator app, such as Authy, Google Authenticator, or Okta. After the initial setup, users must log in to the Brinqa Platform with both their credentials and the code generated by their authenticator app.
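The following is an added example, not Brinqa's code, showing what the QR-code enrolment and the per-login code check above involve on the server side. It assumes the authenticator-app MFA described here is standard TOTP (RFC 6238) with HMAC-SHA1, 6 digits and a 30-second step, which is what the named apps default to; Brinqa's actual parameters are not stated on this page. The secret, issuer and account name are constructed for the example (the secret is the RFC 6238 test secret so the codes can be checked against the RFC's test vectors), and the verifier adds two checks a practitioner should expect: a one-step skew window and replay rejection of a code that has already been accepted.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret; 160 bits is the RFC 4226 recommendation for HMAC-SHA1."""
    return secrets.token_bytes(nbytes)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // period), digits)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     period: int = 30, digits: int = 6) -> str:
    """The otpauth:// URI that the enrolment QR code encodes (Key Uri Format)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer, "algorithm": "SHA1",
                                    "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps either side to absorb clock
    skew, compares in constant time, and remembers the highest step already
    accepted so a captured code cannot be replayed inside the window.
    """

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.period, self.digits, self.window = secret, period, digits, window
        self.last_used_step = -1

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        code = code.replace(" ", "")           # apps often display codes as "287 082"
        step = int(at // self.period)
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_used_step:
                continue                       # already consumed, or older: treat as replay
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_used_step = candidate
                return True
        return False


# RFC 6238 Appendix B test secret (constructed input, so results match the RFC's vectors).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleCorp"))
    print(totp(RFC_SECRET, at=59))                                   # RFC vector: 287082
    v = TotpVerifier(RFC_SECRET)
    print(v.verify("287082", at=59), v.verify("287082", at=59))      # True, then False (replay)
```

In production the secret is generated with new_secret() at enrolment, stored encrypted at rest, and only ever shown to the user once, inside the QR code; the URI above is exactly what that code contains, so anyone who photographs it holds the second factor. The last_used_step value must be persisted alongside the secret, otherwise the replay check resets with every process restart.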