Skip to main content

Security Policies

This article details the different security policy options in the Security menu, including password policies, account lockout policies, session duration settings, and multi-factor authentication (MFA) policies.

Introduction to security policies

Users with the System administrator or Security administrator role in the Brinqa Platform can define password, account lockout, session, and multi-factor authentication policies for Brinqa users.

To manage security policies, click Administration admin-button on the upper-right corner and under Security, select Security policies.

The security policies page shows the current settings for password policy, account lockout policy, session policy, and multi-factor authentication policy. You can modify these policies based on your company requirements.

Password policy

Password policy determines how to define a strong password, how frequent user passwords expire, and how many previous passwords to check for reuse. The following table details the password policy settings:

Table 1: Password policy settings

PolicyDescription
Minimum password strength requiredHow strong a password must be when users create passwords. Brinqa utilizes entropy to calculate password strength. Options include: Weak, Fair, Good, Strong, or Very strong. The default setting is Good.
Password expiryHow frequently user passwords expire and need to be reset. Options include: Never, One month, Two months, Six months, or One year. The default setting is Never.
Prevent password reuseSpecifies whether passwords can be reused and how many previous passwords the system checks for reuse. For example, selecting Last 3 would allow users to reuse a password other than the last three that they used. Options include: Never, Last 3, Last 5, Last 10, or Last 20. The default setting is Never.

How Brinqa calculates password strength

The Brinqa Platform determines password strength by measuring entropy, which quantifies unpredictability and complexity in bits with higher bit values indicating stronger passwords. This calculation is influenced by several factors, including the password's length, the diversity of character types used, and its overall randomness.

The Brinqa Platform takes the following factors into account when assessing the password strength of user accounts:

  • Length: Longer passwords have more possible combinations, enhancing strength.

  • Complexity: A mix of uppercase and lowercase letters, numbers, and special characters makes passwords harder to guess.

  • Common patterns: Strong passwords avoid common patterns (like "password123") or predictable sequences (such as "abcd1234").

Passwords are classified into five categories based on their entropy: Weak, Fair, Good, Strong, or Very Strong. The default minimum requirement for Brinqa users is "Good" to ensure a solid baseline of security.

To illustrate, the following table displays examples of passwords across the strength spectrum:

Table 2: Password strength examples

StrengthEntropy RangeExampleExplanation
Weak0 - 28.9 bitspasswordA common word and easily guessable password.
Fair29 - 35.9 bitspassword1!Adds a numeric value and a special character, but still common with no complexity.
Good36 - 60.9 bitsPassw0rd!23Mixes case and includes numbers and a special character. Could be enhanced by using a less common phrase.
Strong61 - 126.9 bitsY6f!2v9SdRandom, mixes case, and includes numbers and special characters. High complexity and very secure.
Very Strong127 bits - Double.MAX_VALUE4r8F!0$2v9Sd!Longer, highly random, mixes case, numbers, and special characters. Extremely secure and reflects the highest security level, nearly impervious to brute force attacks.
info

Double.MAX_VALUE refers to the maximum value that a double can represent, approximately 1.7976931348623157e+308. This indicates a significantly high upper limit for entropy bits, underscoring an extremely high level of security for passwords classified as "Very Strong."

Best practices for creating a strong password

Creating a strong password is crucial for securing your account. Here are some tips to help you create passwords that are both secure and manageable:

  • Length: Opt for at least 12 characters. Longer passwords are inherently more secure because they offer a greater number of possible character combinations, making them more difficult for attackers to guess or crack through brute force methods.

  • Complexity: Incorporate a mix of characters (uppercase, lowercase, numbers, and symbols). Complexity adds another layer of security by increasing the number of possible combinations for a password of a given length.

  • Avoid common info: Steer clear of easily guessable details like names or birthdays. Personal information and common words are often the first guesses in targeted attacks (also known as "social engineering attacks"). Attackers may use information found on social media or public records to guess your passwords.

  • Password managers: Utilize a password manager to generate and store complex passwords. Password managers can create strong, unique passwords for each of your accounts and securely store them, so you don't have to remember each one. This not only enhances security but also simplifies password management.

Modify a password policy

Users with the System administrator or Security administrator role can modify a password policy. To do so, follow these steps:

  1. Navigate to Administration admin-button > Security > Security policies.

  2. In the Password policy section, click the option associated with the policy.

  3. Select a new value and click Update.

Account lockout policy

Account lockout policy determines how to handle multiple failed login attempts by a user of the system. The following table details the account lockout policy settings:

Table 3: Account lockout policy settings

PolicyDescription
Maximum failed login attempts before lockingThe number of times a user can enter an incorrect password before their account is temporarily locked out of the system. Options include: No limit, Three, Five, or Ten. The default setting is No limit.
Failure reset interval (seconds)How many seconds before the failure count is reset. This option only appears if a maximum failed login attempt value has been set. The default setting is 600 seconds.
Account lockout duration (seconds)How many seconds before the account is unlocked. This option only appears if a maximum failed login attempt value has been set. The default setting is 600 seconds.

Modify an account lockout policy

Users with the System administrator or Security administrator role can modify account lockout policies. To do so, follow these steps:

  1. Navigate to Administration admin-button > Security > Security policies.

  2. In the Account lockout policy section, click the option associated with the policy.

  3. Select a new value and click Update.

note

The Failure reset interval and Account lockout duration settings only appear if the maximum failed login attempts before locking is not set to No limit.

Session policy

Session policy determines how to handle inactive user sessions. The following table details the session policy settings:

Table 4: Session policy settings

PolicyDescription
Session timeoutLength of time after which the system logs out inactive users. Options include: 15 minutes, 30 minutes, 1 hour, 2 hours, 4 hours, 8 hours, 12 hours, 24 hours, or a custom length of time. Choose a shorter timeout if you want to enforce stricter security controls. The default setting is 15 minutes.
Force logout on session timeoutWhether to enforce that current sessions become invalid when the user is inactive for some time. The browser refreshes and returns to the login page. The user must log in again to access the Brinqa Platform. The default setting is Disabled.

Modify a session policy

Users with the System administrator or Security administrator role can modify session policies. To do so, follow these steps:

  1. Navigate to Administration admin-button > Security > Security policies.

  2. In the Session policy section, click the option associated with the policy.

  3. Select a new value and click Update.

Multi-factor authentication policy

MFA policies determine if users with certain roles must use MFA when logging in to the Brinqa Platform. The following table details the MFA policy settings:

Table 5: Multi-factor authentication policy settings

PolicyDescription
Enforce users with rolesThe roles required to use MFA to log in to the Brinqa Platform. Options include: Administrator, Configurator, Risk analyst, Security administrator, System administrator, or Users. The default setting is None.

Enforce multi-factor authentication

Enhance security in the Brinqa Platform by mandating MFA for specific roles. Users with the System administrator or Security administrator role can enforce MFA, adding an additional layer of protection. To enforce MFA, follow these steps:

  1. Navigate to Administration admin-button > Security > Security policies.

  2. In the Multi-factor Authentication Policy section, click None if setting up MFA for the first time, or select the current roles if revising the policy.

  3. Click the Roles drop-down, select the roles to enforce MFA, and then click Update.

A confirmation message appears, indicating the successful application of the MFA settings.

Users assigned to these roles must set up MFA at their next login. This involves scanning a QR code using their organization's designated authenticator app, such as Okta, Authy, or Google Authenticator. After the initial MFA setup, users must log in to the Brinqa Platform using both their credentials and the authenticator code generated by their authenticator app.