Strong passwords are always recommended for NiagaraAX station users, and in AX-3.8 improvements were made in this area. See the following for more details:
Require Strong Passwords (AX-3.7)
Stronger passwords (applies to all releases)
Starting in AX-3.8, the definition of strong passwords for station users is configurable in each station. A new “Password Strength” container slot in the UserService holds configuration properties you can adjust as needed. This slot effectively replaces the former “Require Strong Passwords” slot.
Password strength values shown above reflect the “default” strong password rules, as enforced by the “New Station” wizard in Workbench (from menu bar, ->). These defaults are a minimum 10 character password, using at least 1 upper case, 1 lower case, and 1 digit (numeral), but no special characters. This wizard does not complete without a valid password for the “admin” user.
Once the wizard completes, you can adjust the station’s password strength properties as needed. If changed in a station, any future password change for any station user (including the “admin” user) requires the minimum values specified in those properties.
Password Strength properties are as follows:
Minimum Length
Minimum total required characters for a station password, where 10 is the default.
Minimum Lower Case
Minimum alphabetic lower case characters (a-z) in a station password, where 1 is the default.
Minimum Upper Case
Minimum alphabetic upper case characters (A-Z) in a station password, where 1 is the default.
Minimum Digits
Minimum numerals (0-9) in a station password, where 1 is the default.
Minimum Special
Minimum “non-alphanumeric” characters in a station password, where 0 (none) is the default. This includes punctuation and symbols (e.g. among others “!”, “@”, “#”, “$”, “%”, “&”, space).
Although “Password Strength” properties allow reducing password strength (e.g. entering 0s in values), it is strongly recommended to retain a level of password strength similar to the “default” level, if not greater. For example, you may wish to require at least one (1) “special” and at least two (2) upper case characters.
For related details, see Stronger passwords.
Starting in AX-3.8, improvements in station password entry dialogs were made that correspond to a station’s configured “Password Strength” criteria. Examples include error popups that can appear when using the “New Station” wizard in Workbench (when specifying the password for the built-in “admin” user), as shown in Figure 284.
Similar error dialogs can appear when changing a user’s password when online with the station, whether using Workbench or browser access. If you change a station’s Password Strength from defaults, note that the station’s current password strength criteria appear in these types of error popups.
The needed password criteria also apply to any user with a subsequent password reset or expired password.
For example, say you modify “Password Strength” properties from defaults to require a minimum of 12 characters, 2 upper case characters, and 1 special character. You then set a user’s password to reset at next login (Password Configuration, Force Reset At Next Login = true).
When that user accesses the system, after entering their current credentials they see the new password requirements, as shown in Figure 285.
Figure 285. Example password strength criteria seen when user must reset their password (AX-3.8)
[Figure 285 panels: Browser access example | Workbench access example]
In AX-3.7 (and earlier NiagaraAX releases), the UserService has a single Boolean property to either enable or disable requiring strong passwords for station users, as shown in Figure 286.
In AX-3.7, the default value for this property has always been true (and is strongly recommended). Note the NiagaraAX definition of “strong passwords” is fixed in AX-3.7 (and earlier releases), where a station user’s strong password must meet these barest minimum requirements:
Minimum of 8 characters
Characters can include letters (a-z, A-Z), digits (numerals 0-9), and symbols (e.g. among others “!”, “@”, “#”, “$”, “%”, “&”, space), but cannot be either:
all letters (e.g. abcdefgh or BadIdeas do not qualify), or
all digits (e.g. 12345678 does not qualify)
For example, the following passwords meet minimum requirements:
abcd1234 (contains letters and digits)
abcdefg$ (contains letters and symbol)
!2345678 (contains symbol and digits)
Cannot be identical to station name!
See the Stronger passwords section for guidelines on using strong passwords.
If, among UserService properties, the “Require Strong Passwords” property is true, any subsequently entered station password that does not meet the requirements above is not accepted; instead an error dialog appears, explaining a password violation.
Changing this to true does not immediately force users with weak passwords to change to strong passwords. Only when such a user changes their password will a strong password be necessary.
Note even “stronger” password guidelines are encouraged (especially in an AX-3.7 station enabled for strong passwords), where the following general password concepts should be followed:
Use a mix of UPPER and lower case (cAsE SensItiVe) letters.
Don’t use any part of the user account name in a password. For example, if the user account name is ScottF, then ScottF! or ScottF123 are not good ideas (even though the last is considered “strong” in AX-3.7).
Don’t use birthday year in a password, for example James1971.
Don’t use “password” in a password: password1 is one example of a very unsafe “strong” password in AX-3.7, and Password1234 is an example of an unsafe “default” strong password in AX-3.8.
Avoid use of dictionary words, as they are commonly used by “brute force” hacking applications.
Use characters that require typing with both hands, which helps protect against somebody watching you type your password on a keyboard.
Consider a string of words or nonsensical phrase that you can easily remember, yet would be difficult to guess. For example: Correct Horse Battery Staple #11
Remember, a good password is easy for a user to remember, yet difficult for an attacker to guess.
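The AX-3.8 “Password Strength” properties, the fixed AX-3.7 rule and a few of the guidelines above can be expressed as a small audit script, which shows how a password can satisfy the configured policy and still be a poor choice. This is an added example, not Tridium code: the function names are hypothetical, and the treatment of every character outside a-z, A-Z, 0-9 as “special” and the exact-match comparison with the station name are assumptions.

```python
import re
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordStrength:
    min_length: int = 10   # field defaults are the AX-3.8 defaults listed on this page
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_special: int = 0

# The stricter example from this page: 12 characters, 2 upper case, 1 special.
STRICT = PasswordStrength(min_length=12, min_upper=2, min_special=1)

def ax38_violations(password, policy=PasswordStrength()):
    """Return the names of the Password Strength properties the password fails."""
    lower = sum(c in string.ascii_lowercase for c in password)
    upper = sum(c in string.ascii_uppercase for c in password)
    digits = sum(c in string.digits for c in password)
    special = len(password) - lower - upper - digits  # assumption: all other characters
    checks = [
        ("Minimum Length", len(password), policy.min_length),
        ("Minimum Lower Case", lower, policy.min_lower),
        ("Minimum Upper Case", upper, policy.min_upper),
        ("Minimum Digits", digits, policy.min_digits),
        ("Minimum Special", special, policy.min_special),
    ]
    return [name for name, have, need in checks if have < need]

def ax37_is_strong(password, station_name):
    """Fixed AX-3.7 rule: 8+ characters, not all letters, not all digits, not the station name."""
    if len(password) < 8 or password == station_name:  # assumption: exact-match comparison
        return False
    all_letters = all(c in string.ascii_letters for c in password)
    all_digits = all(c in string.digits for c in password)
    return not (all_letters or all_digits)

def guideline_warnings(password, account_name):
    """Flag passwords that break the general guidelines even if a policy accepts them."""
    found = []
    if account_name and account_name.lower() in password.lower():
        found.append("contains account name")
    if "password" in password.lower():
        found.append("contains 'password'")
    if re.search(r"(19|20)\d\d", password):  # heuristic for a birth year
        found.append("contains a year")
    return found

if __name__ == "__main__":
    for pw in ("Password1234", "ScottF123", "Correct Horse Battery Staple #11"):
        print(pw, ax38_violations(pw, STRICT), guideline_warnings(pw, "ScottF"))
```

The account-name check only looks for the whole name, so it is weaker than the “any part of the user account name” guideline.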
Copyright © 2000-2016 Tridium Inc. All rights reserved.