Starting in AX-3.7, station user security was enhanced by a password expiration mechanism, to require users to periodically change their login password. Usage is optional, but recommended. Independently, you can also selectively configure any user to reset (change) their password upon next login.
Note in AX-3.8, a user with a password about to expire (or a password set to reset) must enter a new password that meets the UserService’s minimum “Password Strength” criteria. The login dialog for the user clearly specifies these criteria. For related details, see Password Strength (AX-3.8) and Password entry dialog improvements.
In AX-3.7, if the UserService’s “Require Strong Passwords” property is true (the default), the user must enter a strong password. For related details, see Require Strong Passwords (AX-3.7).
Finally, in some cases a password change upon login attempt may not succeed. This can happen to any “network user” that is not logging into the “source station”—typically the Supervisor. Starting in AX-3.7u1, such an unsuccessful password reset results in a message that tells the user that they must log into the station that does centrally manage their user account, and reset their password there. For related details, see Network users.
For more details, see the following sections which apply to AX-3.7 and later stations:
Password history (unique passwords) — applies to both password expiration and password reset
At some specified interval, a user in an AX-3.7 or later station can be periodically prompted to change their password at login, to avoid expiration of their user account. This applies whether the user is opening a station connection from Workbench or accessing the station from a browser.
Details are in the following sections:
Configuring password expiration involves two separate areas:
“Global” properties of a “Password Configuration” slot directly under the station’s UserService.
These global password configuration properties are as follows:
Expiration Interval
Specifies the repeating interval for password expiration. At the time of this document update, the default is 1 year (365 days). Often, this is configured for a shorter interval, for example 90 days. This interval applies to any users configured for periodic password expiration.
Warning Period
Specifies the time before a user’s password expires that is a “warning period”, with a default of 30 days. During this period, any station login by the user produces a popup warning about the upcoming expiration, and offers the user a choice to reset (change) their password.
Any user that allows their password to expire will be unable to log in to the station! Users need to be cautioned about this, as this differs from some other systems. See the related Caution.
Password History Length
At the time of this document update, the default is 0 (no effective password history); the maximum value is 10. Any positive non-zero value (1, 2, 3, etc.) means a user with an expiring password cannot simply re-enter the identical last (1) password, or one of the last (2) passwords, and so on. Instead, the user is prompted to enter a password unique from any of these passwords. This setting also applies to a “password reset” given to any user—e.g. a user with Password Configuration of “Never Expires”.
For improved security, change this from the default (0) to at least 1 or 2.
See Password history (unique passwords) for more details on this feature.
Each User has a Password Expiration property, editable in the User Manager (Figure 275).
Each User has another “Expiration” property, which has a completely different application. Always leave it at “Never Expires”, except in the case of a temporary user account.
Default is “Never Expires” (no periodic password expiration for this user). Change to “Expires On” and enter a date in the future to configure a user for automatic password expiration.
If creating a user with an expiring password, typically you set the “Force Password Reset” property, also shown in Figure 275 above, to true. Then, when that user first logs in, they are prompted to change their password, where after successful entry their password expiration date is reset to the full (global) expiration interval.
These two properties are actually in a separate “Password Configuration” container under each user, visible in a User’s property sheet (Figure 275).
The user account used for station-to-station NiagaraNetwork connections (service user) should have a password configuration of “never expires”, and should never be forced to password reset (although you should not use this account for user login anyway). However, it is strongly encouraged to have a local policy to periodically change the password for these (service) user accounts.
Any (person) user that allows their password to expire will be unable to log in to the station! A system administrator must change that user’s “Password Configuration, Expiration” date to allow them to regain access. Users need to be cautioned about this, as this differs from account expiration in some other systems.
A user with an expiring password (in the “warning period”) sees a related message when opening a station from a browser (Figure 276) or from Workbench (Figure 277).
Again, any user that allows their password to expire will be unable to log in to the station! Users need to be cautioned about this, as this differs from some other systems. A system administrator must change a user’s “Password Configuration, Expiration” date to re-allow access—see Figure 275.
Upon a user’s password change, the globally-defined expiration interval (say 90 days) for that user is reset, as well as the globally-defined warning period (say 30 days before expiration), and this cycle repeats.
Coupled with expiring passwords, you typically also configure the station to prevent reuse of the previous password(s). See Password history (unique passwords).
Independent from the automatic “password expiration” mechanism, you can force a “password reset” on any user, including one configured to “never expire”. At the user’s next login to the station, they are prompted to change their password.
As shown in Figure 278 above, this appears in the New/Edit dialog for each user in the User Manager. Note this is the same property “Force Reset At Next Login” as seen in the Password Configuration container under each User component (see Figure 275).
In the original AX-3.7 release, by default when using the User Manager to create a new user, “Force Password Reset” was set to true. (This default changed starting in AX-3.7u1 and AX-3.8 to false.) In either case, if you wish to change this behavior, change this property in the “Default Prototype” under the UserService. For more details, see Default Prototype.
You can initiate this reset for any user(s) from the User Manager, by selecting the user(s) and clicking the button to access the Edit dialog. This dialog includes the “Force Password Reset” entry, which by default is true. Or, do this from the property sheet of a User by expanding their “Password Configuration” container to access this same property (see Figure 275).
Again, coupled with password reset you typically also configure the station to prevent reuse of the previous password(s). See Password history (unique passwords).
Figure 279 shows an example of how a password reset appears when accessing the station from a browser.
As shown above (left side), if an AX-3.8 station, the effective “password strength” rules are given. If an AX-3.7 station enabled for strong passwords, the standard “fixed” strong password rules are shown.
Figure 280 shows how a password reset appears when opening the station in Workbench.
For related details, see Strong password notes.
After the user’s subsequent password change, their “Force Reset At Next Login” property (Force Password Reset) returns to false. If the user is also configured for periodic password expiration, their expiration deadline is reset to the full period.
In certain scenarios where a leaked password is suspected, or the system security has been compromised, you may wish to reset the passwords of multiple users. You can do this from the User Manager view, using a “gang edit” of multiple selected users, changing the “Force Reset Password” entry to true.
When users’ station passwords are changed in an AX-3.7 or later station, you can require the new password to be unique from the previous one, two, or three (and so on) entered passwords for each account. This is specified in a globally-defined “Password History Length” property, under the UserService’s “Password Configuration” container slot (see Figure 273).
The default value of this property is “0”, which permits the reuse of the current password. However, it is recommended you set this to at least 1 or 2, especially if users are configured for periodic password expiration, or if you use the password reset feature on any user. The maximum value is 10.
Figure 281 shows an example popup Error dialog from an attempt to save a password that was changed to a previously used value, as edited on a User property sheet.
After clicking OK to close the popup, the password remains at the same value as before the edit. The password change can be retried with another value, which must be unique from the previous one (at a minimum). Note that the station tracks n number of password values for each user, where n equals the “Password History Length” value. Any password change attempt is compared against tracked password value(s), with the save rejected if found to be a match.
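The expiration cycle and the password-history check described above, modelled as an added Python example (not Niagara code and not part of the original guide). The names `login_state` and `change_password` are hypothetical; keeping history as salted PBKDF2 digests and treating the “Expires On” date itself as already expired are assumptions.

```python
from __future__ import annotations
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import date, timedelta

# Global "Password Configuration" values; the page's defaults are 365 / 30 / 0.
EXPIRATION_INTERVAL = timedelta(days=90)
WARNING_PERIOD = timedelta(days=30)
HISTORY_LENGTH = 2   # page recommends at least 1 or 2; maximum is 10

def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: tracked values are salted PBKDF2 digests, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    expires_on: date | None = None   # None models "Never Expires"
    force_reset: bool = False
    current: tuple | None = None     # (salt, digest) of the active password
    history: list = field(default_factory=list)  # older pairs, newest first

def login_state(user: User, today: date) -> str:
    if user.expires_on is not None and today >= user.expires_on:
        return "locked-out"          # an administrator must move the date
    if user.force_reset:
        return "must-change"
    if user.expires_on is not None and today >= user.expires_on - WARNING_PERIOD:
        return "warn"
    return "ok"

def change_password(user, new, today, history_length=HISTORY_LENGTH) -> bool:
    # Track the current password plus older ones, limited to history_length.
    tracked = ([user.current] if user.current else []) + user.history
    for salt, digest in tracked[:history_length]:
        if hmac.compare_digest(_digest(new, salt), digest):
            return False             # save rejected; the old password stays
    if user.current:
        user.history.insert(0, user.current)
        del user.history[9:]         # current + 9 older = maximum of 10
    salt = os.urandom(16)
    user.current = (salt, _digest(new, salt))
    user.force_reset = False         # "Force Reset At Next Login" clears
    if user.expires_on is not None:
        user.expires_on = today + EXPIRATION_INTERVAL   # full interval again
    return True
```

With `history_length=0` the tracked list is empty, so the current password can be re-entered and an expiring-password policy is trivially satisfied without any real change.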
Copyright © 2000-2016 Tridium Inc. All rights reserved.