6.2.5.1 Set Lockout Feature
To set the lockout feature:
- From the Tasks menu, in the Administration module, select Users.
The Administer Users page opens. - Click the Lockout Configuration link.
The Lockout Configuration page opens: - To activate the lockout feature, set the Lockout Enabled value to TRUE.
- For the # of Failed Attempts, enter a value between 1 and 25.
- Click Submit.
The system displays a confirmation message.
OpenClinica tracks the number of consecutive failed login attempts. After that number equals the value specified for the # of Failed Attempts, the user cannot log in to OpenClinica. For the user to regain access to OpenClinica, an administrator must unlock the user’s account in the Administer Users interface.
6.2.5.2 Unlock a Locked-Out User
If a user fails to log in successfully more than the allowed number of times as specified via the lockout feature, you must unlock the user account using the Administration module. To unlock a user account:
- From the Tasks menu, in the Administration module, select Users.
The Administer Users page opens. - Click the Unlock icon in the Actions column for the user whose account you want to unlock.
The user account is unlocked. The unlock icon no longer appears in the Administer Users table. - The user can log in to OpenClinica again using the new, temporary password sent to the user’s email account.
6.2.5.3 Additional Password Configuration Options
You can also specify these configuration options for managing user passwords in the datainfo.properties file:
- The default method for how a user receives their password, either via email or from the business administrator.
- If a user must change their password on the first log in.
- If a user’s password should expire, and if so, the length of time until it expires.
For details, see Configuring the OpenClinica Application.
6.2.5.4 Configure Password Requirements
Starting with OpenClinica 3.1.3, in the Administration module, the Configure Password Requirements page allows an administrator to configure the password policy for your OpenClinica system. A password policy that forces users to use strong passwords makes your system less vulnerable to bruteforce attacks that try to guess a user’s password.
To access the Configure Password Requirements page, from the Tasks menu, in the Administration module, select Users, then Configure Password Requirements.
In the Configure Password Requirements, you can define the values for the following options:
- Minimum length: minimum number of characters a password may contain. If this value is set to zero or any negative number, OpenClinica will not check the minimum length of the user’s password. However, disabling the minimum password length does not allow an user account to have no password – in this case valid password consists of at least one character.
- Maximum length: maximum number of characters a password may contain. If this value is set to zero or any negative number, OpenClinica will not check the maximum length of the user’s password.
- Passwords must contain: Specifiy types of characters that must be present in a password. The character types groups are Lower Case Characters, Upper Case Characters, Digits and Special Characters. The following characters are considered special characters: ! @ # $ % & * ( )
- User is required to change password (after first login): Should the user be forced to change his password upon first login to OpenClinica. When OpenClinica creates a user account, a password is generated and sent via email to the email address configured in the user’s account or shown to the administrative user who created the account. This setting is used to ensure the user won’t be able to use the system-generated password after the first login. A change in this configuration will be effective only after restarting the OpenClinica application server.
- Password expiration time (in days): Number of days after a password is set to be considered expired. Once a user authenticates to OpenClinica and their password is expired, the system will prompt the user to change their password. If this value is set to zero or any negative number, OpenClinica never consider a user’s password expired. A change in this configuration will be effective only after restarting the OpenClinica application server.