Overview
To meet your organization's or your members' security requirements for complex passwords, lockout policies, two-factor authentication (2FA), multi-factor authentication (MFA), and session termination, you need to know whether Lyris ListManager (LM) supports password length, age, history, and strength rules, how it handles failed logins, and whether sessions terminate after a period of inactivity. This article lists which of these features are supported and which are not.
Prerequisites
- You are using ListManager version 11.3 or higher
Information
Password Security
Enforce Secure Passwords
You can enforce a secure password policy that requires all passwords to meet a minimum complexity. The secure password policy requires that every password is at least 8 characters long and includes at least one of each of the following:
- Uppercase letter (A-Z)
- Lowercase letter (a-z)
- Number (0-9)
- Special character (!@#$...)
Enabling the secure password policy does not change or re-check existing passwords; they remain valid as they are. The policy is enforced only when you create a new user or change a user's password, so accounts with weak passwords keep them until those passwords are changed.
To Enforce the Secure Password Policy
- Open your lmcfg.txt file and add the following line:
  $enforce_secure_passwords="true";
- The file is located at:
  - Windows: C:\Program Files\ListManager\lmcfg.txt
  - Linux: ~/ListManager/bin/lmcfg.txt
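Because the policy is only applied at user creation or password change, it is useful to be able to check a candidate password against the same rules out of band, for example in a provisioning script before it creates the account. The following validator is an added example written for this article; it is not ListManager's own code. It assumes that "special character" means any ASCII punctuation character and that the letter and digit classes are the ASCII ranges listed above, since the article elides the full set.

```python
import string

# Rule set from the secure password policy described above.
MIN_LENGTH = 8
# Assumption: "special character (!@#$...)" is taken to mean ASCII punctuation.
SPECIALS = set(string.punctuation)


def check_password(password: str) -> list[str]:
    """Return the list of policy requirements the password fails.

    An empty list means the password satisfies the policy. The checks
    are restricted to ASCII ranges (A-Z, a-z, 0-9) to match the article.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isascii() and c.isupper() for c in password):
        failures.append("an uppercase letter (A-Z)")
    if not any(c.isascii() and c.islower() for c in password):
        failures.append("a lowercase letter (a-z)")
    if not any(c.isascii() and c.isdigit() for c in password):
        failures.append("a number (0-9)")
    if not any(c in SPECIALS for c in password):
        failures.append("a special character")
    return failures


def is_secure(password: str) -> bool:
    """True when the password meets every requirement of the policy."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    for candidate in ["password", "Short1!", "Tr0ub4dor&3"]:
        missing = check_password(candidate)
        status = "OK" if not missing else "FAIL: needs " + ", ".join(missing)
        print(f"{candidate!r}: {status}")
```

Running a script like this against the passwords you intend to set lets you find out before ListManager rejects them; it does not audit passwords already stored on the server, which the policy leaves untouched.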
Password Policies Not Currently Supported
- Minimum password age
- Maximum password age
- Password history
- Maximum repeated characters in a password
- One-time password for account creation
- One-time password for password resets
- Two-Factor Authentication (2FA)
- Multi-Factor Authentication (MFA)
Login Security
To accommodate increasing requirements for login security, ListManager has switched to a form-based login that supports true login sessions. The previous HTTP Basic Authentication method provided no mechanism for logging out, because the browser resends the credentials with every request; the current version lets server administrators set time-out periods so that users who have been idle long enough must sign in again to re-authenticate. Users can also be forced to re-authenticate when their sessions expire.
The following settings can be found in Utilities > Administration > Server > Server Settings
- Session Logins Enabled: By default, this is set to yes, which is the preferred setting. Selecting no causes ListManager to use "basic" authentication, which was the authentication method used in versions prior to 10.0.
- Session Idle Timeout (minutes): The amount of time you can go without clicking something in ListManager before your session times out, requiring you to log in again.
- Session Max Lifetime (minutes): The maximum length of a session, in minutes, regardless of activity. This setting limits how long someone who "steals" your session cookie can keep using it, since the idle timeout alone can be kept from firing by sending periodic requests; choose a maximum that is long enough for normal work but short enough that a stolen cookie has limited value.
- Session Login URL: The URL to the web page/form that processes your login. The default should be sufficient; however, you can change it if you want to customize the look and feel of the login page.
- SSL Disabled Warning: If the server has SSL disabled, this is the message that is shown on the login screen as a warning to users that their login is not secure/protected. This is optional; by default, there is no message.
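The interaction between the idle timeout and the maximum lifetime is easiest to see in code. The following is an added example written for this article, not ListManager's own session handling; the timeout values (30 minutes idle, 480 minutes maximum) are assumed for illustration, as the article states no defaults. It simulates a client that keeps a session "warm" by sending requests at a fixed interval, which is exactly what someone holding a stolen cookie would do, and reports when the server first rejects it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    created_at: float  # epoch seconds at login
    last_seen: float   # epoch seconds of the most recent accepted request


class SessionPolicy:
    """Models the two server settings described above, both in minutes.

    idle_timeout_min: reject if no request was seen within this window.
    max_lifetime_min: reject once this much time has passed since login,
                      no matter how active the session has been.
    """

    def __init__(self, idle_timeout_min: int, max_lifetime_min: int):
        self.idle_seconds = idle_timeout_min * 60
        self.lifetime_seconds = max_lifetime_min * 60

    def touch(self, session: Session, now: float) -> bool:
        """Validate a request at time `now`.

        Returns True and refreshes last_seen if the session is still live,
        False if it has expired and the user must log in again.
        """
        if now - session.created_at > self.lifetime_seconds:
            return False  # absolute cap: activity cannot extend this
        if now - session.last_seen > self.idle_seconds:
            return False  # idle cap: no request within the idle window
        session.last_seen = now
        return True


def first_rejected_request(policy: SessionPolicy, interval_min: int,
                           horizon_min: int = 24 * 60) -> Optional[int]:
    """Simulate a client sending a request every `interval_min` minutes
    after logging in at minute 0. Return the minute of the first request
    the server rejects, or None if none is rejected within the horizon."""
    session = Session(user="admin", created_at=0.0, last_seen=0.0)
    minute = interval_min
    while minute <= horizon_min:
        if not policy.touch(session, minute * 60.0):
            return minute
        minute += interval_min
    return None


if __name__ == "__main__":
    # Assumed values for illustration: 30 min idle, 480 min max lifetime.
    policy = SessionPolicy(idle_timeout_min=30, max_lifetime_min=480)
    print("stolen cookie used every 5 min is rejected at minute",
          first_rejected_request(policy, 5))
    print("user who walks away for 45 min is rejected at minute",
          first_rejected_request(policy, 45))
    # With an effectively unbounded lifetime, the active thief is never cut off.
    unbounded = SessionPolicy(idle_timeout_min=30, max_lifetime_min=10**6)
    print("with no practical max lifetime, rejection within 24 h:",
          first_rejected_request(unbounded, 5))
```

With the idle timeout alone, a cookie thief who sends a request every few minutes keeps the session alive indefinitely; the maximum lifetime is what finally ends it, which is why it should be set to a value measured in hours rather than days.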
Login Policies Not Currently Supported
- Lock account after n failed logins
- Failed logins lock count
- Failed logins lock counter
- Failed logins account lock duration
- Stale account lock
Custom Security Solutions
If, for any reason, the security policies currently offered by Lyris LM do not meet your organization's requirements, please contact our Professional Services Team who can build a custom solution as a billable service.