There are a number of security features in Citizen Space and some are configurable to meet your organisation's requirements. This article details what some of those features are and the options available.
Configurable password policy
We can set:
- A minimum password length
- A requirement for the password to contain certain characters
- A list of specific words the password must avoid (such as 'password')
We can also configure the on-screen help text and the validation-error message so that they say what you would like. If you'd like a specific password policy applied, have a read of our more detailed article about it, then get in touch with your account manager to let them know the password policy you would like set up on your site.
Log in back-off
This security setting lets genuine users into Citizen Space while helping to prevent brute-force attacks on the log in page. You tell us how many consecutive log in attempts can be made on your site and, once those are used up, we set a back-off period that must pass before each further log in attempt.
If you would like this enabled, get in touch with your account manager to let them know:
- How many consecutive initial attempts should be allowed to be made at log in on your site
- What time blocks (in minutes) you want us to apply between each further log in attempt
An example of this might be:
After 7 initial attempts, we'd like a back-off of 5 minutes before the next log in attempt is allowed, then 10 minutes for the one after that, then 60 minutes, then 360 minutes, then 1440 minutes.
In this example, every further attempt after that final step will have a 1440-minute wait before it.
Things to know:
If you decide to have this enabled and one of your genuine users hits the back-off limit, they can use the 'forgotten password' link to reset their password, which will allow them in once they have used the password reset link correctly.
If back-off is enabled, it will also alert a user via email when a back-off limit has been hit using their email address. This email will tell them when they are next able to log in. If it wasn't them trying to get in, it serves as a prompt for them to take preventative action, such as resetting their password.
The back-off only applies when a genuine user's email address has been used, so, for security, no message appears on screen when a back-off has been hit; only the notification email mentioned above is sent.
Users who are getting their email address wrong won't experience a back-off limit. Citizen Space shows the message "Sorry, log in failed. Your email address and password are both case sensitive, please check that caps lock is off" for any attempt involving an incorrect email address or password.
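The back-off rules described above, modelled as an added Python example rather than Citizen Space's own code: the schedule, the generic on-screen message whatever the reason for failure, the email-only notification for a genuine address, and the password reset that clears the back-off. The credential store, the `LoginThrottle` class and the assumption that an attempt made inside the wait counts as a further failure are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed schedule matching the article's example: 7 free attempts, then
# waits of 5, 10, 60, 360 and 1440 minutes; every later attempt waits 1440.
FREE_ATTEMPTS = 7
BACKOFF_MINUTES = [5, 10, 60, 360, 1440]
GENERIC_FAILURE = "Sorry, log in failed. Your email address and password are both case sensitive, please check that caps lock is off"

def backoff_minutes(failed_attempts: int) -> int:
    """Minutes to wait before the next attempt after this many consecutive failures."""
    if failed_attempts < FREE_ATTEMPTS:
        return 0
    step = min(failed_attempts - FREE_ATTEMPTS, len(BACKOFF_MINUTES) - 1)
    return BACKOFF_MINUTES[step]

@dataclass
class AccountState:
    failed_attempts: int = 0
    last_failure: "datetime | None" = None
    emails_sent: list = field(default_factory=list)  # stands in for the notification email

    def next_allowed(self) -> "datetime | None":
        wait = backoff_minutes(self.failed_attempts)
        return self.last_failure + timedelta(minutes=wait) if wait else None

class LoginThrottle:
    def __init__(self, credentials: dict):
        self.credentials = credentials  # constructed {email: password} store, not a real one
        self.state = {email: AccountState() for email in credentials}

    def attempt(self, email: str, password: str, now: datetime) -> str:
        s = self.state.get(email)
        if s is None:  # unknown address: no back-off is tracked, same generic message
            return GENERIC_FAILURE
        until = s.next_allowed()
        if (until is None or now >= until) and password == self.credentials[email]:
            s.failed_attempts, s.last_failure = 0, None
            return "Logged in"
        # Wrong password, or any attempt inside the wait (assumed here to count as a failure)
        s.failed_attempts, s.last_failure = s.failed_attempts + 1, now
        until = s.next_allowed()
        if until is not None:  # back-off hit: only the account holder is told, by email
            s.emails_sent.append(f"Back-off hit for {email}; next log in allowed at {until:%Y-%m-%d %H:%M}")
        return GENERIC_FAILURE  # on screen, nothing reveals that a back-off is active

    def reset_password(self, email: str, new_password: str) -> None:
        """The 'forgotten password' flow clears the back-off for a genuine user."""
        self.credentials[email] = new_password
        self.state[email] = AccountState()
```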
Security email notifications
We've built some additional notifications into Citizen Space to let users know when security events occur on their account. These will notify admin account holders when:
- The log in back-off has been triggered for their account (NB: this notification will be enabled automatically if log in back-off has been turned on for your site)
- Their password or email address has been changed on their Citizen Space profile
Should other people in the organisation need oversight on these events across the site, too, we can add additional recipients so they will receive these emails as well as the account holder.
Get in touch with your account manager if you would like these notifications enabled and if you have any other colleagues who may need to receive them as well.
Password reset date on export
There is now an additional column on the Users export which has the date and time each user's password was last reset. This allows site administrators to have oversight on when passwords are being changed and how frequently. It allows greater control should you have a password rotation policy you wish to enforce.
If the password reset date field is blank, it means the user last reset their password before June 2018 (when this column first appeared on the 'Users' export), so dates will only be included in the field once users begin changing their passwords after that point.