Locations:
- GEGI system
Users with the following permissions:
- All users and students
Case:
Using the same account password for a long time is not safe (according to NIST 3.5.8).
Problem:
Passwords in GEGI do not expire, and users do not have to change them regularly. This does not comply with cybersecurity requirements.
Solution:
Added a regular password change to GEGI as well as validation for the new password being different from the previous ones.
A few days prior to the password change date users receive an email notification.
Furthermore, the system suggests changing the password each time the users log in to GEGI.
Before the due date, the users may skip the password change and proceed with the old one.
The password change becomes a requirement after the due date.
Note: You can read more about the password requirements in the following article: GEGI user/student accounts security.
After changing the password, the user receives a confirmation email.
The automatic password change can be configured for users and students separately:
- Password Expiration Period, months - how frequently the passwords should be changed (every 6 months by default).
- Notify Before the Password Expires, days - the users get notified about the password change this number of days before the password expiration date (7 days by default).
- Number of Passwords Generations that Cannot be Reused - how many times the user must choose a unique new password before any of the previous passwords can be used again (5 unique passwords by default).
- Period for Which Passwords Cannot be Reused, months - how much time must pass before the same password can be used again (12 months by default).
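How the four settings above can interact, as an added sketch in Python (not GEGI's own code; all class, function and field names are hypothetical). It assumes the change prompt starts with the notification window, that a previous password stays blocked while either reuse limit still covers it, and that the reuse period is counted from the date the password was set.

```python
import calendar, hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Policy:                       # defaults are the ones listed above
    expiration_months: int = 6
    notify_days: int = 7
    blocked_generations: int = 5
    blocked_months: int = 12

def add_months(d: datetime, months: int) -> datetime:
    """Calendar-month shift; clamps the day (31 Aug + 6 months -> 28/29 Feb)."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return d.replace(year=y, month=m + 1, day=min(d.day, calendar.monthrange(y, m + 1)[1]))

def login_state(p: Policy, changed_at: datetime, now: datetime) -> str:
    due = add_months(changed_at, p.expiration_months)
    if now >= due:
        return "required"           # past the due date: change cannot be skipped
    if now >= due - timedelta(days=p.notify_days):
        return "suggested"          # assumption: prompt starts with the notice window
    return "ok"

def make_entry(password: str, set_at: datetime) -> tuple:
    salt = os.urandom(16)           # per-entry salt; history never stores plaintext
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return (salt, digest, set_at)

def is_reuse(p: Policy, history: list, candidate: str, now: datetime) -> bool:
    """history: entries from make_entry, oldest first, current password last."""
    cutoff = add_months(now, -p.blocked_months)
    recent = history[-p.blocked_generations:] if p.blocked_generations else []
    # Assumption: an old password is blocked if EITHER limit still covers it.
    blocked = [e for e in history if e in recent or e[2] > cutoff]
    for salt, digest, _ in blocked:
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
        if hmac.compare_digest(probe, digest):
            return True
    return False

if __name__ == "__main__":          # constructed sample data
    t0 = datetime(2024, 7, 1)
    hist = [make_entry("Old-Pass-1!", t0)]
    print(login_state(Policy(), t0, datetime(2024, 12, 28)),
          is_reuse(Policy(), hist, "Old-Pass-1!", datetime(2024, 12, 28)))
```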
Available since GEGI v4.14.0 (view release notes)