The foundation for your business
Fork me on GitHub
Re: [ledgersmb-users] Configuring the Security Settings (v 1.5.9)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ledgersmb-users] Configuring the Security Settings (v 1.5.9)

Hi Michael,

The below answers for (Password Duration) and (Session Lockout) are off the top of my head.
I'll double check later today and update if needed.

On 31/08/17 05:30, Michael Chinn wrote:

I'm configuring a new 1.5.9 install.  I tried to look for the answer in
the LedgerSMB manual but the manual from the website is for v1.3x... So.
While that manual is for 1.3, it is "generally" correct.
We are aware it needs to be updated but developer time has been focused on improving the stability of the software and fixing bugs.
We could really do with some help getting the documentation updated.
Ideally updating the documentation is best done by a user as us developers often overlook information the users want to see.
Under "Security Settings"

Password Duration: Is this days? minutes? seconds?  What is the default?
Password Duration should be in days.
And on initial user creation this is set very short ( 1 day from memory), However, once the user changes their password, the default is 365 days I believe.
Suggestion #1:
 Whatever the duration period is, place it next to the description along
with the default value. Like so:
 Password Duration, in Days (Default=2 days):
Agreed, the duration should be shown in the UI.
Also, the currently set value should be displayed, even if it is the default. (at the moment we only display a modified value)

 Session Lockout (Session Timeout): Is this minutes? seconds?  What is the default?.
This value is in minutes, and I can't remember what the default is. An hour or two most likely
Suggestion #2:
Whatever the duration period is, place it next to the description along
with the default value. Like so:
Session Lockout, in Minutes (Default=10 minutes):
Yep, once again, the units should be displayed, as should the "current" value, even if it's the default.

Suggestion #3 (for next release):

Enable the Sys Admin to disable the Password Duration altogether.  So
setting the Password Duration to "0" means that user passwords do not
The normal way to handle that is set an arbitrarily long Password Duration.
eg: 9999 (gives 27.4 years)

You could just replace the a "hard" password expiration with just a
180-day nag like this:

Your password is over 180 days old.  Please consider replacing the
current password with a newer one.

And, include a link/button that says:  "Disregard".  Which will stop the
nag for another 180 days.
While being able to simply nag may be OK for single user sites, it's extremely undesirable for multiuser and Web Facing sites.
That said, Erik may have some ideas about making this more configurable.

I'll arrange to get units added, and the default values displayed for the next release.
I've created issue #3109 to track that

Thanks for the reports

David G



users mailing list