How do I properly configure the password and account lockout settings?
Depending upon your desired configuration, you may wish to change the default settings to match your organization's security policies.
Note: Access to these security features is exclusive to clients utilizing a Powered By Cyturus (PBC) instance, ensuring enhanced control and protection for organizations operating within highly regulated environments.
The application offers a range of configurable security controls designed to address evolving cybersecurity threats and help organizations comply with stringent regulatory requirements. Regular review and adjustment of these settings are essential for maintaining robust defense-in-depth and minimizing vulnerabilities associated with user authentication.
To customize password and account security parameters, navigate to:
Path: Administration > System Configuration > Application Settings > Password Settings
Within this section, administrators will find a comprehensive suite of settings that govern password complexity, account access policies, and session security—each aligned with industry best practices for information security. These features are purpose-built to empower organizations with proactive risk mitigation capabilities while supporting operational and regulatory objectives.
- Minimum Password Length: Specifies the shortest acceptable password for user accounts. Establishing an appropriate minimum length helps defend against brute force and dictionary attacks, strengthening overall system security. Modifying this setting applies to all future password changes, but does not immediately require current users with shorter passwords to update until their next password reset.
- Failed Login Attempts: Defines the maximum number of consecutive unsuccessful login attempts permitted before the system proactively locks the user’s account. This function is critical for mitigating the risk of unauthorized access through repeated guessing of credentials. Administrators can configure this threshold to match organizational risk tolerance and compliance policies.
- Failed Login Attempt Lockout Period (in minutes): Determines the length of time, in minutes, that an account remains inaccessible after exceeding the permitted number of failed login attempts. During this lockout period, users cannot attempt additional logins. Setting an appropriate duration reduces the potential impact of automated attack tools while minimizing disruption for legitimate users.
- Inactive Account Lockout (in days): Automatically disables user accounts after a defined period of inactivity, measured from the user's last login date. This function protects the system from dormant accounts that may otherwise present a security risk. Regularly reviewing and setting appropriate inactivity thresholds is essential for ongoing compliance and maintaining least-privilege access principles.
- Password Rotation (in days): Indicates the maximum number of days a password can be used before users are prompted to create a new one. Routine password changes reduce the chances of compromised credentials being exploited for extended periods, supporting both internal policy and industry best practices for credential hygiene.
- Password Rotation History: Determines how many previous passwords are stored and checked to prevent users from reusing them. This setting enforces greater password uniqueness, making it more difficult for malicious actors to leverage known authentication details. Organizations should select a history length that balances usability and security requirements.
- Password Guidance: This setting enables administrators to clearly communicate the organization’s password policy and expectations to users. By providing an overview of password requirements—such as minimum and maximum length, complexity rules (for example, inclusion of uppercase and lowercase letters, numbers, and symbols), restrictions on common or previously used passwords, and recommended best practices—users are better equipped to create strong, secure credentials that align with compliance standards. Effective password guidance improves user awareness, reduces the risk of predictable passwords, and supports the adoption of secure authentication behaviors across the organization. Administrators should regularly update this guidance to reflect current security threats and evolving regulatory or policy requirements.
Path: Administration > System Configuration > Application Settings > Portal Timeout Settings
- Disabled Accounts Reenabling Timeout (Hours): This setting controls the specific period, in hours, that a previously disabled user account remains active after being reenabled by an administrator. If the user does not successfully log in and utilize the account within this designated window, the system will automatically revert the account to a disabled state until further action is taken. This proactive measure helps prevent unnecessary exposure from dormant or forgotten accounts, reduces the risk of unauthorized access, and supports organizations in maintaining adherence to access governance protocols. Administrators can leverage this setting to ensure that account reactivation is intentional and user-driven, further reinforcing authentication controls and minimizing the potential for exploitable access points.