Advanced password management

Updated by Victor Jespersen

Advanced password management introduces a new way of securing user passwords in Quinyx.

This module requires separate infrastructure, so it must be activated with planning and rollout in mind.

The main concepts in this module are based on OWASP recommendations, and Quinyx has the ambition to be compliant with level 2 of the OWASP Application Security Verification Standard.

Password Entropy or how easy it is to crack the password

To help users create secure passwords, we have introduced Entropy validations in password creation and password reset dialogues. The user will get feedback on the entropy level of their password suggestion and also tips on how they can reach a higher level. The dialogues will not allow saving a password that does not comply with the set entropy level for the user type.

Settings

Entropy

Password entropy is a measurement of how unpredictable, and therefore unguessable, a password is.

In Account settings, you will have two values to set. One for staff passwords and one for Administrators.

Staff refers to employees with only employee access rights or early access rights.

72 bits is the lowest recommended level of entropy for Staff passwords. The user will be urged to add a variation of characters and digits, but length matters most: the longer the password, the harder it is to guess.

Password renewal

Advanced password management supports a renewal frequency, but in line with OWASP recommendations, this should be avoided or set to a frequency that does not encourage the bad habit of reusing patterns.

Password validation

When the password is set, it is also automatically checked against the Have I Been Pwned database. No personal data is shared with the service, not even the candidate password that is being validated.
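The entropy feedback and the Have I Been Pwned check described above, as an added example that is not Quinyx's own code: estimate_entropy_bits uses the common pool-size estimate (the page does not state Quinyx's formula), and is_pwned parses a constructed range-API response using the k-anonymity scheme, in which only the first five hex characters of the password's SHA-1 hash are sent to the service. The admin threshold value is a placeholder.

```python
import hashlib
import math
import string

# Thresholds in bits. Staff (72) is the page's recommended minimum; the admin
# value is a constructed placeholder, since the page leaves it to the tenant.
MIN_ENTROPY_BITS = {"staff": 72, "admin": 90}

# Character classes for the pool-size estimate (spaces are not counted).
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def estimate_entropy_bits(password: str) -> float:
    """length * log2(pool), pool = combined size of the classes used.
    Assumption: the page does not give Quinyx's formula; this is the
    common textbook estimate, so treat it as an approximation."""
    pool = sum(len(c) for c in CHARACTER_CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def meets_entropy(password: str, user_type: str) -> bool:
    """True when the estimate reaches the 'staff' or 'admin' threshold."""
    return estimate_entropy_bits(password) >= MIN_ENTROPY_BITS[user_type]


def hibp_range_query(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to the
    Pwned Passwords range API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def is_pwned(password: str, range_response: str) -> bool:
    """Match the local suffix against the 'SUFFIX:COUNT' lines returned
    for its prefix; the full hash and the password never leave the client."""
    _, suffix = hibp_range_query(password)
    for line in range_response.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix and count.isdigit() and int(count) > 0:
            return True
    return False


# Constructed sample of a range response for prefix 5BAA6: the second suffix
# is the real SHA-1 tail of "password"; the other two lines are made up.
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E5A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2D3:2
"""
```

A ten-character password drawn from all four classes lands just under the 72-bit staff threshold, while an eleventh character pushes it over, which is why the dialogue's feedback emphasises length.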

Configuration

Advanced password configuration will, when activated, replace the old Password management in Quinyx.

It is not possible to revert to the old setup once activated.

To set the functionality up, follow the steps below:

  1. Navigate to Account settings > Authentication settings > Settings > Enable advanced password.
  2. Select the checkbox next to Advanced password management.
  3. Enter the desired minimum entropy value for staff and admin passwords.
     Staff is any employee with only an employee role in the current tenant. An administrator is any user with access above the employee role in any part of the current tenant.
  4. Enter the renewal frequency if your security policy requires this. We and OWASP recommend leaving it out.

Setting a password

As a user

  1. Go to web.quinyx.com and enter your user ID (email).
  2. Select the forgot password link.
  3. Enter your email address for the user.
  4. Select the Send button.
  5. Click on the link within the email sent to you.
  6. Follow the instructions in the dialogue.
    1. The interface will provide feedback on the strength of the password. Use a combination of lower-case and upper-case letters as well as digits and special characters. Longer passwords are stronger. If the password is not strong enough, the Update button will be inactive and you can't save your password.
  7. Click Update password to save your new password.
  8. Log in with your new password.

As a manager

  1. Log in to Quinyx and navigate to the People tab.
  2. Look up the employee who needs a new password and select them.
  3. Select the Set one time password button.
  4. Type the new password and select the Confirm button.
  5. Give the one-time password to the employee. The employee will be prompted to change the password when logging in with the one-time password.
