Credential Management
Credential Registration
Introduction
KOBIL IAM provides various password policies that can be enabled through the Admin Console. By default, KOBIL IAM automatically applies the following policies to newly created realms if the prerequisites are met, add a Kobil_event to the master realm, for more detailed explanation refer to Events and ensure ENABLE_TENANT is set to TRUE in chart variable,
- Lowercase Characters: 1 (At least one lowercase character required)
- Digits: 1 (At least one numerical value required)
- Minimum Length: 8
- Uppercase Characters: 1 (At least one uppercase character required)
These policies ensure that users create passwords that meet certain security standards, making them more secure and suitable for production environments.
In general, more complex passwords are more secure. KOBIL IAM supports strong passwords with rules that require a mix of letters, numbers, uppercase, lowercase, and special characters. Your company's administrator sets these rules to make sure passwords are secure and to prevent security breaches.
How to configure
Step 1: Navigate to Authentication in the menu
Step 2: Select Policies tab
Step 3:Select Password Policy
Step 4: Click on Add Policy button
Password Policies
| Password Policies | Description |
|---|---|
| Expire Password | You can set the number of days a password remains valid. After this period, the user must change their password. |
| Hashing Iteration | Defines how many times the password is hashed before it is stored or verified. More iterations make it harder for attackers to crack passwords. By default, the system uses the 27,500 iterations |
| Not Recently Used | Ensures that users cannot reuse their previous passwords. This prevents users from alternating between a small set of passwords. |
| Password Blacklist | Prevents users from using passwords that are listed in a blacklist file. This helps avoid common and easily guessable passwords. |
| Minimum Length | Sets the shortest length allowed for passwords. This ensures that passwords are not too short, enhancing security. |
| Regular Expression | Requires passwords to match specific patterns defined by regular expressions. This allows for complex rules like requiring at least one symbol, number, and uppercase letter. |
| Not Username | Prevents the user from setting their password to be the same as their username. This avoids easily guessable passwords. |
| Not Email | Prevents the user from setting their password to be the same as their email address ensuring security. |
| Special Characters | Specifies how many special characters (like @, #, $, etc.) must be included in the password. Special characters make passwords harder to guess. |
| Uppercase Characters | Specifies how many uppercase letters (A-Z) must be included in the password. This helps in creating complex passwords. |
| Lowercase Characters | Specifies how many lowercase letters (a-z) must be included in the password. This ensures a mix of character types in the password. |
| Digits | Specifies how many numerical digits (0-9) must be included in the password. Including digits increases password complexity. |
| Hashing Algorithm | Indicates the standard hashing algorithm used to hash passwords before they are stored or validated. By default, the system uses the SHA-256 algorithm |
| Maximum Length | Sets the longest length allowed for passwords. This ensures passwords are not excessively long, which could complicate management. |
Credential Validation
BruteForce Detection
Brute force detection is a security feature that monitors and prevents unauthorized access by blocking multiple login attemptss. It enhances security by effectively handling repeated failed login attempts and reducing the risk of unauthorized access. It can be configured to temporarily lock accounts after a certain number of failed login attempts, reducing the risk of unauthorized access.
How to configure
Step 1: Navigate to Realm Settings in the menu
Step 2: Select Security defenses tab
Step 3:Select BruteForce detection
| parameters | Description |
|---|---|
| Max Login Failures | Set the maximum number of failed login attempts allowed before locking out the user. |
| Permanent Lockout | Enable Permanent Lockout to permanently lock the user out after reaching the maximum number of failed login attempts. |
| Wait Increment | Specify the Wait Increment to progressively increase the wait time after each failed login attempt. |
| Max Wait | Define the Max Wait as the maximum wait time applied after multiple failed login attempts. |
| Failure Reset Time | Set the Failure Reset Time to determine the period after which the count of failed login attempts resets to zero. |
| Quick Login Check Milliseconds | Configure the Quick Login Check Milliseconds to detect rapid, successive login attempts within a specified time window. |
| Minimum Quick Login Wait | Establish the Minimum Quick Login Wait as the shortest required wait time between rapid, successive login attempts detected by the Quick Login Check. |
1. Can my administrator see my credentials?
- The administrator cannot view your credentials because they are hashed.
2. Where and how are my username and password stored? Is my password secure?
- The system securely stores your username in the User Entity Table. Your password is hashed using the algorithm and iteration specified in the password policy. By default, the system uses the
SHA-256 algorithm with 27,500 iterations.
3. How can an Admin enable Forgot Password?
-
The admin must enable the Forgot Password feature to allow users to reset their login credentials if they forget their password.
-
Steps to enable forget password:
- Navigate to the Realm Settings in the menu.
- Click on the Login tab.
- Toggle the Forgot Password option to ON. This makes the
Forgot Password?link visible on the login page.Forgot Password?link allows users to enter their Username or Email and receive an email with a link to reset their credentials.- Note: This is the default behavior in KOBIL IAM and can be customized based on requirements. For example, you could send an email-based OTP or a phone-based OTP instead of a reset link.