Password Policy Overview
Password authentication allows users to sign in to a Laserfiche repository with a user name and password. You can configure password policies in Laserfiche to strengthen account security and meet your organization’s requirements.
Important: The password policy options detailed on this page only apply to legacy Repository Users. We recommend configuring users through Laserfiche Directory Server. See the password settings configured through Laserfiche Directory Server.
Set a user password
Security Needed: Manage Trustees privilege.
Administrators can change any user’s password to address the following situations:
- The user has forgotten their password.
- The user’s password has been compromised and must be changed immediately.
A user who has forgotten their password cannot sign in and cannot reset the password themselves, because changing a password requires entering the current one.
If a password has been compromised, an administrator can reset it immediately rather than waiting for the user to do so. After resetting the password, the administrator can notify the user of the new one and optionally require them to change it the next time they sign in to the repository. For more information, see Require a one-time password change.
Note: A user can also change their own password, unless the password policy has specifically been set up to prevent them from doing so.
- In Laserfiche Administration Console, expand the desired Laserfiche Server from the console tree.
- Select the desired Laserfiche repository.
- If security has been enabled on the selected repository, sign in.
- Expand Users and Groups.
- Select Users.
- Select the user you want to modify.
- From the Action menu, click Properties. The User Properties dialog box will appear.
- In the General tab, make sure that the Allow users to log in with password check box is selected.
- In the Password option, type the password that will be assigned to that user, or press the Generate Password button to generate a new, random password.
- In the Verify Password option, verify the password that will be assigned to that user by typing it again.
- Click OK to save your changes.
Prevent users from changing their password
Security Needed: Manage Trustees privilege. A user with the Manage Trustees privilege can set any user's password, including their own, even when the User cannot change password option is set for that account.
You can prevent users from changing their own passwords. For instance, if you assign randomly generated passwords to reduce the chance of a password being guessed, you may want to stop users from replacing them with weaker passwords of their own choosing.
- In Laserfiche Administration Console, expand the desired Laserfiche Server from the console tree.
- Select the desired Laserfiche repository.
- If security has been enabled on the selected repository, sign in.
- Expand Users and Groups.
- Select Users.
- Select the user you want to modify.
- From the Action menu, click Properties. The User Properties dialog box will appear.
- In the General tab:
- To prevent a user from changing his or her own password, select the User cannot change password check box. (Note that you cannot select this option in conjunction with the User must change password at next login option.)
- To allow a user to change his or her own password, clear the User cannot change password check box.
- Click OK to save your changes.
Prevent users from reusing previous passwords
Security Needed: Manage Repository Configuration privilege.
When required to change their password, users often cycle back to one they have used before. This defeats the purpose of the change: a password that may already have been exposed becomes valid again, and with it access to the repository. To prevent this, Laserfiche can track previously used passwords and reject them when a user tries to set one again. How long old passwords are remembered is administrator-defined.
Tip: To make sure a user never recycles an old password, set the time period to a very high number. For example, setting the time period to 18,250 days would prevent a user from using the same password within a 50 year period.
- In Laserfiche Administration Console, expand the desired Laserfiche Server from the console tree.
- Select the desired Laserfiche repository.
- If security has been enabled on the selected repository, sign in.
- Expand Repository Options.
- Select Password Policy.
- From the Action menu, click Properties. The Password Policy Properties dialog box will appear.
- In the General tab, select Enforce password history.
- In the Number of days before old passwords can be re-used option, set the minimum number of days that must pass before a user can use an old password.
- Save your changes.
Require a one-time password change
Security Needed: Manage Trustees privilege.
This option requires a user to change their password the next time they sign in.
- In Laserfiche Administration Console, expand the desired Laserfiche Server from the console tree.
- Select the desired Laserfiche repository.
- If security has been enabled on the selected repository, sign in.
- Expand Users and Groups.
- Select Users.
- Select the user you want to modify.
- From the Action menu, click Properties. The User Properties dialog box will appear.
- On the General tab, select the User must change password at next login check box. Once you have selected this option, you can optionally give the temporary password an expiration: select Temporary password changes after and enter the number of hours. After that time passes, the temporary password expires and an administrator must set a new one.
- Click OK to save your changes.
Require periodic password changes
Security Needed: Manage Repository Configuration privilege.
You can enforce a policy that requires users to change their passwords after a set period. The system can automatically notify users before their passwords expire, giving them time to choose a new one. If a user attempts to sign in with an expired password, they’ll receive a prompt to create a new one and won’t be able to access the repository until they do. Users cannot reuse their previous password.
Note: A user who has had the Ignore maximum password age option set on their user account will not be forced to change their password on this schedule.
See how to set Ignore maximum password age.
- In Laserfiche Administration Console, expand the desired Laserfiche Server from the console tree.
- Select the desired Laserfiche repository.
- If security has been enabled on the selected repository, sign in.
- Expand Repository Options.
- Select Password Policy.
- From the Action menu, click Properties. The Password Policy Properties dialog box will appear.
- In the General tab, select Require users to change passwords on a periodic basis.
- In the Number of days before password expires option, set the maximum number of days that can pass before a user is required to change his or her password.
- To warn users before their password expires, select the Warn account before expiration check box. In the Number of days before expiration that users should receive a password change warning option, specify when a user will receive the warning.
- Click OK to save your changes.
Require users to create more secure passwords
Security Needed: Manage Repository Configuration privilege.
By default, a user can specify any password at all. This means a password can be extremely weak (for example, blank) or very strong. A weak password puts at risk all content that user can access. To guard against this, you can require that new passwords meet a minimum level of complexity, either by choosing a predefined complexity level or by tailoring the individual settings to your organization's needs.
- In Laserfiche Administration Console, expand the desired Laserfiche Server from the console tree.
- Select the desired Laserfiche repository.
- If security has been enabled on the selected repository, sign in.
- Expand Repository Options.
- Select Password Policy.
- From the Action menu, click Properties. The Password Policy Properties dialog box will appear.
- In the Complexity tab, do one of the following:
  - To enforce no password complexity, set the Current level of security option to "None."
  - To set the password complexity to a predefined level, choose either "Moderate" or "High" from the Current level of security option. The predefined levels require the following:
    Moderate security level:
    - Must not include the user's account name
    - Must contain at least 10 characters
    - Must contain characters from at least three of the four character sets listed below
    High security level:
    - Must not include the user's account name
    - Must contain at least 16 characters
    - Must contain characters from all four character sets listed below
  - To customize password complexity settings, click Custom. Do the following:
    - From the Minimum number of character sets option, select the minimum number of character sets that must be used in a new password.
      Note: You can require a number of character sets, but not specify which ones.
    - To make sure that users only set passwords that meet or exceed a particular length, select the Set a minimum password length check box. In the Minimum password length option, select the minimum number of characters that a password must contain.
    - To prevent users from using their user name as part of the password, select Reject passwords containing the user name.
      Note: User names that contain fewer than three characters are not affected by this option.
- Click OK to save your changes.
A password uses a character set when it includes at least one character from that set. For example, the password "My1stPassword!" contains characters from all four sets. Using multiple character types strengthens passwords and makes them more difficult to guess. The four character sets are:
- English uppercase letters (i.e., A - Z)
- English lowercase letters (i.e., a - z)
- Numbers (i.e., 0 - 9)
- Non-alphanumeric characters (e.g., !, @, $, etc.)
Tip: Short passwords are easier to guess, but overly long ones can be difficult for users to remember. This may lead users to write down their passwords, increasing the risk of exposure. To strike a balance between security and usability, choose a password length that offers strong protection without being overly burdensome. Encourage users to use passphrases (combinations of multiple words) which are both more secure and easier to remember.
Set an account lockout threshold
Security Needed: Manage Repository Configuration privilege.
When faced with a password-protected account, an attacker may try thousands of candidate passwords in the hope of guessing the right one. To counter this, you can configure Laserfiche to count consecutive failed sign-in attempts and automatically disable the account when that count reaches an administrator-defined limit. An account that has been automatically disabled can be re-enabled by a Laserfiche administrator with the Manage Trustees privilege.
Important: This feature will not disable users that have the Manage Trustees privilege.
- In Laserfiche Administration Console, expand the desired Laserfiche Server from the console tree.
- Select the desired Laserfiche repository.
- If security has been enabled on the selected repository, sign in.
- Expand Repository Options.
- Select Settings.
- From the Action menu, click Properties. The Settings dialog box will appear.
- Select the Account Lockout tab.
- Select the Account will lock after a number of failed logon attempts check box. In the Number of tries allowed before account locks option, set the maximum number of failed attempts that can occur before the account will be automatically disabled.
- Optionally, you can also lock accounts if they have not been used for a specified period of time. Select Account will lock after being inactive. In the Length of inactivity in days before account locks option, specify the number of days that an account can go unused before it is locked.
- Click OK to save your changes.