- Security Settings
- Security Audit Log
- Min. length of 8 characters
- Passwords should contain at least one lowercase character like 'a'
- Passwords should contain at least one uppercase character like 'A'
- Passwords should contain at least one special character. Choose between ! $ ( ) _ [ ] * - @
- Passwords should contain at least one number like '0', '1', ... '9'
Realistic password strength
While a password may meet all the new password requirements above, we will still flag a password as insecure if it contains your name or other personal data like your e-mail address and company information. That is why we'll also calculate a realistic password strength. Account administrators can view the realistic password strength of the users of their account by going to the user overview page, and thus encourage their users to choose better passwords. You can read a great article about how realistic password strength is determined here.
Certain suspicious events (like a user entering a wrong password too many times) can cause a user to become locked in a certain account. When this happens the account administrators are informed about this so they can take the appropriate actions. Locked users (if any) will be listed in a separate table on the user overview page, from where users with an administrator role will be able to unlock them.
In Account Settings, you will find the menu for your account's security settings, with 3 security-related preferences. For each of these settings, we've defined 3 possible values, from looser to very strict. These options help the account Administrator choose the strategy that best suits your company's security requirements.
- Every month
- Every week
Don’t allow users to reuse an old password
When users in your account change their password, they cannot use a password that they've used before.
- For 1 year
- For 2 years
- For 3 years
Lock a user after x failed log in attempts
When users enter a wrong password a couple of times, we will block this user from accessing the data in your account (to prevent people from guessing your users' passwords). Once a user is locked, only account administrators can unlock the users in your account, from the user overview page as explained above.
- Lock the user after 3 failed log-in attempts
- Lock the user after 5 failed log-in attempts
- Lock the user after 10 failed log-in attempts
You can choose to require users of your account to set a very strong password when setting up a new password or changing their current one. This password policy prevents users from using a password that contains their name, email, account name, "CX Social" or other commonly used passwords.
NOTE: If a user is a member of multiple accounts, we'll take the strictest expiry time and the maximum of the old password reuse times.
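The composition rules listed at the top of this page and the personal-data check described here, as an added Python example (not CX Social's own code). The function names are hypothetical, the listed special characters are assumed to be the only ones that count, and the common-password list is left out.

```python
import re

# Special characters the page lists as accepted (assumed to be the full set).
SPECIALS = set("!$()_[]*-@")


def composition_failures(password):
    """Return the composition rules from the page that the password breaks."""
    failures = []
    if len(password) < 8:
        failures.append("min_length_8")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c in SPECIALS for c in password):
        failures.append("special")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    return failures


def personal_data_hits(password, name, email, account_name, product="CX Social"):
    """Return personal or company tokens (3+ characters) found in the password."""
    # Fold case and drop punctuation so "Jane_Doe" still matches "janedoe".
    folded = re.sub(r"[^a-z0-9]", "", password.lower())
    tokens = set()
    for value in (name, email.split("@")[0], account_name, product):
        words = re.findall(r"[a-z0-9]+", value.lower())
        tokens.update(words)          # each word on its own
        tokens.add("".join(words))    # and the words run together
    return sorted(t for t in tokens if len(t) >= 3 and t in folded)


def check_password(password, name, email, account_name):
    """Combine both checks; a password can pass the first and fail the second."""
    return {
        "composition_failures": composition_failures(password),
        "personal_data": personal_data_hits(password, name, email, account_name),
    }
```

A password such as `Jane_Doe2024!` for a user named Jane Doe passes every composition rule yet is still flagged, which is the case the realistic-strength check exists for.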
To learn more about Locations, Devices and Sessions you can read the dedicated Two Factor Authentication support article.
Allowed IP Addresses
Here you are able to enter a list of IP addresses that can have access to this account via the CX Social Web Application.
All security related events are logged in a Security Audit Log. This is a filterable list of the different security events. This log is similar to the account history page in functionality, but only contains security related events.
Some of the events you will see here include:
A user asked for a password reset.
A user changed his/her password. If a user changes his/her password we'll log this. Also, in the Security Audit log you will be able to see how strong his/her new password is. We'll also notify the user by e-mail that his/her password has changed.
A user logged in successfully.
A user failed to log in. If a user failed to log in due to wrong credentials, this event will be triggered. We'll also increment the failed login attempts for that user. When the threshold for failed login attempts is reached, that user will be locked. This threshold is configurable, see above.
A user is locked. A user can be locked because he tried to log in with a wrong password too many times, or because an Admin locked the user himself/herself; every Admin has the ability to do so. When this happens, it will show up in the Audit Log. Only the account administrator(s) can (un)lock users. When an Administrator is locked, he/she needs to contact the CX Social support staff to unlock his/her account.
A user is unlocked. If a user is unlocked we will log this. The user who unlocked the user will be saved and viewable in the Audit Log as well.
A user changed the security settings. Admins of the account are able to change the Security Settings for the entire account. They can decide on the timeframe for changing passwords, the reuse of old passwords and the number of times a user can try his password when logging in.
The security log also contains the IP-address and the type of device you're using (web/mobile).
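The lockout behaviour and the audit events described above, modelled as an added Python example (not CX Social's own code). The class, the event names and the tuple layout are hypothetical, and resetting the counter on a successful login and logging rejected logins of locked users are assumptions the page does not state.

```python
from dataclasses import dataclass, field

ALLOWED_THRESHOLDS = (3, 5, 10)  # the three options the settings page offers


@dataclass
class LockoutTracker:
    threshold: int
    failed: dict = field(default_factory=dict)  # user -> failed attempts
    locked: set = field(default_factory=set)
    audit: list = field(default_factory=list)   # (event, user, actor, ip)

    def __post_init__(self):
        if self.threshold not in ALLOWED_THRESHOLDS:
            raise ValueError("threshold must be 3, 5 or 10")

    def login(self, user, password_ok, ip):
        if user in self.locked:
            # A locked user stays out even with the correct password.
            # (Event name is an assumption; the page does not list it.)
            self.audit.append(("login_rejected_locked", user, user, ip))
            return False
        if password_ok:
            self.failed[user] = 0  # assumption: success resets the counter
            self.audit.append(("login_success", user, user, ip))
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        self.audit.append(("login_failed", user, user, ip))
        if self.failed[user] >= self.threshold:
            self.locked.add(user)
            self.audit.append(("user_locked", user, "system", ip))
        return False

    def unlock(self, user, actor, actor_is_admin):
        # Only an administrator who is not locked themselves may unlock;
        # a locked administrator has to go through support instead.
        if not actor_is_admin or actor in self.locked or user not in self.locked:
            return False
        self.locked.discard(user)
        self.failed[user] = 0
        # The audit entry records who performed the unlock.
        self.audit.append(("user_unlocked", user, actor, None))
        return True
```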
IMPORTANT: We will never save your password in plain text and we will never ask you to provide your password in person/over e-mail. The passwords you use will be hashed with a slow hashing algorithm.