At Leading2Lean, we want to ensure your experience in the system is both easy and secure. To ensure your system is set up to meet your site's and company's specific security and accessibility requirements, there are several password and login settings that the Leading2Lean support team can modify for your site and server at your business's request.
The authentication mechanisms are all based on standard libraries using industry-standard methods to store passwords salted and hashed, so no passwords are stored in cleartext. Logging in to the system is encrypted using SSL/TLS 1.2. All data is encrypted both in transit and at rest.
System properties affect all sites on a particular server.
- Disable Login after X Failed Attempts: this setting is entered as a number; it sets how many failed login attempts are allowed for a user account before login for that account is disabled.
- Disable Login for X minutes after Failed Attempts Limit: this setting is entered as a number; it specifies in minutes how long a user account will be disabled when the number of login attempts from that account reaches the value entered for “Disable Login after X Failed Attempts”
- Users can't use any of their last X recent passwords: this setting is entered as a number; it is used to prevent recycling of passwords tied to user accounts by disallowing the use of any of an account’s X most recent passwords
- Don't allow common passwords to be used: this setting is entered as a 0 or 1, where 1 signifies “enabled”; when enabled, this setting prevents accounts from setting their passwords to commonly-used password phrases such as 123456, password, 111111111, etc.
- Passwords must meet at least X of the supported complexity classes (uppercase, lowercase, numeric, non-alphanumeric): this setting is entered as a number between 1 and 4; it is used to specify how complex user account passwords are required to be by specifying how many of the four conditions (use of capital letter, use of lowercase letter, use of number, and use of special character) a password must meet
- Case Insensitive logins for usernames: this setting is entered as a 0 or 1, where 1 signifies “enabled”; when enabled, this setting does not distinguish between capital and lowercase letters when verifying correctness of a username
- Disable Password Reset Functionality: this setting is entered as a 0 or 1, where 1 signifies “disabled”; when password reset is left enabled (0), a “Reset My Password” link appears on the Leading2Lean login page for a customer site so that users can independently reset their passwords in the system via the username and email address tied to their user account; setting it to 1 removes that link.
- Enable SSOConfig Mode Functionality: this setting is entered as a 0 or 1, where 1 signifies “enabled”; when enabled, this setting allows access to the SSO functionality configuration screen from the Setup page for users set up as IT Manager Administrators or Administrator-Administrators.
- Enable SAMLConfig Mode Functionality: this setting is entered as a 0 or 1, where 1 signifies “enabled”; when enabled, this setting allows access to the SAML functionality configuration screen from the Setup page for users set up as IT Manager Administrators or Administrator-Administrators.
Site properties apply only to the specific site on the server for which they are established, so each site on the server can request that L2L Support customize the following properties to their site's needs:
- Minimum Password Length: this setting is entered as a number and defaults to a value of 4; it is used to specify the minimum number of characters required for any user account password for that site only.
- Require Password Change Every X Days: this setting is entered as a number and defaults to a value of 0, which disables the change requirement; it is used to indicate the frequency at which a user password must be changed based on the number of days from the date an account’s current password was created.
Changing Property Values
To modify any of these settings for your site or server, please submit a ticket to L2L support through the support site specifying which properties you would like modified, to which values, and for which sites, if appropriate. As soon as L2L enacts these changes for your site and/or server, the new requirements apply immediately. If user passwords are out of compliance with the newly updated properties, users who are logged into the system at the time of the update will be forced to update their password once they navigate to a point in the system where the equivalent of a digital signature is being captured (for example, clicking the "Dispatch Me" button). Users who were not logged in at the time of the change and whose passwords are out of compliance will be prompted to change them upon login.