Password Rules
As with Usernames, AESDirect Password Rules are strictly enforced, in this case to maximize security. Common words and phrases are not acceptable.
Complex - All passwords must be at least 12 characters long and contain characters from at least 3 of the following 4 groups:
- Lowercase letters
- Uppercase letters
- Numbers
- Non-alphanumeric characters (! # $ %)
At least 6 of the characters must occur only once in the password, so a password cannot be built from a few repeated characters.
Unique - Passwords cannot contain any familiar words or sequential character strings. They must also differ significantly each time they are reset.
- Passwords cannot contain any string that also appears in the username
- Passwords cannot contain any dictionary words
- Passwords cannot contain any common strings such as:
  - A sequential series of letters (e.g. abcd)
  - A sequential series of numbers (e.g. 1234) or a pattern of numbers (e.g. 2468)
- A password cannot be reused within 2 years
- A password cannot match any of the last 12 passwords used on the account
Temporal - Passwords on standard User accounts expire every 60 days. Each new Password must meet the parameters above. Each time you log in, you will be notified of the number of days remaining until your password expires.
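The complexity and uniqueness rules above are a specification that a validator has to interpret, and the interesting parts are the checks the text only names: detecting sequential and patterned runs, username fragments, and password-history reuse. The following is an added example written for this page, not AESDirect's own code. It assumes a run of 4 consecutive letters or 4 digits with a constant step counts as "sequential", that username fragments shorter than 3 characters are ignored (otherwise a single shared letter would reject every password), that the "occur only once" rule means at least 6 distinct characters each appearing exactly once, and it uses a small constructed word list in place of a real dictionary. The history comparison is done on plaintext for illustration; a production system would compare against stored password hashes.

```python
from typing import Iterable, List

# Constructed sample dictionary; a real deployment would load a full word list.
SAMPLE_DICTIONARY = {"password", "export", "census", "summer", "welcome", "secret"}

MIN_LENGTH = 12       # from the rules on this page
MIN_GROUPS = 3        # of the 4 character groups
MIN_SINGLETONS = 6    # assumed reading: 6 characters that each occur exactly once
HISTORY_DEPTH = 12    # last 12 passwords cannot be reused
SEQ_LEN = 4           # assumption: a run of 4 counts as "sequential"
MIN_FRAGMENT = 3      # assumption: username fragments shorter than this are ignored


def character_groups(pw: str) -> int:
    """Count how many of the 4 groups (lower, upper, digit, non-alphanumeric) are present."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def has_sequential_run(pw: str, length: int = SEQ_LEN) -> bool:
    """Detect runs such as 'abcd', 'dcba', '1234' or patterns such as '2468'.

    Letters: consecutive codepoints in either direction (case-insensitive).
    Digits: any constant non-zero step, so 1234, 9876, 2468 and 1357 all match
    while a repeated digit like 1111 does not (that is caught by the singleton rule).
    """
    s = pw.lower()
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        if window.isalpha():
            steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
            if steps in ({1}, {-1}):
                return True
        elif window.isdigit():
            steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
            if len(steps) == 1 and steps != {0}:
                return True
    return False


def contains_username_fragment(pw: str, username: str, min_len: int = MIN_FRAGMENT) -> bool:
    """True if any substring of the username (of at least min_len chars) appears in the password."""
    u, p = username.lower(), pw.lower()
    return any(u[i:i + min_len] in p for i in range(len(u) - min_len + 1))


def contains_dictionary_word(pw: str, words: Iterable[str]) -> bool:
    """True if any dictionary word of 4+ letters appears inside the password."""
    p = pw.lower()
    return any(w in p for w in words if len(w) >= 4)


def validate_password(pw: str, username: str, history: List[str],
                      words: Iterable[str] = SAMPLE_DICTIONARY) -> List[str]:
    """Return the list of rules the candidate password violates (empty means accepted)."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_groups(pw) < MIN_GROUPS:
        problems.append(f"fewer than {MIN_GROUPS} of the 4 character groups")
    singletons = sum(1 for c in set(pw) if pw.count(c) == 1)
    if singletons < MIN_SINGLETONS:
        problems.append(f"fewer than {MIN_SINGLETONS} characters occur only once")
    if has_sequential_run(pw):
        problems.append("contains a sequential or patterned run")
    if contains_username_fragment(pw, username):
        problems.append("contains part of the username")
    if contains_dictionary_word(pw, words):
        problems.append("contains a dictionary word")
    if pw in history[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed candidates for the hypothetical username "jsmith".
    for candidate in ["Tr7!kwQ9#pLz", "jsmith1234Abc!", "Export2468Zx!!", "Ab1!"]:
        print(candidate, "->", validate_password(candidate, "jsmith", []) or "accepted")
```

The 2-year reuse rule is not checked here because it needs timestamps on each historical entry; the same comparison would simply be extended to every entry whose change date is within the last 2 years.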
Session Rules
Every time you log in to AESDirect, a timer is activated. This timer serves both as a session regulator and an activity counter. To improve security, User Accounts may only be inactive for a finite amount of time, whether within an individual session or over the account's lifespan.
Account Inactivity
- Users will be deactivated if they have not logged in for 90 days
- After 85 days of inactivity, E-mail warnings will be delivered to the User once a day. The E-mail will remind the User of the need to change their password and direct them to the appropriate resources.
- Once deactivated, the Account Administrator or User Manager will need to reactivate the User
Session Timeout
- All AESDirect User sessions will time out after 15 minutes of inactivity
- A pop-up will notify the User 5 minutes before time-out
- Actions such as opening a window or moving from one page to another will reset the 15 minute timer
- Once inactive for more than 15 minutes, the User will be forced to log in again. Any unsaved data will be lost
Concurrent Sessions
- Each Username can be used for up to 5 simultaneous sessions. That is, a user can log in from 5 different computers, or from 5 different web browsers on one machine, at the same time.
- A 6th concurrent session attempt will fail, and the attempt will be logged.
Lockout
- Users are permitted 5 attempts to log in to their account
- After 5 consecutive invalid login attempts within 15 minutes, the user will be locked out
- A locked-out User must be reactivated by the Account Administrator, and this can be done no sooner than 15 minutes after the final failed login attempt