cityofaustin / atd-data-tech

Austin Transportation Data & Technology Services

Strengthen Password Security for Mobility Services App #18936

Closed patrickm02L closed 5 days ago

patrickm02L commented 1 week ago

Description

The current password configuration for the Mobility Services app does not enforce strong password policies, leaving the system vulnerable to security risks. To enhance the security of user accounts and safeguard sensitive data, we need to implement stronger password requirements and user lockout mechanisms.

Recommend maxing out the following requirements:

[Screenshot of the recommended password settings, 2024-09-04]

susannegov commented 1 week ago

Turned on password settings:

[Screenshot of the enabled password settings]

Turned on "Expiration after 60 days"

"Your user account's password has expired and must be changed. To login, please reset your password."

Turned on "Can't use last three password settings"

"Your new password must not be the same as one of your three previous ones."

Expiration Settings

susannegov commented 1 week ago

@patrickm02L Could you review if these settings for expiration settings and lockout email options are correct?

patrickm02L commented 5 days ago

I think we should allow users to request a password reset and send them an email when logged out, no?

susannegov commented 5 days ago

@patrickm02L

> I think we should allow users to request a password reset and send them an email when logged out, no?

Added password reset and an email notification when locked out.

[Screenshot of the updated lockout settings]
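The controls toggled in this thread, written out as an added Python example (not code from atd-data-tech or the Mobility Services app, whose controls are admin-panel switches): expiry after 60 days, rejection of the last three passwords, lockout after repeated failures with an e-mail to the user, and a self-service reset. The lockout threshold, lock duration, reset-link lifetime, the placeholder reset URL and the account used in `demo()` are assumptions. Passwords are kept only as salted PBKDF2 hashes, which is what lets the history rule work without storing old passwords in the clear.

```python
# Added example for the controls discussed in this issue (60-day expiry, no reuse of the last three
# passwords, lockout with an e-mail notice, self-service reset). Not code from atd-data-tech or the
# Mobility Services app; values marked "assumed" are not stated in the issue.
from __future__ import annotations
import hashlib, hmac, os, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

PASSWORD_MAX_AGE = timedelta(days=60)      # "Expiration after 60 days"
PASSWORD_HISTORY_DEPTH = 3                 # "Can't use last three passwords"
LOCKOUT_THRESHOLD = 5                      # assumed: failed logins before lockout
LOCKOUT_DURATION = timedelta(minutes=15)   # assumed: how long the lock holds
RESET_TOKEN_TTL = timedelta(hours=1)       # assumed: reset link lifetime
PBKDF2_ITERATIONS = 100_000                # kept low for the example; OWASP suggests 600,000 for SHA-256

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def _matches(password: str, entry: tuple[bytes, bytes]) -> bool:
    return hmac.compare_digest(_hash(password, entry[0]), entry[1])

@dataclass
class Account:
    email: str
    history: list[tuple[bytes, bytes]]     # (salt, digest), newest first; [0] is the current password
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: datetime | None = None
    reset: tuple[bytes, datetime] | None = None   # (sha256 of the outstanding reset token, expiry)

def create_account(email: str, password: str, now: datetime) -> Account:
    salt = os.urandom(16)
    return Account(email, [(salt, _hash(password, salt))], now)

def change_password(acct: Account, new_password: str, now: datetime) -> bool:
    # False if the candidate equals any of the last three passwords (the current one counts):
    # "Your new password must not be the same as one of your three previous ones."
    if any(_matches(new_password, entry) for entry in acct.history):
        return False
    salt = os.urandom(16)
    acct.history.insert(0, (salt, _hash(new_password, salt)))
    del acct.history[PASSWORD_HISTORY_DEPTH:]
    acct.password_set_at = now
    acct.failed_attempts, acct.locked_until, acct.reset = 0, None, None   # any reset link is now spent
    return True

def login(acct: Account, password: str, now: datetime, send_email) -> str:
    # Returns "ok", "locked", "denied" or "expired"; the lockout e-mail goes out once, at the threshold.
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if not _matches(password, acct.history[0]):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until, acct.failed_attempts = now + LOCKOUT_DURATION, 0
            send_email(acct.email, "Your account was locked after repeated failed logins; use password reset to regain access.")
        return "denied"
    if now - acct.password_set_at >= PASSWORD_MAX_AGE:
        return "expired"   # "Your user account's password has expired and must be changed. To login, please reset your password."
    acct.failed_attempts = 0
    return "ok"

def request_reset(acct: Account, now: datetime, send_email) -> str:
    # Time-boxed, single-use token: only its hash is stored, the plaintext goes out by e-mail.
    token = secrets.token_urlsafe(32)
    acct.reset = (hashlib.sha256(token.encode()).digest(), now + RESET_TOKEN_TTL)
    send_email(acct.email, f"Reset your password: https://example.invalid/reset?token={token}")  # placeholder URL
    return token

def reset_password(acct: Account, token: str, new_password: str, now: datetime) -> str:
    # Returns "ok", "bad_token" or "reused"; a reset bypasses the old password but not the history rule.
    if acct.reset is None or now > acct.reset[1]:
        return "bad_token"
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), acct.reset[0]):
        return "bad_token"
    return "ok" if change_password(acct, new_password, now) else "reused"

def demo() -> dict:
    # Drive one account through the controls on a constructed timeline and report what happened.
    sent: list[str] = []
    mail = lambda to, body: sent.append(body)
    t0 = datetime(2024, 9, 4, 10, 0)           # constructed timestamp
    acct = create_account("user@example.invalid", "Correct-Horse-1", t0)
    out = {"first_login": login(acct, "Correct-Horse-1", t0, mail)}
    for _ in range(LOCKOUT_THRESHOLD):
        login(acct, "wrong-guess", t0, mail)
    out["lockout_mails"] = len(sent)
    out["while_locked"] = login(acct, "Correct-Horse-1", t0, mail)
    out["after_60_days"] = login(acct, "Correct-Horse-1", t0 + PASSWORD_MAX_AGE, mail)
    t1 = t0 + LOCKOUT_DURATION                 # lock has lapsed; the user asks for a reset
    token = request_reset(acct, t1, mail)
    out["reset_to_same"] = reset_password(acct, token, "Correct-Horse-1", t1)
    out["reset_to_new"] = reset_password(acct, token, "New-Pass-2", t1)
    out["token_replay"] = reset_password(acct, token, "New-Pass-3", t1)
    change_password(acct, "New-Pass-3", t1)
    change_password(acct, "New-Pass-4", t1)    # the original is now outside the three-password window
    out["original_reusable"] = change_password(acct, "Correct-Horse-1", t1)
    return out
```

Two points the admin toggles do not make visible: the history rule has to apply on the reset path as well as on an ordinary change, otherwise a reset becomes a way around it, and the reset token is stored hashed, time-boxed and invalidated once used, so a leaked database or a replayed link does not grant access. One caveat on the 60-day expiry: NIST SP 800-63B advises against forcing periodic password changes on their own; it is kept here because it is the setting the thread turned on.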

patrickm02L commented 5 days ago

Perf, good to close!