Authentication policies
An authentication policy is a set of rules that are applied to the authentication process and to the verification of authentication data by WebSphere Commerce. WebSphere Commerce supports account policies and other authentication-related policies, as described in the following subsections.
Account policies
An account policy defines the account-related policies such as password and account lockout policies. For information about creating account policies, see Setting up an account policy.
- Account lockout policy
- An account lockout policy disables a user account if malicious actions are launched against that account. Disabling the user account reduces the chances that the actions compromise the account. An account lockout policy enforces the following items:
- The account lockout threshold. This is the number of invalid logon attempts before the account is disabled. By setting this number too low, you risk locking out legitimate users who mistyped their password or have difficulty remembering it, and potentially overwhelming your CSR team if an attacker is trying to lock out several accounts. By setting this number too high, you avoid the aforementioned risks, but you make your site more vulnerable to a brute-force password-guessing attack. Choose a threshold that best suits your security requirements.
- Consecutive unsuccessful login delay. This value is the time period for which the user is not allowed to log in after two failed login attempts. The delay increases by the configured time delay value (for example, 10 seconds) with every further consecutive login failure.
For information about creating account lockout policies, see Setting up an account lockout policy.
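To make the two lockout rules concrete, the following added example (not WebSphere Commerce code) tracks logon attempts per account and applies a lockout threshold and an incrementing delay after consecutive failures. The policy values, account names, timestamps and the reading of the delay rule (second failure 10 s, third 20 s, and so on) are assumptions made for illustration.

```python
# Added example (not WebSphere Commerce code): a small tracker that applies
# the two account-lockout rules described above, a lockout threshold and an
# incrementing delay after consecutive failures. Policy values, account
# names and the attempt sequence are all constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LockoutPolicy:
    threshold: int = 6        # invalid logons before the account is disabled (assumed value)
    delay_seconds: int = 10   # base delay; the page's own example value
    delay_after: int = 2      # delay begins after this many consecutive failures (page: two)


@dataclass
class AccountState:
    failures: int = 0           # consecutive failed attempts since the last success
    disabled: bool = False
    blocked_until: float = 0.0  # clock value until which logons are refused


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Record one logon attempt; returns 'ok', 'bad-password', 'delayed' or 'disabled'."""
        st = self.accounts.setdefault(user, AccountState())
        if st.disabled:
            return "disabled"
        if now < st.blocked_until:
            # Inside the delay window even a correct password is refused,
            # and the attempt does not count towards the threshold.
            return "delayed"
        if password_ok:
            st.failures = 0
            st.blocked_until = 0.0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.threshold:
            st.disabled = True          # needs a CSR / administrator to re-enable
            return "disabled"
        if st.failures >= self.policy.delay_after:
            # Delay grows by delay_seconds with each further consecutive failure:
            # 2nd failure -> 10 s, 3rd -> 20 s, 4th -> 30 s ... (assumed reading of the rule)
            steps = st.failures - self.policy.delay_after + 1
            st.blocked_until = now + steps * self.policy.delay_seconds
        return "bad-password"

    def disabled_accounts(self) -> List[str]:
        """Accounts currently locked; a sudden spike here is the signal that
        someone may be deliberately locking out users rather than guessing passwords."""
        return sorted(u for u, st in self.accounts.items() if st.disabled)


def demo() -> List[str]:
    """Constructed attempt sequence; timestamps are seconds on a toy clock."""
    tracker = LockoutTracker(LockoutPolicy(threshold=4, delay_seconds=10))
    results = [
        tracker.attempt("alice", False, 0),    # 1st failure: no delay yet
        tracker.attempt("alice", False, 1),    # 2nd failure: blocked until t=11
        tracker.attempt("alice", True, 5),     # correct password, but inside the delay
        tracker.attempt("alice", True, 11),    # delay over: success resets the counter
        tracker.attempt("bob", False, 100),
        tracker.attempt("bob", False, 101),    # blocked until t=111
        tracker.attempt("bob", False, 111),    # 3rd failure: blocked until t=131
        tracker.attempt("bob", False, 131),    # 4th failure reaches the threshold
        tracker.attempt("bob", True, 200),     # even the right password is refused now
    ]
    return results + tracker.disabled_accounts()


if __name__ == "__main__":
    print(demo())
```

The `disabled_accounts` view is the operational side of the threshold trade-off the text describes: a low threshold makes that list grow quickly under a deliberate lockout campaign, so it is worth alerting on its growth rate as well as on individual lockouts.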
Note: Account lockout does not work with LDAP enabled.
- Password policy
- A password policy defines characteristics with which user passwords must comply. A password policy enforces the following conditions:
- Whether the user ID and password can match.
- Maximum occurrence of consecutive characters.
- Maximum instances of any character.
- Maximum lifetime of the passwords.
- Minimum number of alphabetic characters.
- Minimum number of numeric characters.
- Minimum length of password.
- Number of previous passwords to check against when the user selects a new password.
For information about creating password policies, see Setting up a password policy.
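The following added example (not WebSphere Commerce code) implements a checker for the eight password conditions listed above. The rule values, the user ID, the candidate passwords and the salted-digest history format are assumptions constructed for illustration; the functions return the list of broken rules so that a caller can show the user every problem at once.

```python
# Added example (not WebSphere Commerce code): a checker for the password
# conditions listed above. The rule values, user ID and passwords are
# constructed for illustration.
import hashlib
import os
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class PasswordPolicy:
    userid_may_match: bool = False   # whether user ID and password can match
    max_consecutive: int = 3         # max run of the same character in a row
    max_instances: int = 4           # max occurrences of any one character
    max_lifetime_days: int = 90      # maximum password lifetime
    min_alpha: int = 1               # minimum alphabetic characters
    min_numeric: int = 1             # minimum numeric characters
    min_length: int = 8              # minimum length
    history_count: int = 5           # previous passwords checked on change


HistoryEntry = Tuple[bytes, str]     # (salt, hex digest): old passwords are never kept in clear


def remember(password: str) -> HistoryEntry:
    """Store a salted digest of a password for later reuse checks (assumed format)."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()


def _matches(entry: HistoryEntry, password: str) -> bool:
    salt, digest = entry
    return hashlib.sha256(salt + password.encode()).hexdigest() == digest


def violations(policy: PasswordPolicy, user_id: str, password: str,
               history: List[HistoryEntry]) -> List[str]:
    """Return every rule the candidate password breaks (an empty list means accepted)."""
    problems = []
    if not policy.userid_may_match and password.lower() == user_id.lower():
        problems.append("password matches user ID")
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} is below minimum {policy.min_length}")
    alpha = sum(c.isalpha() for c in password)
    if alpha < policy.min_alpha:
        problems.append(f"only {alpha} alphabetic characters, minimum {policy.min_alpha}")
    digits = sum(c.isdigit() for c in password)
    if digits < policy.min_numeric:
        problems.append(f"only {digits} numeric characters, minimum {policy.min_numeric}")
    # Longest run of one character repeated consecutively.
    run = longest = (1 if password else 0)
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    if longest > policy.max_consecutive:
        problems.append(f"{longest} consecutive identical characters exceeds maximum {policy.max_consecutive}")
    # Most frequent character anywhere in the password.
    if password:
        ch, count = Counter(password).most_common(1)[0]
        if count > policy.max_instances:
            problems.append(f"character {ch!r} appears {count} times, maximum {policy.max_instances}")
    # Only the most recent history_count entries are compared.
    if any(_matches(e, password) for e in history[-policy.history_count:]):
        problems.append(f"matches one of the last {policy.history_count} passwords")
    return problems


def password_expired(policy: PasswordPolicy, last_changed: date, today: date) -> bool:
    """Lifetime rule: true once the password is older than max_lifetime_days."""
    return today - last_changed > timedelta(days=policy.max_lifetime_days)


if __name__ == "__main__":
    pol = PasswordPolicy()
    for pw in ("jsmith", "aaaa1234bcd", "Tr0ub4dor&3x"):
        print(pw, "->", violations(pol, "jsmith", pw, []) or "accepted")
```

The lifetime check is separate from `violations` because it applies at logon time to the stored password, whereas the other seven rules apply when a new password is chosen.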
WebSphere Commerce provides two default account policies: Administrators and Shoppers. For more information about these policies, see Default account policies.
Other authentication-related policies
The following describe the other authentication-related policies available with WebSphere Commerce:
- Password invalidation
- When enabled, password invalidation requires WebSphere Commerce users to change their password if the user's password has expired. In that case, the user is redirected to a page where they are required to change their password. Users are not able to access any secure pages on the site until they change their password.
For information about enabling password invalidation, see Enabling password invalidation.
- Password protected commands
- When the password protected commands feature is enabled, WebSphere Commerce requires registered users who are logged on to WebSphere Commerce to enter their password. The registered users must enter their password before a request that runs designated WebSphere Commerce commands continues.
Caution: When you configure the password protected commands, some of the commands that are shown in the command selection list can be executed by generic or guest users. Configuring such commands as password protected restricts generic and guest users from running them.
For information about enabling the password protected commands feature, see Enabling password protected commands.
- Login timeout
- With the login timeout policy, WebSphere Commerce logs off a user that is inactive for an extended period. Then, WebSphere Commerce requests that the user log back on to the system using the Login Timeout node. This enhancement is invoked through the Configuration Manager and is described in detail in Enabling login timeout.