Password policy and user access

Learn about MRI OnLocation's password and user access policies, including recommended password standards, and options for enforcing password resets.

OnLocation’s user administration and user access policies provide support for the requirements and the compliance needs of publicly-traded companies by ensuring robust password authentication and controlled system access to your OnLocation account.

Organizations that must comply with OWASP, HIPAA, or the Sarbanes-Oxley Act (SOX) need a password authentication and user access management solution that provides the following capabilities:

  • Ensures user access to only those systems and applications required for their jobs;
  • Enforces strong password policies, especially for users who have access to sensitive or protected records;
  • Ensures enterprise access privileges are removed when an employee leaves the organization;
  • Eliminates Users’ need to share authentication information with the Help Desk or IT staff for password reset or system access;
  • Automates password reset processes to eliminate human error; and
  • Ensures complete, accurate audit trails for all changes in access rights.

Password standards

Best practice and security auditors recommend that to meet the minimum for compliance, with standards like OWASP, HIPAA, and the Sarbanes-Oxley Act passwords should:

  • Be a minimum of six, preferably eight, characters in length
  • Be a combination of uppercase and lowercase letters
  • Mixed with numbers and symbols (!, @, #, $, for example)
  • Not contain personal information, such as the names of spouses or family members (including pets), or any information that an attacker could easily derive from a user

Passwords should be changed every 45 to 90 days and should be different every time.

The purpose of making passwords more complex and indecipherable is to prevent so-called dictionary attacks, where hackers run password hash files that look for common words in dictionaries used as passwords.

OnLocation recommends strong password use. We offer three levels of password security:

  • Simple: minimum of 6 characters
  • Standard: (the default) minimum of 6 characters; a combination of uppercase and lower case letters
  • Complex: (recommended) minimum of 8 characters, a combination of uppercase and lower case letters; mixed with at least one number and one symbol (!, @, #, $, for example)

Password reset options

OnLocation recommends that passwords be changed every 45 days however we recognize that password policies vary from customer to customer. We offer these options for forcing a password reset:

  • Do not force change: (the default) users are not forced to reset their passwords;
  • After 30 Days: Users must change their password every 30 days
  • After 45 Days: Users must change their password every 45 days
  • After 90 Days: Users must change their password every 90 days
  • After 180 Days: Users must change their password every 180 days
  • After 365 Days: Users must change their password every 365 days

Exceptions

Password strength and reset settings will not apply where the customer account maintains user access via single sign-on with JSON Web Token (JWT) or single sign-on with SAML.

Password login attempt limitation

To protect all accounts and users, OnLocation:

  • Does not allow internet browsers to remember user passwords and credentials
  • Limits login attempts to three then blocks access for five minutes from the user's IP address

Learn more

To find out how to set employee access or reset a password, check these Help Center articles: