
Using a Password, Password Policy, and Login Lock

A password is the simplest type of access protection.

Configuring a password, changing a password, using a password manager

Device users need the User name and Password configured in the Device User Management in order to log in to the controller. Device users who are logged in can change their password using the Online → Security → Change Password Device User command. Note: Currently, a user still requires read permission for device user management.

You can store a device user's login password in the password manager. The password manager button is available in the Device User Logon dialog. To use the password manager, see: Password-Protecting the Project – Password Manager

Handling the password policy and login lock

By using a password policy and a login lock, you can make sure that the credentials for the controller are configured as securely as possible and that attackers cannot guess the credentials through repeated login attempts.

Important

By default, a password policy is enabled and it is not recommended to disable it. The settings can be edited in the device editor as described below. The corresponding entry that enables the policy in the configuration file of the device is:

[CmpUserMgr] 
SECURITY.UserMgmt.PasswordPolicy=ENABLED
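
A check for this entry when auditing a device configuration file, as an added example that is not part of the original documentation. The INI-style parsing, the comment characters and the sample file contents are assumptions; any value other than the documented ENABLED is reported as a finding.

```python
SECTION = "CmpUserMgr"
KEY = "SECURITY.UserMgmt.PasswordPolicy"

# Constructed sample configuration (not taken from a real device).
SAMPLE_CFG = """\
[CmpUserMgr]
SECURITY.UserMgmt.PasswordPolicy=ENABLED
"""


def audit_password_policy(cfg_text):
    """Return (status, detail) for the password policy entry.

    enabled     - entry in [CmpUserMgr] with the documented value ENABLED
    default     - no entry at all (documented default: policy enabled)
    not-enabled - entry in [CmpUserMgr] with any other value
    misplaced   - key present, but only outside [CmpUserMgr]
    """
    section, found, misplaced = None, [], []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        # Assumption: lines starting with ';' or '#' are comments.
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        # Match the key case-insensitively so odd spellings are still caught.
        if not sep or name.strip().lower() != KEY.lower():
            continue
        if section is not None and section.lower() == SECTION.lower():
            found.append(value.strip())
        else:
            misplaced.append(section)
    # Strict on the value: only the exact documented string counts as enabled,
    # and one deviating duplicate is enough to raise a finding.
    bad = [v for v in found if v != "ENABLED"]
    if bad:
        return "not-enabled", f"{KEY}={bad[0]}"
    if found:
        return "enabled", f"{KEY}=ENABLED"
    if misplaced:
        return "misplaced", f"{KEY} found in section {misplaced[0]!r}"
    return "default", "no explicit entry"


if __name__ == "__main__":
    print(audit_password_policy(SAMPLE_CFG))
```
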
Procedure. Changing the password policy
  1. In the device tree, double-click the controller.

    The device editor opens. The Communication Settings tab is displayed.

  2. In the header, click the Scan Network button. In the Select Device dialog, select the desired device. Then click OK.

    The active path to the controller is set.

  3. In the Device menu, click the Change Runtime System Password Policy command. Note: The command menu is active only when you are not logged in.

  4. In the Change Runtime System Password Policy dialog, you can change the default settings for the login lock or disable the login lock (Login lock is active option). For more information, see: Dialog: Change Runtime Security Policy

    By default, a login lock is enabled for the Administrator user group because this user group needs to fulfill increased security criteria and should also be better protected. When the maximum number of login attempts has been exceeded, the user will be locked out for the configured amount of time (3600 seconds by default). To unlock a locked user, see the instructions below.

  5. Click OK to confirm the changes made.

    The configured login lock is immediately applied when logging in to the device user management for users of the user group selected in the Scope.

    When the number of login attempts specified in the Maximal Retries field is exceeded, the user will be locked out for the amount of time which is specified in the Lock duration field.

Unlocking a locked user

After a user has been locked out for a specific period of time by the login lock, you can unlock them again using one of the following alternative options:

  • An administrator or a member of a user group with write permission for the user group of the locked user assigns a new password for the user.

  • Restart the runtime system.