---
title: "Modifying your security settings"
date: "2024-02-14T06:18:38+00:00"
summary: "Enhance your Site Factory security with customizable settings for password strength, two-factor authentication, session limits, and account management. Protect your websites and user data effectively."
image:
type: "page"
url: "/site-factory/modifying-your-security-settings"
id: "9a5260e5-a737-48e9-a35b-abc77929dea7"
---

You can protect the Site Factory Management Console or any websites that use OpenID accounts by configuring the following security settings:

*   [Session concurrency limit](#acsf-session-concurrency-limit)
    
*   [Minimum password strength](#acsf-minimum-password-strength)
    
*   [Two-factor authentication](#acsf-tfa)
    
*   [Controlling when idle users are signed out](#acsf-idle-timeout)
    
*   [Disabling inactive accounts](#acsf-disable-inactive)
    
*   [Resetting user API keys](#acsf-reset-api-keys)
    

Session concurrency limit
-------------------------

Site Factory subscribers provisioned after the release of Site Factory [2.78](/site-factory/release-notes/2018) are limited to two concurrent sessions per user. If a user is signed in to two concurrent sessions and signs in to a third concurrent session without signing out from one of the two existing sessions, the session with the longest idle time will be signed out.

If Acquia provisioned your Factory before the release of Site Factory 2.78, [contact Acquia Support](/service-offerings/support#contact-acquia-support) to request this feature be enabled on your account.

Minimum password strength
-------------------------

Subscribers with specific password strength compliance requirements are required to adhere to the [password requirements](/acquia-cloud-platform/access/password-strength#passwords-on-acquia-cloud) for Cloud Platform, and don’t have access to this feature.

You can specify a security policy for passwords to access the [Site Factory Management Console](/site-factory/manage) or any of your websites that use [OpenID accounts](/site-factory/manage/sso). The password security policy determines how _strong_ (or resistant to guessing) user passwords must be for Site Factory to accept them.

Note

Regardless of your password security policy settings, Site Factory requires a minimum password length of seven (7) characters for [Site Factory Management Console](/site-factory/manage) and [OpenID accounts](/site-factory/manage/sso).

Determining a password’s strength
---------------------------------

Password strength policies enforce rules about passwords to prevent them from being easily compromised or guessed by another person. At their most basic level, such policies only require passwords to include at least one number, one uppercase letter, and one lowercase letter. A rule like this doesn’t actually produce hard-to-guess passwords; for example, the password `Passw0rd` satisfies the rule, but isn’t a strong password.

Instead of a basic approach, the Site Factory password strength system applies a combination of rules to rank how difficult the password is to guess. For example, the following elements lower an entered password’s strength ranking:

*   Words found in a dictionary of common words, common first and last names, or common passwords
    
*   Words found in the dictionary, but with common _1337_ (or _leet_) substitutions, such as `4` or `@` for `a`, and `5` for `s`. These substitutions are treated as only slightly stronger than the words themselves.
    
*   Common sequences of letters or numbers (`abcde` or `12345`)
    
*   Characters in a keyboard pattern (`qwerty` or `zaq1`)
    
*   Three or more repeated characters (`1111`)
    
*   Dates or years (`1921` or `19-11-1978`)
    

The password strength policy prohibits users from using their Acquia accounts’ email address as a password.

The password strength levels assigned to passwords are based on the following:

*   The amount of entropy (randomness) in each password.
    
*   An estimate of the amount of time needed to determine (or _crack_) each password using a brute force attack (based on current estimations).
    

The estimated time-to-crack at each level is about two orders of magnitude greater than the next lower level, so a **Weak** password can take minutes to crack, while a **Very Strong** password can take years.

### Password examples

*   **Weak passwords**
    
    For example, these passwords are weak:
    
    *   `mystrongpassword`: Dictionary words
        
    *   `el1z@b3th`: Common name, with _leet_ substitutions
        
    *   `11121957`: Date
        
    *   `9876598765`: Keyboard sequences
        
*   **Strong passwords**
    
    A password can rank as extremely strong even if it consists of only elements like those described here, as long as it has enough distinct elements and is long enough.
    
    For example, these passwords are strong:
    
    *   `correctdonkeybatterystaple`: Long password (even though it has four dictionary words)
        
    *   `Actions>words`: Long password
        
    *   `9a8b7c6d5e`: Long password without keyboard patterns
        
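The rule list above and the error message shown later on this page (for example, `Contains dictionary words (e.g. "password")`) can be illustrated with a small checker. This is an added example, not Site Factory’s own implementation: the word list, the leet map, the keyboard rows and the four-character run threshold are constructed for the demo, and it only reports which rules a password trips; the length- and entropy-based ranking that makes `correctdonkeybatterystaple` strong despite its dictionary words is not replicated here.

```python
import re
from datetime import date

# Constructed sample lists; a real checker uses large dictionaries of common words, names and leaked passwords.
COMMON_WORDS = {"password", "strong", "elizabeth", "donkey", "battery", "staple"}
LEET = str.maketrans("4@31|0$5", "aaeiioss")   # 4/@ -> a, 3 -> e, 1/| -> i, 0 -> o, $/5 -> s
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "zaq1xsw2cde3")
ALPHA, DIGITS = "abcdefghijklmnopqrstuvwxyz", "0123456789"
MIN_LENGTH = 7   # the floor Site Factory applies regardless of policy

def _walk(s, row, n=4):
    """True if s contains n or more adjacent characters of row, forward or backward."""
    return any(r[i:i + n] in s for r in (row, row[::-1]) for i in range(len(r) - n + 1))

def _is_date(s):
    """dd-mm-yyyy or ddmmyyyy that is a real calendar date, or a bare 19xx/20xx year."""
    m = re.search(r"(?<!\d)(\d{2})[-/.]?(\d{2})[-/.]?(\d{4})(?!\d)", s)
    try:
        if m:
            date(int(m.group(3)), int(m.group(2)), int(m.group(1)))
            return True
    except ValueError:
        pass
    return re.search(r"(?<!\d)(19|20)\d{2}(?!\d)", s) is not None

def password_issues(password, email=None):
    """Return the findings for a candidate password, one string per rule it trips."""
    pw = password.lower()
    plain = pw.translate(LEET)               # undo leet substitutions before the word check
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"Shorter than {MIN_LENGTH} characters")
    if email and pw == email.lower():
        issues.append("Matches the account email address")
    words = sorted(w for w in COMMON_WORDS if w in pw)
    leet_words = sorted(w for w in COMMON_WORDS if w in plain and w not in words)
    if words:
        issues.append(f'Contains dictionary words (e.g. "{words[0]}")')
    if leet_words:
        issues.append(f'Contains dictionary words with leet substitutions (e.g. "{leet_words[0]}")')
    if _walk(pw, ALPHA) or _walk(pw, DIGITS):
        issues.append("Contains a sequence of letters or numbers")
    if any(_walk(pw, row) for row in KEYBOARD_ROWS):
        issues.append("Contains a keyboard pattern")
    if re.search(r"(.)\1\1", pw):
        issues.append("Contains three or more repeated characters")
    if _is_date(pw):
        issues.append("Contains a date or year")
    return issues
```

Running it over the weak examples above flags each for the reason the list gives, while `9a8b7c6d5e` and `Actions>words` trip no rule.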

Resources for creating strong passwords
---------------------------------------

For inspiration, see this [XKCD comic](http://xkcd.com/936/). For a method of creating strong passwords from randomly chosen short words, see the [Diceware Passphrase Home Page](http://world.std.com/~reinhold/diceware.html), or use a password manager such as [LastPass](https://www.lastpass.com/), [1Password](https://1password.com/) or [KeePassX](https://www.keepassx.org/).

Setting the password strength policy
------------------------------------

To enable or change the password strength policy for the [Site Factory Management Console](/site-factory/manage) and for your websites that use [OpenID accounts](/site-factory/manage/sso), complete the following steps:

1.  [Sign in](/site-factory/login) to your _Prod_ environment’s [Site Factory Management Console](/site-factory/manage) using an account with the [platform admin](/site-factory/manage/users/admin/platform-admin) role.
    
2.  In the admin menu, click **Administration**, and then click the **Security settings** link.
    
3.  In the **Minimum required password strength** section, select the minimum required strength from the following values:
    
    *   **disabled**: Passwords can have any password strength ranking (but must still be seven characters or longer)
        
    *   **weak**: Passwords must have a password strength ranking of _weak_ or greater
        
    *   **good**: Passwords must have a password strength ranking of _good_ or greater
        
    *   **strong**: Passwords must have a password strength ranking of _strong_ or greater
        
    *   **very strong**: Passwords must have a password strength ranking of _very strong_ or greater
        
4.  Click **Save configuration**.
    

Stage environment password strength policies
--------------------------------------------

You can also directly change the password strength policy for your _Stage_ environment.

Although you can use the previous password strength policy procedure to change your Stage environment’s policy, each time you [stage websites](/site-factory/workflow/staging) from your Prod environment to your Stage environment, your Factory settings are also copied with your websites. This staging includes your Prod environment’s password strength policy settings, overwriting your Stage environment’s policies.

Transitioning to stricter password policies
-------------------------------------------

After you enable a password strength policy, [Site Factory Management Console](/site-factory/manage) account and [OpenID user](/site-factory/manage/sso) passwords are tested for their strength during sign-in. If a password fails to meet the policy, the user isn’t permitted access, and is then prompted to change the password to one satisfying the policy’s strength requirement.

As a user types a new password, Site Factory tests and reports the password’s strength. When users create passwords not satisfying the password strength policy, Site Factory displays an error message describing the reasons the password can’t be accepted. For example:

    The following issues were detected with your password:
    * Contains dictionary words (e.g. "password")

When changing your password, Site Factory provides information about acceptable password requirements following the **Confirm password** field.

![Displaying password strength estimation](https://acquia.widen.net/content/fwk4ggzr2i/jpeg/site-factory_password-strength.jpeg?position=c&color=ffffffff&quality=80&u=u1mnox)

Two-factor authentication
-------------------------

You can enable two-factor authentication (also known as _two-step verification_) to control access to your subscription through the [Site Factory Management Console](/site-factory/manage). Two-factor authentication is more secure than password authentication alone. With two-factor authentication enabled, a user signing in to the Site Factory Management Console or a website using [OpenID accounts](/site-factory/manage/sso) must supply a user email address, a password, and also a code sent to a trusted device.

Note

This page describes how to require two-factor authentication for all user accounts. For information about how to sign in with two-factor authentication, see [Configuring two-factor authentication](/site-factory/manage/users/tfa).

To change your Factory two-factor authentication settings:

1.  [Sign in](/site-factory/login) to your _Prod_ environment’s [Site Factory Management Console](/site-factory/manage) using an account with the [platform admin](/site-factory/manage/users/admin/platform-admin) role.
    
2.  In the admin menu, click **Administration**, and then click the **Security settings** link.
    
3.  In the **Two-step verification** section, select either **Required** or **Not required** to indicate whether Factory accounts and website accounts using OpenID must use two-factor authentication or not, respectively.
    
4.  Click **Save configuration**.
    

Controlling when idle users are signed out
------------------------------------------

To better secure your hosted websites, you can configure Site Factory to sign users out of websites after a configurable period of inactivity. This configuration helps to protect accounts from unauthorized use if a user leaves a browser window open and unattended.

Note

Site Factory subscriptions provisioned after the release of [Site Factory 2.81](/site-factory/release-notes) on October 10, 2018 are configured by default to sign out inactive user accounts after 15 minutes (900 seconds).

To change how Site Factory handles inactive users, complete the following steps:

1.  [Sign in](/site-factory/login) to your _Prod_ environment’s [Site Factory Management Console](/site-factory/manage) using an account with the [platform admin](/site-factory/manage/users/admin/platform-admin) role.
    
2.  In the admin menu, click **Administration**, and then click the **Security settings** link.
    
3.  In the **Automatic logout settings** section, select the **Sign out inactive user accounts** checkbox to sign out inactive users, or clear the checkbox to allow inactive users to remain signed in to your websites indefinitely.
    
4.  If the **Sign out inactive user accounts** checkbox is enabled, in the **Time in seconds** field, enter the number of seconds a user may be inactive before being signed out. For example, entering `900` in the field will sign out users after 15 minutes of inactivity.
    
5.  Click **Save configuration**.
    
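The two session rules on this page, the concurrency limit (a third sign-in evicts the longest-idle of two sessions) and the idle timeout (900 seconds by default), can be modelled together in a small session store. This is an added example, not Site Factory’s code; the `Session` and `SessionStore` names, the epoch-second timestamps and the session ids are constructed for the demo.

```python
from dataclasses import dataclass, field

MAX_CONCURRENT = 2   # sessions per user, the limit described for Site Factory 2.78+
IDLE_TIMEOUT = 900   # seconds of inactivity before sign-out (the page's 15-minute default)


@dataclass
class Session:
    user: str
    sid: str
    last_seen: float   # epoch seconds of the most recent request


@dataclass
class SessionStore:
    max_concurrent: int = MAX_CONCURRENT
    idle_timeout: int = IDLE_TIMEOUT
    sessions: dict = field(default_factory=dict)   # sid -> Session

    def _expire(self, now):
        """Idle timeout: forget any session quiet for longer than idle_timeout."""
        for sid in [s.sid for s in self.sessions.values() if now - s.last_seen > self.idle_timeout]:
            del self.sessions[sid]

    def active(self, user, now):
        """The user's live sessions, longest idle first."""
        self._expire(now)
        return sorted((s for s in self.sessions.values() if s.user == user), key=lambda s: s.last_seen)

    def sign_in(self, user, sid, now):
        """Open a session; at the concurrency limit, sign out the longest-idle one.
        Returns the evicted session id, or None."""
        evicted = None
        current = self.active(user, now)
        if len(current) >= self.max_concurrent:
            evicted = current[0].sid
            del self.sessions[evicted]
        self.sessions[sid] = Session(user, sid, now)
        return evicted

    def touch(self, sid, now):
        """Record a request on a session; False means it had already timed out."""
        self._expire(now)
        session = self.sessions.get(sid)
        if session is None:
            return False
        session.last_seen = now
        return True
```

Note that the eviction picks the session with the oldest `last_seen`, not the oldest sign-in, which is what "longest idle time" means in practice.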

Disabling inactive accounts
---------------------------

To better secure your websites, you can block inactive accounts after a specified number of days of inactivity. Blocking inactive accounts helps protect accounts from unauthorized use if a malicious user discovers and accesses an abandoned account.

To configure the disabling of inactive accounts:

1.  [Sign in](/site-factory/login) to your _Prod_ environment’s [Site Factory Management Console](/site-factory/manage) using an account with the [platform admin](/site-factory/manage/users/admin/platform-admin) role.
    
2.  In the admin menu, click **Administration**, and then click the **Security settings** link.
    
3.  In the **Automatic disabling of inactive accounts** section, select the checkbox to disable accounts, and enter the number of days to preserve inactive accounts in the **Disable after** field.
    
4.  Click **Save configuration**.
    

Resetting user API keys
-----------------------

Site Factory administrators can use the [Site Factory Management Console](/site-factory/manage) or the [Site Factory API](/site-factory/extend/api) to reset API keys of an individual user, or all users. Users can also reset their own API key. For more information, see [Resetting API keys on Site Factory](/site-factory/extend/api/resetkeys).