Must be running VETtrak version 19.2.x or later.
The new password management functionality introduced in 19.2 is supported across the Portals. These are some of the related settings and features:
- Password expiration enabled
- Password warning enabled
- Missing email preventing account recovery
- Account recovery
- Change a password - logged in portal user
- Force password change - VETtrak admin initiated
- Set a new password - VETtrak admin initiated
- Failed login logging and brute force attack prevention
Password expiration enabled
In the VETtrak menu located under File - Security settings, you may set up a password policy that is global to all applications including the web portals. To enforce a password expiration scheme, open the Security Settings Wizard.
- Tick the box "Require password to be changed every" and choose the number of days between password expirations from the spin dial.
- Passwords will now expire every [x] days, where x is the number chosen in the setting.
The following dialogue will now appear in the portal when a successful login is attempted after the expiry period:
Password Warning enabled
- If you would like portal users to receive a pop-up warning of an upcoming expiry, tick "Warn users of upcoming password expiry" and choose the number of days prior to the expiry at which the prompt should appear.
- While that warning period is active, the portal user will see the following pop-up message in the lower right hand side of their browser window.
- If the user wishes to change the password immediately, they may click the link within the message and will be presented with the following change password dialogue.
Missing email preventing account recovery
If the portal user does not have an email address on their client record, the following message will appear in the lower right hand corner of the portal within the browser.
Clicking the link will take the client to the personal details page of the student portal for them to add their email address. Note: there may be restrictions on entering email addresses for other portals.
Account recovery - resetting a password
A portal user will be able to reset their password only if they have a unique email address on their client record. If the email address is missing or shared by more than one client record, no email is sent and the request fails silently: the portal gives the same response as for a successful request so that it does not reveal which addresses are on file.
- Use the Account recovery button on the portal login page:
- Select "I don't know my password" in order to enter the email address for password reset
- The following will appear after an email address has been entered and the "recover" button pressed.
- If the address was unique, the system sends an email to it containing a time-sensitive link.
The link will allow the entry of a new password that meets the VETtrak password policy. Clicking the link will display the reset password dialogue as follows.
Account recovery - retrieving a username
A portal user will be able to recover their username if they have a unique email address on the VETtrak system. Access the Account Recovery option from the login page. Then choose the option for "I don't know my username".
- Enter the email address on the popup:
- If the details match and are unique then an email will be sent with the username in the body of the email. No active link is provided in the email. The user then can take that information back to the portal login screen.
Change a password - logged in portal user
A portal user may change their password from within an active logged on portal session.
- From the portal account profile (the person icon) in the header of the portal:
- Choose Change password and the user will be prompted with the change password dialogue:
- Any password policies in force will need to be respected.
Account recovery - VETtrak admin initiated
A VETtrak desktop administrator will be able to initiate a portal password reset from within the VETtrak software.
- Open up the Client Wizard and ensure the client has an email address, which is located on the first page:
- On the next page, select the tick box "Start web portal password reset process" and choose the portal from which the user may reset their password:
- Finish any other client edits as necessary and complete the client wizard. The software will then send a portal reset request to the relevant portal's API, and the portal will send the client an email containing a time-sensitive reset token.
- The timeout period comes from the Security Settings value "VETtrak staff on behalf of users, after", which is specified in minutes. The link sent in the email stops working once this period has elapsed.
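The two security-relevant rules in this section and in "Account recovery - resetting a password" above, the time-limited reset link and the "unique email or nothing is sent" check, can be modelled in a few lines. The code below is an added illustration, not VETtrak's implementation: the HMAC-signed token format, the function names, the client records and the `ttl_minutes` argument (standing in for the "VETtrak staff on behalf of users, after" value) are all assumptions made for the example.

```python
# Illustrative model of a time-limited password-reset link plus the
# "unique email or nothing is sent" rule. Added example code, not VETtrak's
# implementation: the token format, HMAC signing, function names and the
# sample records below are assumptions made for this illustration.
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SIG_LEN = 32                           # HMAC-SHA256 digest length in bytes
PORTAL_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed here)


def select_recovery_account(email: str, accounts: Dict[str, Optional[str]]) -> Optional[str]:
    """Return the username that owns `email` only if exactly one record has it.

    Unknown, missing and shared addresses all yield None, so the caller
    sends nothing and behaves identically in every failing case: the
    response does not reveal which addresses are on file.
    """
    wanted = email.strip().lower()
    matches = [user for user, addr in accounts.items()
               if addr and addr.strip().lower() == wanted]
    return matches[0] if len(matches) == 1 else None


def issue_reset_token(username: str, ttl_minutes: int, key: bytes = PORTAL_KEY,
                      now: Optional[float] = None) -> str:
    """Mint a token naming `username` that stops working after ttl_minutes.

    ttl_minutes stands in for the 'VETtrak staff on behalf of users, after'
    setting. The expiry is inside the signed payload, so it cannot be
    extended by editing the link.
    """
    now = time.time() if now is None else now
    expires = int(now) + ttl_minutes * 60
    nonce = secrets.token_hex(8)               # makes every issued link distinct
    payload = f"{username}|{expires}|{nonce}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def verify_reset_token(token: str, key: bytes = PORTAL_KEY,
                       now: Optional[float] = None) -> Optional[str]:
    """Return the username if `token` is genuine and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                         # binascii.Error is a ValueError
        return None
    if len(raw) <= SIG_LEN:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time check first
        return None
    try:
        username, expires, _nonce = payload.decode().split("|")
        if now > int(expires):
            return None
    except ValueError:                         # malformed payload
        return None
    return username


if __name__ == "__main__":
    # Constructed client records: one unique address, one shared, one missing.
    records = {"jsmith": "j.smith@example.edu",
               "alee": "shared@example.edu",
               "bkim": "shared@example.edu",
               "cng": None}
    for addr in ("J.Smith@example.edu", "shared@example.edu", "nobody@example.edu"):
        print(addr, "->", select_recovery_account(addr, records))
    tok = issue_reset_token("jsmith", ttl_minutes=30)
    print("fresh:", verify_reset_token(tok))
    print("after 31 min:", verify_reset_token(tok, now=time.time() + 31 * 60))
```

The signature is checked before the payload is parsed, and with a constant-time comparison, so a forged or tampered link is rejected without leaking anything about its contents; the shared-address case returns the same `None` as an unknown address, which is the silent failure the page describes.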
Force password change - VETtrak admin initiated
A VETtrak admin may force a client to change their password at their next logon. Each portal will prompt the user to change their password on that login. This method does not rely on email.
- In the VETtrak Client wizard - tick the box "User must change password at next login"
- The portal user will go to login as per normal with their pre-existing password:
- As soon as they login they will be prompted to change the password and the following dialogue will appear:
- Note: Any password policy settings will need to be respected by the user when changing the password. The old password will be the one they just used to get to this screen.
Set a new password - VETtrak admin initiated
The VETtrak admin may set a new password from the client wizard. It will be emailed or sent by SMS to the client. Because this is a temporary password assigned by someone else, the client is forced to change it to one of their own choosing at their next portal login, as per the process above.
- Tick the box "Set a new password" on the client wizard:
- Note: the tick box "User must change password at next logon" is also ticked and is not available for editing.
- The temporary password is autogenerated and will abide by the password policy in place. You may also override this password with one of your own choosing.
Failed login logging and brute force attack prevention
All portal login attempts, both successful and failed, are now logged on the system. A user can see when their last successful login occurred along with a count of failed attempts. A full history of login information is available on the account profile menu (top right, via the person icon).
The portal can be globally set to block further attempts from an IP address after repeated failed logins, which acts as a brute force attack prevention mechanism. The block is keyed on the IP address the portal sees; if the portal sits behind a reverse proxy or load balancer, check that this is the client's address and not the proxy's, otherwise a single block can lock out every user arriving through that proxy.
- The settings are held in the portal's web.config application settings file in the root of the web portal's files. The settings are:
- FailedLoginThreshold
The number of failed login attempts from the same IP address, within FailedLoginThresholdInterval, before blocking occurs.
<add key="FailedLoginThreshold" value="5" />
- FailedLoginThresholdInterval
The length of the window, in seconds, within which FailedLoginThreshold failures from the same IP address trigger the block.
<add key="FailedLoginThresholdInterval" value="60" />
- FailedLoginBlockDuration
The number of seconds for which an IP address is blocked once it reaches the failed login threshold.
<add key="FailedLoginBlockDuration" value="360" />
With the example values above, five failed logins from one address within 60 seconds block that address for 360 seconds (six minutes).
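To make the interaction of the three settings concrete, the following is an added example, not the portal's code: a per-IP sliding-window guard with the default values (5 failures in 60 seconds blocks for 360 seconds), replayed over a constructed login log. The class name, method names, log format and sample lines are all assumptions made for the illustration.

```python
# Illustrative model of the FailedLoginThreshold / FailedLoginThresholdInterval /
# FailedLoginBlockDuration behaviour. Added example code, not the portal's
# implementation: the class, the log format and the sample lines are
# assumptions constructed for this illustration.
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Tuple


class FailedLoginGuard:
    """Per-IP sliding window: `threshold` failures inside `interval` seconds
    block the address for `block_duration` seconds (the three web.config keys)."""

    def __init__(self, threshold: int = 5, interval: int = 60, block_duration: int = 360):
        self.threshold = threshold
        self.interval = interval
        self.block_duration = block_duration
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self._blocked_until[ip]            # block has lapsed
        return False

    def record_failure(self, ip: str, now: float) -> bool:
        """Count a failed attempt; return True if this one starts a block."""
        window = self._failures[ip]
        window.append(now)
        while window and window[0] <= now - self.interval:
            window.popleft()                   # attempts older than the interval
        if len(window) >= self.threshold:
            self._blocked_until[ip] = now + self.block_duration
            window.clear()
            return True
        return False

    def attempt(self, ip: str, now: float, credentials_ok: bool) -> str:
        """Decide one login attempt. Blocked addresses are refused before the
        password is checked, so a correct password does not lift the block."""
        if self.is_blocked(ip, now):
            return "blocked"
        if credentials_ok:
            return "allowed"
        return "block_triggered" if self.record_failure(ip, now) else "failed"


# Constructed sample log: "<timestamp> <ip> <OK|FAIL>", one attempt per line.
SAMPLE_LOG = """\
2024-03-04T09:00:00 203.0.113.7 FAIL
2024-03-04T09:00:05 203.0.113.7 FAIL
2024-03-04T09:00:09 198.51.100.2 FAIL
2024-03-04T09:00:12 203.0.113.7 FAIL
2024-03-04T09:00:20 203.0.113.7 FAIL
2024-03-04T09:00:31 203.0.113.7 FAIL
2024-03-04T09:00:40 203.0.113.7 OK
2024-03-04T09:06:30 203.0.113.7 OK
2024-03-04T09:06:32 203.0.113.7 OK
2024-03-04T09:06:35 198.51.100.2 OK
"""


def replay(log_text: str, guard: FailedLoginGuard) -> List[Tuple[str, str, str]]:
    """Run each log line through the guard and return (timestamp, ip, outcome)."""
    results = []
    for line in log_text.splitlines():
        ts, ip, result = line.split()
        now = (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())
        results.append((ts, ip, guard.attempt(ip, now, result == "OK")))
    return results


if __name__ == "__main__":
    for ts, ip, outcome in replay(SAMPLE_LOG, FailedLoginGuard()):
        print(ts, ip, outcome)
```

In the sample, 203.0.113.7 fails five times within 31 seconds and is blocked at the fifth failure; its correct password at 09:00:40 and again at 09:06:30 is still refused, and only the attempt at 09:06:32, after the 360-second block has lapsed, is allowed. 198.51.100.2 fails once and is never blocked. Because the window slides, an attacker who spaces failures more than 12 seconds apart never reaches five inside any 60-second interval with these values, which is the trade-off an operator is making when choosing FailedLoginThresholdInterval.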