Password complexity rules
For developing secure-by-design, IEC 62443‑2 compliant applications with PLCnext Technology, get a good grasp of the concepts used in the security context.
User authentication usually requires a set of restrictions as to how long and complex a password needs to be and which characters a user can choose. With the security demand of periodical changes, the expiration of passwords need to be defined.
- See the User Authentication WBM topic for the general handling of users rights and roles.
- See the Authentication failure handling topic for more background on general restrictions that can cause problems.
Working with rule sets
With firmware 2022.0 LTS or newer the password policy also depends on rule sets so different presets can be administered for different contexts.
The password complexity rules are predefined and depend on the rights of each user. You may need to adjust the rule set to meet the needs of your application.
Pre-defined rule sets
With firmware 2022.0 LTS and 2023.0 LTS, the "Admin Ruleset" and the "Default Ruleset" are pre-defined as described below.
- Adapt the rule set to the conditions of your application.
Admin Ruleset
We advise that the user roles Admin, SecurityAdmin, SecurityAuditor, UserManager, CertificateManager and Engineer have the rule set "Admin Ruleset" by default. The following password rules are set:
- The username must not be included in the password.
- The last five passwords must not be reused.
- The password must contain at least ten characters.
- The password must contain at least one uppercase letter and one lowercase letter.
- The password must contain at least one number.
- The password must contain at least one symbol. The allowed symbols are:
{}()[]#,;.:^?!|_'~@$%/\=+-*&
Default Ruleset
All other user roles may have the rule set "Default Ruleset" by default:
- The username must not be included in the password.
- The last five passwords must not be reused.
- The password must contain at least eight characters.
- The password must contain at least one uppercase letter and one lowercase letter.
- The password must contain at least one number.