...

Minimum password length for administrators. The length is enforced when setting a new password or changing the existing one. For security reasons this cannot be set lower than 8 characters.

(default: 8)

Password must contain

By checking the required character groups (lowercase and uppercase letters, digits, symbols) it is possible to increase the complexity of the passwords used. The following characters are considered symbols: ! @ # $ % ^ & *. The character groups are checked when setting a new password or changing the existing one.

(default: all unchecked)

Forbid leaked passwords usage

When enabled, ensures that any new password does not appear in a known password data breach. The "Have I Been Pwned (HIBP)" service is used for this check. The password itself is not sent anywhere; only the first 5 characters of the SHA-1 hash of the password are sent. For more information see: https://haveibeenpwned.com/API/v3#PwnedPasswords. This is checked when setting a new password or changing the existing one.

(default: disabled)

Password rules for users

The following rules for user passwords are valid only for local users (created directly in the SOFiE application by an administrator). Remote users (from AD/ADFS) are not affected.

...

Minimum password length for users. The length is enforced when setting a new password or changing the existing one. For security reasons this cannot be set lower than 8 characters.

(default: 8)

Password must contain

By checking the required character groups (lowercase and uppercase letters, digits, symbols) it is possible to increase the complexity of the passwords used. The following characters are considered symbols: ! @ # $ % ^ & *. The character groups are checked when setting a new password or changing the existing one.

(default: all unchecked)

Forbid leaked passwords usage

When enabled, ensures that any new password does not appear in a known password data breach. The "Have I Been Pwned (HIBP)" service is used for this check. The password itself is not sent anywhere; only the first 5 characters of the SHA-1 hash of the password are sent. For more information see: https://haveibeenpwned.com/API/v3#PwnedPasswords. This is checked when setting a new password or changing the existing one.

(default: disabled)

Password rules for packages

...

Minimum password length for password protected packages. For security reasons this cannot be set lower than 8 characters.

(default: 8)

Password must contain

By checking the required character groups (lowercase and uppercase letters, digits, symbols) it is possible to increase the complexity of the passwords used. The following characters are considered symbols: ! @ # $ % ^ & *. The character groups are checked when setting a new password or changing the existing one.

(default: all unchecked)

Forbid leaked passwords usage

When enabled, ensures that any new password does not appear in a known password data breach. The "Have I Been Pwned (HIBP)" service is used for this check. The password itself is not sent anywhere; only the first 5 characters of the SHA-1 hash of the password are sent. For more information see: https://haveibeenpwned.com/API/v3#PwnedPasswords. This is checked when setting a new password or changing the existing one.

(default: disabled)
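The three rule sets above (for administrators, users and packages) share the same checks: a minimum length, optional required character groups with the symbol set ! @ # $ % ^ & *, and an optional HIBP breach check that sends only the first 5 characters of the SHA-1 hash and compares the returned suffixes locally. The following is an added example that is not SOFiE's own code: it implements those checks in Python with a constructed, offline stand-in for the HIBP range response. The `fetch_range` callback, the sample password and the breach count `1234` are assumptions made for the example; the live endpoint shape `https://api.pwnedpasswords.com/range/<prefix>` is the one documented by HIBP.

```python
import hashlib
from typing import Callable, List, Tuple

# Symbol set exactly as the settings page defines it.
SYMBOLS = set("!@#$%^&*")
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def check_policy(password: str, min_length: int = 8, require_lower: bool = False,
                 require_upper: bool = False, require_digit: bool = False,
                 require_symbol: bool = False) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    if min_length < 8:
        # Mirrors the page: the minimum cannot be configured below 8.
        raise ValueError("minimum length cannot be set lower than 8 characters")
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if require_lower and not any(c.islower() for c in password):
        problems.append("missing lowercase letter")
    if require_upper and not any(c.isupper() for c in password):
        problems.append("missing uppercase letter")
    if require_digit and not any(c.isdigit() for c in password):
        problems.append("missing digit")
    if require_symbol and not any(c in SYMBOLS for c in password):
        problems.append("missing symbol (one of ! @ # $ % ^ & *)")
    return problems


def hibp_split(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and the suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity range check: only the prefix leaves the host; matching is done on the reply."""
    prefix, suffix = hibp_split(password)
    body = fetch_range(prefix)  # response lines look like "<35-char suffix>:<count>"
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for the HIBP reply so the example runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the count 1234 is made up.
FAKE_RANGES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:3\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"
             "8B7A1A7A0E1D2C3B4A5F6E7D8C9B0A1F2E3:1\n",
}


def fake_fetch_range(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real lookup against HIBP (not used by the offline example)."""
    from urllib.request import urlopen  # local import: only needed when online
    with urlopen(HIBP_RANGE_URL + prefix) as resp:
        return resp.read().decode("utf-8")


def validate_new_password(password: str, forbid_leaked: bool = True,
                          fetch_range: Callable[[str], str] = fake_fetch_range,
                          **policy) -> List[str]:
    """Combine the complexity rules with the optional breach check, as the settings page describes."""
    problems = check_policy(password, **policy)
    if forbid_leaked:
        hits = hibp_breach_count(password, fetch_range)
        if hits:
            problems.append(f"found in {hits} known breaches")
    return problems


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "short"):
        print(pw, "->", validate_new_password(pw, require_lower=True, require_upper=True,
                                              require_digit=True, require_symbol=True) or "OK")
```

Note that `hibp_split` upper-cases the hex digest before splitting; HIBP returns suffixes in upper case, so a lower-case local suffix would never match and every password would wrongly pass the breach check.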

Mandatory package password - not logged in user

Enforces that a password is set for package access if the package is uploaded by a NOT LOGGED IN (anonymous) user. If enabled, a package cannot be sent without a password that complies with the rules above.

(default: disabled)

Mandatory package password - logged in user

Enforces that a password is set for package access if the package is uploaded by a LOGGED IN user. If enabled, a package cannot be sent without a password that complies with the rules above.

(default: disabled)

Password reset link lifetime

...

If a local user (see user types) has problems logging in and requests a password reset, a notification containing a temporary unique link that allows them to set a new password is sent to their email address. This setting specifies for how many minutes this temporary link is valid.

(default: 30)

For administrator requested reset

If the administrator requests a password reset for a local user, a notification containing a temporary unique link that allows the user to set a new password is sent to the user's email address. This setting specifies for how many minutes this temporary link is valid.

(default: 1440 = 24 h)

For newly created user and administrator accounts

When creating a new local user or administrator, the administrator can, instead of setting the password directly, send a temporary unique link that allows the recipient to set their initial password themselves. This setting specifies for how many minutes this temporary link is valid.

(default: 20160 = 14 days)

Login and authorization lifetime

...

Lifetime of authentication JWT tokens in seconds (60 - 1000000). The token is renewed on every user action, so this value also acts as the session idle timeout before logout.

(default: 1800 = 30 min)

Maximum login session timeout

Absolute lifetime of authentication JWT tokens in seconds (60 - 1000000). After this time the token can no longer be renewed by user action and the user is logged out.

(default: 28800 = 8 h)

Password protected package access validity

Number of seconds for which a password protected package can be accessed without re-entering the password (60 - 1000000).

(default: 1800 = 30 min)

Validity period of one access to a package with a limited number of accesses

Time in seconds allowed to access a package with a limited number of accesses that will count as one access (60 - 1000000).

(default: 1800 = 30 min)

reCaptcha

reCAPTCHA secret key

...

Sets the reCAPTCHA score threshold, i.e. the score above which a request is not considered spam (a number from 0 to 1, see https://developers.google.com/recaptcha/docs/v3#interpreting_the_score). The recommended default value is 0.5.

(default: 0.5)

Enable reCAPTCHA results logging

Enables or disables the logging of reCAPTCHA test results into the audit log. This should be enabled only temporarily while debugging problems with sending packages, because it may create a large number of log entries.

(default: disabled)

Other settings

Trusted proxies

...