Sugar allows administrators to set up a vast range of password security features to ensure that the Sugar instance remains safe and secure.
To set up password management features, an admin user navigates to the Administration page and opens Password Management. This is where the organisation's requirements are configured, including a minimum and maximum password length, along with further options to ensure that all passwords that are set are secure and safe. The further options that can be enabled are:
- Must contain one upper case letter (A-Z)
- Must contain one number (0-9)
- Must contain one lower case letter (a-z)
- Must contain one of the following special characters (~,!,@,#,$,%,^,&,*,(,),_,+,-,=,{,},|)
Admin users also have an ‘Advanced Option’ to set a Regex Requirement if the organisation requires one.
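To make the rules above concrete, here is an added example (not Sugar's own code) of a validator that applies the configurable length limits, the four character-class options and an optional regex requirement. The policy field names and the sample regex are this example's own assumptions; the special-character set is the one listed above. Character classes are checked with explicit A-Z / a-z / 0-9 ranges rather than `str.isupper()` so that accented or other Unicode letters do not satisfy a rule the page defines in ASCII terms.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Special characters as listed on the Password Management page.
SPECIAL_CHARS = set("~!@#$%^&*()_+-={}|")


@dataclass
class PasswordPolicy:
    """Requirements an administrator can switch on. Field names are this
    example's own, not Sugar's configuration keys."""
    min_length: int = 8
    max_length: int = 64
    require_upper: bool = True
    require_digit: bool = True
    require_lower: bool = True
    require_special: bool = True
    regex_requirement: Optional[str] = None  # the 'Advanced Option' regex, if any


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of rules the password violates; an empty list means it passes.
    Every rule is evaluated so the user sees all failures at once."""
    failures: List[str] = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        failures.append(f"longer than {policy.max_length} characters")
    if policy.require_upper and not any("A" <= c <= "Z" for c in password):
        failures.append("missing an upper case letter (A-Z)")
    if policy.require_digit and not any("0" <= c <= "9" for c in password):
        failures.append("missing a number (0-9)")
    if policy.require_lower and not any("a" <= c <= "z" for c in password):
        failures.append("missing a lower case letter (a-z)")
    if policy.require_special and not any(c in SPECIAL_CHARS for c in password):
        failures.append("missing a special character")
    # re.search, not re.match, so an admin-supplied pattern behaves as a plain regex
    # requirement; anchor it with ^ and $ in the pattern itself when needed.
    if policy.regex_requirement and not re.search(policy.regex_requirement, password):
        failures.append("does not match the regex requirement")
    return failures


if __name__ == "__main__":
    # Constructed regex: reject any two identical adjacent characters.
    policy = PasswordPolicy(regex_requirement=r"^(?!.*(.)\1)")
    for candidate in ("password", "Tr0ub4dor&3", "Passw00rd!"):
        print(candidate, "->", check_password(candidate, policy) or "OK")
```

Returning every violated rule rather than stopping at the first one is what lets the login or profile form show the user a complete list of what to fix.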
When it comes to managing password creation for users, admins have the option of enabling system-generated passwords: when a user is set up, or when an administrator selects ‘Reset Password’, the user receives an email containing a randomly generated password. To use system-generated passwords, the user must have a valid primary email address configured in their user profile and the system outbound email server (SMTP) must be configured; if either of these is incomplete, the user will not receive an email containing the password.
For further security, administrators can set an expiration on system-generated passwords, specifying how long they last before the user is forced to create a new unique password (days, weeks or months), or an expiration based on the number of logins allowed before the user is forced to create their own unique password. If a user has forgotten their password, admins can enable the user reset password function. When enabled, a link is displayed on the Sugar login window; if a user selects it, they are sent an email guiding them through the process of resetting their password. As with the system-generated password feature above, the user reset password feature requires a valid primary email address in the user's profile and a configured system outbound email server (SMTP). Sugar comes with two standard email templates, one for system-generated passwords and one for the reset password email; both templates can be edited or replaced.
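The following added example (not Sugar's code) models the two mechanics in this paragraph: issuing a system-generated password only when the prerequisites are met, and expiring it either after a period of time or after a number of logins. Password generation uses the `secrets` module so the value is drawn from a CSPRNG, and each character class is guaranteed by construction rather than by retrying. The `User` and `PasswordRecord` types, the `smtp_configured` flag and the sample users are this example's own assumptions.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Character classes matching the complexity options on the Password Management page.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "~!@#$%^&*()_+-={}|"
_rng = secrets.SystemRandom()  # CSPRNG-backed choice and shuffle


def generate_system_password(length: int = 16) -> str:
    """Build a random password that satisfies all four character-class rules by
    construction: one character from each class, the rest from the full alphabet,
    then a CSPRNG shuffle so the class positions are not predictable."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    pool = UPPER + LOWER + DIGITS + SPECIAL
    chars = [_rng.choice(UPPER), _rng.choice(LOWER), _rng.choice(DIGITS), _rng.choice(SPECIAL)]
    chars += [_rng.choice(pool) for _ in range(length - 4)]
    _rng.shuffle(chars)
    return "".join(chars)


@dataclass
class User:
    username: str
    primary_email: Optional[str]  # None when no primary address is configured


@dataclass
class PasswordRecord:
    """Expiry state for one issued system-generated password."""
    issued_at: datetime
    expires_at: Optional[datetime]  # None: no time-based expiry
    max_logins: Optional[int]       # None: no login-count expiry
    logins_used: int = 0


def issue_system_password(user: User, smtp_configured: bool, now: datetime,
                          expire_after: Optional[timedelta] = None,
                          max_logins: Optional[int] = None):
    """Return (password, record), or None when the prerequisites the page names
    (a primary email address and a configured SMTP server) are missing: with no
    way to deliver the email, nothing is issued."""
    if not user.primary_email or not smtp_configured:
        return None
    record = PasswordRecord(
        issued_at=now,
        expires_at=now + expire_after if expire_after else None,
        max_logins=max_logins,
    )
    return generate_system_password(), record


def must_change_password(record: PasswordRecord, now: datetime) -> bool:
    """True once either expiry condition is met; the user must then set their own password."""
    if record.expires_at is not None and now >= record.expires_at:
        return True
    if record.max_logins is not None and record.logins_used >= record.max_logins:
        return True
    return False


def record_login(record: PasswordRecord, now: datetime) -> bool:
    """Count a successful login and report whether a password change is now required."""
    record.logins_used += 1
    return must_change_password(record, now)


def expiry_walkthrough() -> dict:
    """Worked sequence with constructed users: a 7-day / 3-login expiry policy."""
    now = datetime(2024, 1, 1, 9, 0)
    results = {}
    results["no_email"] = issue_system_password(User("bob", None), True, now)
    results["no_smtp"] = issue_system_password(User("carol", "carol@example.com"), False, now)
    _, record = issue_system_password(User("alice", "alice@example.com"), True, now,
                                      expire_after=timedelta(days=7), max_logins=3)
    results["fresh"] = must_change_password(record, now)
    results["after_logins"] = [record_login(record, now + timedelta(days=i)) for i in (1, 2, 3)]
    time_only = PasswordRecord(now, now + timedelta(days=7), None)
    results["after_8_days"] = must_change_password(time_only, now + timedelta(days=8))
    return results


if __name__ == "__main__":
    print(generate_system_password())
    print(expiry_walkthrough())
```

Checking the expiry on every authentication (rather than only on a scheduled job) is what makes the login-count variant work: the third login succeeds but immediately redirects the user to set a password of their own.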
Within Password Management there is also the option to enable CAPTCHA validation; when enabled, a user attempting to use the forgot password feature must complete a CAPTCHA. There is also a Honeypot validation option which, when enabled, adds an invisible input field to the forgot password form that only bots reading the raw HTML will see. When a bot fills in the honeypot field, Sugar knows to disregard the submission since it was not created by a human.
As an added security benefit, admins can set an expiration for all user-generated passwords, forcing users to update their passwords after a certain time period or after a certain number of logins. To further prevent unauthorised logins Sugar has a lockout function: after a defined number of unsuccessful login attempts the username is locked out and unable to attempt to log in for a given amount of time, which can be set in minutes, hours or days.
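The lockout behaviour described above, as an added example that is not Sugar's code: failed attempts are counted per username, the configured number of failures locks the account for the configured duration, and the counter resets once the window has elapsed or a login succeeds. Each decision is also appended to an audit list so the events a SOC would want to alert on (repeated failures, lockouts) are visible. The `LockoutPolicy` fields, the demo credential store and `demo_verify` are this example's own assumptions; a real system would compare password hashes, not plaintext.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class LockoutPolicy:
    """Lockout settings as on the Password Management page; names are this example's own."""
    max_attempts: int = 5
    lockout_duration: timedelta = timedelta(minutes=15)  # minutes, hours or days


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class LoginGuard:
    """Tracks failed logins per username and enforces the lockout window.
    attempt() returns 'ok', 'denied' or 'locked' and records an audit line."""

    def __init__(self, policy: LockoutPolicy, verify: Callable[[str, str], bool]):
        self.policy = policy
        self.verify = verify
        self.state: Dict[str, AttemptState] = {}
        self.audit: List[str] = []

    def attempt(self, username: str, password: str, now: datetime) -> str:
        st = self.state.setdefault(username, AttemptState())
        if st.locked_until is not None:
            if now < st.locked_until:
                self._log(now, username, "locked")  # still inside the lockout window
                return "locked"
            st.failures, st.locked_until = 0, None   # window elapsed; start fresh
        if self.verify(username, password):
            st.failures = 0
            self._log(now, username, "ok")
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_duration
            self._log(now, username, f"locked until {st.locked_until.isoformat()}")
            return "locked"
        self._log(now, username, f"denied ({st.failures}/{self.policy.max_attempts})")
        return "denied"

    def _log(self, now: datetime, username: str, outcome: str) -> None:
        self.audit.append(f"{now.isoformat()} user={username} outcome={outcome}")


# Constructed credential store for the demo only; a real system stores password hashes.
_DEMO_USERS = {"alice": "Tr0ub4dor&3"}


def demo_verify(username: str, password: str) -> bool:
    """Constant-time comparison so timing does not leak how much of the password matched."""
    expected = _DEMO_USERS.get(username, "")
    return hmac.compare_digest(expected.encode(), password.encode()) and username in _DEMO_USERS


def lockout_walkthrough() -> List[str]:
    """Three wrong passwords, then the right one during and after a 10-minute lockout."""
    policy = LockoutPolicy(max_attempts=3, lockout_duration=timedelta(minutes=10))
    guard = LoginGuard(policy, demo_verify)
    t0 = datetime(2024, 1, 1, 9, 0)
    outcomes = [guard.attempt("alice", "wrong", t0 + timedelta(seconds=s)) for s in (0, 5, 10)]
    outcomes.append(guard.attempt("alice", "Tr0ub4dor&3", t0 + timedelta(minutes=1)))
    outcomes.append(guard.attempt("alice", "Tr0ub4dor&3", t0 + timedelta(minutes=11)))
    return outcomes


if __name__ == "__main__":
    print(lockout_walkthrough())
```

Because the lock is keyed on the username, as the page describes, anyone who knows a username can keep it locked by submitting wrong passwords; when choosing the attempt count and duration, weigh that denial-of-service risk against the brute-force protection, and make sure the audit lines reach a log that is monitored.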
As a final security measure, Sugar can also use external authentication such as LDAP and SAML.