As data breaches become more common, organizations start re-examining their security policies. In particular, they look at how their employees access company cloud-based services. In the past, IT teams would secure employee devices and tools with VPNs or company-owned hardware. But the rise of cloud applications and mobile devices brought new security challenges. Employees can now work from anywhere, on any device, and use various networks to access company data. Hackers can use that to intercept employee passwords and find an easy way to gain access to corporate systems. That’s why IT leaders need to take action now and protect their organizations against these threats. And the password security problem should be at the forefront of their mind.
Password Policy in Jira
A report by Preempt revealed that 19% of enterprise professionals tend to use weak passwords or share them, which makes their accounts easily compromised. If your team uses Jira in their daily work, you need to make sure that their accounts are protected by strong passwords that are changed on a regular basis and match the industry standards. We designed the Enterprise Password Policy app to do just that.
Jira offers a password policy feature out-of-the-box, which enables administrators to set restrictions and limits on the types of passwords for Jira users. This feature is disabled by default, so to take advantage of it, you first need to turn it on and configure it according to these instructions. Remember that the policy will only work as long as Jira users can change their passwords. For example, if your Jira instance is connected to Active Directory, it doesn’t make sense to use this feature. Our app complements it and gives Jira administrators full control over various aspects related to setting, managing, and renewing passwords.
Enterprise Password Policy – key features
We designed the app to boost the strength of user passwords on the basis of rules defined by Jira administrators. Here are some key features of Enterprise Password Policy that come in handy to every administrator who wants to ensure the top security of their Jira instance:
- Setting the rules passwords must meet to be valid. With the Password Policy app, administrators can configure requirements for passwords. For example, they can set the minimum number of characters that passwords should contain, the number of uppercase and lowercase characters, the number of non-alphanumeric characters, and the number of digits. Naturally, administrators can also set a maximum password length rule that enables only specific password lengths in their system.
- Maximum password age. Administrators can force a password change on Jira users periodically with this feature by setting the number of days a password is valid. Once this period expires, the user will have to change the password.
- Blocking user accounts after password expiration. Users who did not change their password before it expired will no longer be able to log into the system. The administrator can enable this function by setting the number of days from password expiration after which the user account will be locked.
- Blocking accounts after a given date. This feature will come in handy to administrators who want to set up temporary accounts. For example, if you employ external suppliers or temporary workers, your administrator can create a Jira account for them that will be automatically locked after a particular date if the user tries to log in again.
- Notifying password expiration. If enabled, this feature checks user passwords every minute and sends a notification to those whose passwords are nearing their expiration date. That way administrators can make sure that users receive information about the password policy right on time without having to set up alarms manually.
- Password history. Another smart feature you can use to better protect your Jira instance is making sure that users don’t set passwords they have used previously.
How to use Enterprise Password Policy?
The app will support only users located in the Jira Internal Directory. After the first login, new users will be redirected to a special change password page where they have to input their password to be validated. That’s where administrators make sure that new passwords meet their rules.
Here is what the change password page looks like:
Users will see all the rules defined by the administrator for creating a new password. In this example, a valid password must match at least three of the four rules established by the administrator in the bullet point list. Moreover, the administrator also defines the length of the password between 8 and 250 characters and reminds users that they can’t set a password they have used previously.
If the administrator enables the password expiration notifier, users will get an email with information that their password stored in Jira, Confluence, and Bitbucket server will expire soon. Administrators can change the content of the email message to match their needs. If the password expiration policy is enabled for Jira users, the users whose passwords have expired will be forced to change their password while attempting to log into Jira, Confluence, and Bitbucket server. If their account is locked, their attempt to log in will fail, and they will see the following message: ‘Your password has expired and must be changed.’
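The rules from the example above (length between 8 and 250, at least three of the four character rules, no reuse, expiry followed by a lock) can be sketched as follows. This is an added illustration, not the app's code. The names `Policy`, `violations` and `account_state` are hypothetical, and the 90-day and 14-day values and the PBKDF2 history storage are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

@dataclass
class Policy:  # hypothetical structure; lengths and 3-of-4 mirror the page's example
    min_len: int = 8
    max_len: int = 250
    required_classes: int = 3   # at least three of the four character rules
    max_age_days: int = 90      # constructed value
    lock_after_days: int = 14   # constructed value: grace period before lock

def _digest(password: str, salt: bytes) -> bytes:
    # History keeps only salted, slow hashes, never plaintext (assumed storage)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def history_entry(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _digest(password, salt)

def violations(password: str, policy: Policy, history: list) -> list[str]:
    """Return the names of the rules the candidate password breaks."""
    problems = []
    if not policy.min_len <= len(password) <= policy.max_len:
        problems.append("length")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < policy.required_classes:
        problems.append("composition")
    # Re-hash the candidate under each stored salt; compare in constant time
    if any(hmac.compare_digest(_digest(password, s), h) for s, h in history):
        problems.append("reused")
    return problems

def account_state(last_changed: date, today: date, policy: Policy) -> str:
    """active -> must_change (expired) -> locked (grace period over)."""
    age = (today - last_changed).days
    if age <= policy.max_age_days:
        return "active"
    if age <= policy.max_age_days + policy.lock_after_days:
        return "must_change"
    return "locked"
```
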
As Andrew Rossow stated in the Forbes article, ‘Security should be as easy to use as apps – swiping, shaking and a few clicks should get you what you want.’ With our app, you can protect your organization from security breaches by enforcing a smart password policy which ensures that users create passwords according to your rules, never share or reuse them, and fail to log in once they expire.
Curious about Enterprise Password Policy? You can have a free 30-day trial on the Atlassian Marketplace to see the security benefits it can bring to your organization.
Also published on the Atlassian Community.