Question about Password policies in Epicor

Good insight Jose, thanks for the responses!


Hey all,

I haven't seen anything in Epicor, or in searching this group regarding this so I'll ask the question:

Is there any way to set different rule requirements on Epicor User Account passwords? I'm thinking rules such as minimum number of characters, requiring mixed characters (lower/uppercase, numbers and symbols), not allowing the same password after a password expires, etc.

For our annual IT audit, the auditors are hounding me a bit on the security of our Epicor User Accounts, hence the need for this.

What have you all done to solve this problem? At this point we are using the built-in Epicor authentication; I'm planning on moving to SSO (single sign on) with our AD once we upgrade to Epicor 10 later this year—which would definitely take care of this issue.

But is SSO/AD the only way we have to ensure strict password requirements for Epicor User Accounts? I'd love to hear your feedback/experiences on this!

Thanks in advance,

Ben Ahlquist

You could write BPMs to check for different lengths and things of that sort. Though you'd be hard pressed to do the "previous passwords bit" this way without tracking all the passwords yourself.

Jose C Gomez
Software Engineer

T: 904.469.1524 mobile

Quis custodiet ipsos custodes?
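
The checks discussed in this thread (minimum length, mixed character classes, no reuse of earlier passwords), as an added example that is not part of the original posts and is not Epicor BPM code. It is plain Python with assumed policy values and hypothetical function names, and it keeps the history as salted PBKDF2 digests so that no plaintext password is tracked.

```python
import hashlib
import hmac
import os
import string

# Assumed policy values for illustration; these are not Epicor settings.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 200_000

def policy_violations(password):
    """Return the list of complexity rules the candidate password fails."""
    rules = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in string.punctuation for c in password), "no symbol"),
    ]
    return [msg for ok, msg in rules if not ok]

def _derive(password, salt):
    # Slow, salted derivation: the stored history is costly to brute-force.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def history_entry(password):
    """Build the (salt, digest) pair to store; the plaintext is never kept."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)

def is_reused(password, history):
    """True if the candidate matches any stored (salt, digest) entry."""
    return any(hmac.compare_digest(_derive(password, salt), digest)
               for salt, digest in history)

def change_password(password, history):
    """Validate a candidate; on success return the updated history (newest last)."""
    problems = policy_violations(password)
    if is_reused(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return False, problems, history
    # Keep only the most recent HISTORY_DEPTH entries.
    return True, [], (history + [history_entry(password)])[-HISTORY_DEPTH:]
```

Each history entry has its own salt, so the reuse check re-derives the candidate once per stored entry; the history depth therefore bounds the cost of a password change.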

On Fri, Feb 13, 2015 at 1:03 PM, benahlquist@... [vantage] <> wrote:


Thanks for the quick response Jose!

So do you tend to see folks go two basic routes?

1.) Use Epicor authentication and don't worry about strict password rules

2.) Use SSO and pass on the strict password responsibility to Active Directory

I'm just trying to gauge what the common practice is here.

I seldom find anyone using Epicor std Auth and worrying about password policies.... the few that do.... would implement BPMs and such as I mentioned
SSO works well enough (in most recent versions).... though I would say only about 20% or so of people use it.

My guess would be that if you are terminated from company X your VPN access is removed so access to the ERP is not really an issue.... and most people do not run their ERP over the WAN where the password policy could be a big issue.

Jose C Gomez
Software Engineer

T: 904.469.1524 mobile

Quis custodiet ipsos custodes?

On Fri, Feb 13, 2015 at 1:25 PM, benahlquist@... [vantage] <> wrote:
