Making regular password changes mandatory

26. oktoober 2022


Erply allows an account administrator to define a policy that users must regularly change their passwords. This article explain how to configure the feature and how it works.

Mandatory password changes: a good practice or not?

Enforcing mandatory password changes is not universally regarded as a good security practice. Users often follow very simple patterns to pick their successive passwords (for example, by appending “1”, “2”, “3” to the original one) and might be tempted to use simpler passwords overall, even if they initially made an effort to create a strong random password. Deploying password management tools and educating users might have a more positive effect on security than enforcing regular password changes.

However, if mandatory password changes are a corporate security requirement, Erply has all the necessary tools for compliance.

Recent changes

The feature has been revised in October 2022. Earlier, mandatory password changes were a discretionary feature (a recommendation rather than a hard policy) that only worked in limited apps: login.erply.com and Brazil POS.

Now Erply is stricter: it blocks all access for a user whose password has expired. If you have turned the feature on in the past and it recently started working differently, please read the documentation below: it explains how to reconfigure or disable it.

Setup

Mandatory password changes can be enabled from “Settings” > “Configuration Admin” > “Login & security settings” in back office.

(If your account does not have the new menu bar and therefore no “Configuration Admin” option under “Settings”, please ask customer support to update the menu bar, or visit the following URL directly: 

https://conf-admin-ui.erply.com/?clientCode=<your account number goes here>

Configuration options.

In addition to checking the box “Users are required to regularly change their passwords”, please also:

  1. Specify the password change interval in days.
  2. Check the box “Users cannot re-use old passwords”.
  3. Specify how many previous passwords are disallowed for reuse. 

Integration users

Your account may be integrated with various external services: accounting, e-commerce, logistics partners, ERP systems. Please not that all these integrations, too, use a username and password for authentication.

You should turn off the password change requirement for these users. An automated service is unable to pick a new password, and should not have to.

First, please make sure that all integrations are configured with dedicated usernames. It is a good practice to create a separate username for each such service, rather than set up these services with your own login credentials. 

Secondly, please make sure the integration users are in their own user group (that is, separated from actual human users). If they are not, you can make a copy of an existing user group.

For the integration user groups, uncheck the following box (in Settings > User groups):

User group etting.

How the feature works

When logging in with an expired password, the following error message appears in back office:

Error message in back office.

 

Passwords can only be updated in login.erply.com. Note that the error message contains a link to login.erply.com.

In login.erply.com, after re-entering your credentials, a password change dialog will appear:

Password change dialog.

 

When logging in with an expired password, Brazil POS reports error code 1219:

Error message in Brazil POS.

 

Berlin POS, unfortunately, will display a nondescriptive error:

Error message in Berlin POS.