How to Set Up Secure Passwords for Users in CBAS 20
Cybersecurity in today’s modern world is serious business. As the technologies used in Smart Buildings become more advanced it is important to ensure that the components that make up these systems are secure in an effort to mitigate the risk of cyberattacks.
Computrols consistently develops and improves the security of our products in an effort to ensure the security of the systems that our products control within the buildings that we live, work, learn, and play.
For this reason, it is important to ensure you stay up-to-date with software upgrades as each new release typically offers security enhancements.
In CBAS 20 there are enhanced password features. As part of the upgrade from a legacy version of CBAS to CBAS 20, we suggest taking this opportunity to clean up the users in your database, review the access levels assigned to each user, and to make sure that each user has their own unique credentials to ensure that usernames and passwords are not being shared or left behind once someone has moved on.
Initially, there are three steps we recommend. First we must make sure that anyone who wants to command a point (like change a setpoint or turn on\off a piece of equipment) has to log in before doing so. This means taking away any rights from the Default User other than viewing the database. Default is the user that is enabled after an inactivity timeout or a user logs out. You should always log out when you are about to walk away from CBAS, or you risk being given credit for something someone else did after you left.
Second, all users must have a CBAS 20 login for this to work. Limit the user’s rights based on their knowledge, training and experience level. After the fact, the User Activity report can be used to see who did what to what point. The CBAS 20 Manual on our website has detailed instructions on setting up users and running reports.
Third, there are options for enforcing strong passwords to be used. This is done by requiring users to have more complex passwords. On the System Menu in CBAS, go to Setup Passwords. You might have to log in to see this on the menu. The settings apply to all Users in the system including Computrols.
To configure this, first set a minimum character length requirement for passwords in the database. Most sites require 8 characters.
Next, you can check the boxes to:
Require at least one Upper Case Letter,
Allow lower case letters,
Require at least one numeric digit,
Require at least one special character. The possible characters are shown.
To the right you are given a rating up to 5 stars for password strength requirements.
Next, you can set a number of days before passwords expire. This defaults to zero which indicates the feature is not being used. To use this feature simply enter a numeric value that aligns with the number days the account can be used prior to expiration.
To use this feature, enter a number that locks the user out after so many failed attempts to log in. Leave default 0 to not use this feature. The expiration feature can be used without locking a user out.
You can also set the number of attempts a user has to successfully login prior to being locked out.
There is also a feature that allows you to use a fingerprint reader to log in. This was initially added to work with our Critical Alarm Workstation feature.
Once edited and saved, if you go back it will show you when and who edited the settings last.
In the bottom grid, the users are listed and whether or not their passwords meet the criteria.
IF THE USER DOES NOT MEET THE CRITERIA, THEY WILL NOT BE ABLE TO LOG IN!
This means passwords must be changed after setting the requirements.
There will be a YES in the Locked Out column if the user is locked out after failed attempts.
The last column gives the password strength rating.
If a user is locked out, an Advanced User can go into Program Passwords and unlock the user.
An “Advanced User” is one that has the Advanced User box checked.
Everything that the Advanced User checkbox enables is listed in the CBAS 20 Manual, Chapter 6: System Menu.
One other thing you can do to increase security is to shorten the Inactivity Timeout. This is done in System, Configure Workstation and is 30 minutes by default.