Enhanced Security Features

Written by Philippe Dame • Posted on August 29, 2014
With a long history of building enterprise-grade software, we’ve drawn on our experience to extend Recollective functionality to protect the integrity of all user accounts. As part of the Recollective Release: August 2014, you can now visit Site Administration > Site Setup > Account Settings to...
  • Enable and configure an automated password expiry policy
  • Block the re-use of past passwords for a customized duration
  • Block too many failed attempts to login with a temporary account lockout
  • Limit session duration and use or duration of the "Remember Me" function
  • Optionally use non-reversible password encryption
These new features add to the already extensive suite of security-related software features. For more information, or to learn about an Enhanced Security infrastructure package, please contact us.

Advanced Password Rules

Recollective has always been able to force password length and complexity, but in this release we’ve added the ability to force periodic password changes and to block the re-use of past passwords. Password_Rules Administrators can configure when passwords expire, how soon participants are warned, any grace period provided after expiry and how far back the system should go when blocking previously used passwords.

Account Security

The most vulnerable part of any application is often where participants and administrators are authenticated. Many administrators don’t want to ask participants to create and remember very complex passwords and thus we must ensure that any attempt to guess passwords be severely limited. Recollective now includes the ability to limit login attempts to the same account. You are able to set how many failed attempts are permitted before a lockout period is imposed on that account. A lock can be immediately removed by doing a password reset (which goes through the registered email address of the account holder) or by asking an administrator to unlock the account via the Site Administration area. Security_Accounts One or more administrators can be notified every time an account lock is imposed. It will report which account was locked, the user’s operating system, browser, IP address and location. For comparison, the same data is provided for the last successful login on that account. A link is provided directly to the Site Administration area where an “Unlock” button can be selected.

Session Security

Once a participant or administrator is authenticated, they have a session in the application. This permits them to travel from page to page without being logged out. New security settings now lets sites customize how long those sessions last after a user has been inactive. A different value can be set for participants and administrators. During the login process, users can be permitted to activate a “Remember Me” option. This tells Recollective to trust the specific computer or device being used in the future. Recollective will automatically login the user on that computer. You can now control if that option is available and for how long that trust should last. Security_Session Please note that if a user chooses “Remember Me” and later selects the “Logout” option, this will cancel the “Remember Me” setting. If you are using a shared or non-secure computer, you should always manually logout of your account as a precaution.

Password Encryption

Account passwords are stored by Recollective using strong symmetrical encryption. This means the software can decrypt the password when required. This is used primarily to help imported participants that must be communicated their (often temporary) passwords. For extremely security conscious organizations, the sharing of passwords in email or on-screen is deemed a risk and they prefer to have passwords stored such that they can be verified but never decrypted, even by Recollective. In this release, we have introduced a new option to enable non-reversible password encryption. It is available upon request and should be enabled during the site setup process. The setting can be changed mid-study but every account password would be invalidated (each user would need to do a password reset). If you’d like to learn more about Recollective security, please contact us today.
READ MORE about the Recollective Summer Release: August 2014

Want to chat about this topic?

Get in touch!