Account Configuration

How to View Subscription Information

To access the Subscription Information workspace, follow these steps:

1. Click the Admin tab.
2. Click Subscription Details.

Session Settings

The Session Timeout controls how long the application can be open on someone's computer before the system automatically logs them out. By setting a short session timeout, you can make it harder for unauthorized users to access your account. For example, if a user logs in, then walks away from the computer, the session will time out, preventing someone else from using that computer to access the account.

As a best practice, consider a 20 minute Session Timeout.

The Require Secure Connections (https) option decides whether people must log in to your system using a secure connection. For most users, selecting this checkbox has no practical impact on how you use the system, but using the secure connection helps prevents people from reading users; traffic and stealing usernames and passwords. A secure connection also helps protect your subscribers' private information.

Unless there is a specific reason not to, everyone should Require Secure Connections.

Note: The Require Secure Connections (https) checkbox does not enforce secure connections for the API. API users must use secure connections through a separate process.

Username and Logins

The Login Expires After Inactivity setting prevents a user from logging in to the account after not logging in for a number of days. For example, if you set this value to 90 days and a user does not log in for 90 days, then the user's login information must be reset. This setting helps prevent unauthorized users from exploiting old accounts.

As a best practice, set the value to 90 days or less.

The Invalid Logins Before Lockout setting determines how many chances a user gets to enter the right password for a username before the system requires them to reset the password. This settings helps prevent unauthorized users from guessing a password by trying over and over.

As a best practice, set the value to 3.

The Count Invalid Logins Across Sessions setting works with the Invalid Logins Before Lockout Setting. By counting invalid logins across session, you prevent an unauthorized user from resetting the count of wrong passwords by closing the browser window and opening a new one.

Everyone should set this field to Yes.

The Minimum Username Length setting determines how many characters must be in a user's password. A longer username is more difficult to use a computer to guess. Email addresses can be good usernames because they are long, unique, and easy for the user to remember, however, they can be easy to guess if your company's email addresses are widely known.

As a best practice, your usernames should require at least eight characters.

Password Policies

The Minimum Password Length setting determines how many characters must be in a user's password, and the Password Complexity determines the types of characters that must appear in the password.

A longer password is more difficult to guess because of the number of possibilities. For example, if a password is one letter long, there are only 52 possibilities to guess (all the lower-case and all the upper-case letters). However, if a password is two letters long, there are 2704 possible combinations. A few thousand possible combinations may seem like a lot to you, but that is a very small number for the programs that specialize in guessing passwords. The longer the password, the more difficult to guess. Add in the possibilities from number and special characters, and the difficulty of guessing the password goes up.

As a best practice, set the Minimum Password Length value to at least 8. To encourage your users to create longer passwords, ask them to develop a passphrase with multiple words. For example, the passphrase How_do_I_love_thee,_let_me_count_the_ways:123 is 45 characters, but still very easy to remember. The phrase should be something personal so it's easy to remember, but not easy for people you know to guess.

The Enforce Password History setting determines how frequently a user can reuse a password, and the User Passwords Expire In setting determines how often users must create new passwords. For example, a user might use just two different passwords and alternate between them. If one of those passwords is compromised, then the unauthorized user who knows the password has access to the system half of the time. Enforcing a longer history reduces the time unauthorized user has access.

Some users will include a number in their password and increment the value. The system will allow this, but it is not a very secure password. Setting the password expiration to be too short can encourage this behavior, and other non-secure activities, such as writing passwords down. A shorter expiration is more secure only if it doesn't cause users to compromise their passwords.

As a best practice, set the Enforce Password History value to at least 8. Set the User Passwords Expire In value to 90 days.

The Exclude API Users From Password Expiration field allows you to set users with the API User checkbox selected to avoid having to change their password. This is a convenience for applications, but it comes with the price of very high risk. An API user may be the easiest to compromise because there is not necessarily a human monitoring the activity to see when unusual things happen.

Unless absolutely necessary, do not select this option. Instead, have API users schedule time to change the API user password when necessary.

The Send Password Change Confirmation Email decides whether the system sends an email notification to a user after a password is changed. The email helps alert a user to suspicious activity on their account. 

Everyone should select this option.