User Password Security

XNAT provides secure storage for user passwords. Some security practices suggest requiring users to change their passwords on a regular basis. Sometimes events such as the discovery of a security vulnerability may necessitate requiring users to change their passwords if they haven't changed it since a particular date. XNAT 1.6.3 provides an easy-to-administer way to manage these requirements.

This feature was added in XNAT 1.6.3 and is not available in earlier versions. Earlier 1.6 releases did allow you to set a password expiration interval via a setting in the file, but had no way to expire all passwords set before a certain date.

In both cases, you need to open the security settings dialog. Just go to Administer->Configuration in your XNAT application. Once you're there, click the Security tab. Look for the Password Expiration section:

By default, password expiration is enabled and set to an interval of 365 days. You can change this to:

  • A smaller value (e.g. 90, to force a change every 90 days)
  • A greater value
  • 0, to disable required password resets altogether

There are differences of opinion in the security community about the effectiveness of requiring password changes at regular intervals. A good discussion of the pros and cons can be found here.

In some cases, you may want to force users to change their passwords if they have not been changed since a particular date. A good example of this is the Heartbleed vulnerability in the OpenSSL library. If your server ran a vulnerable version of OpenSSL, you would first patch the server to fix the immediate problem, and then force users to update any password they have not changed since the fix was applied.

To do this:

  1. Click the Date radio button in the Password Expiration section.
  2. Enter the desired date in the text box or click the Select Date button to use a pop-up calendar (you can click the Use Today's Date link to automatically populate the text box with the current date).
  3. Click Save.

After this, any user who logs in and has not changed their password since the configured date will be forced to change it before the login completes.
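To make the two modes concrete, here is an added example (illustrative code written for this page, not XNAT's own implementation) that models the login-time decision the text describes: an interval policy in days, where 0 disables expiry, and a cutoff-date policy that catches everyone who has not changed their password since that date. The user list, the patch date and the per-user "last changed" timestamps are constructed sample data, and the rule that a change made on the cutoff day itself counts as "since" is an assumption.

```python
# Added example modelling the XNAT password-expiration modes described above.
# Illustrative only; not XNAT's code. Field and policy names are assumptions.
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ExpirationPolicy:
    """Mirrors the Password Expiration settings: either an interval in days
    (0 disables required resets) or a fixed cutoff date."""
    mode: str                      # "interval" or "date"
    interval_days: int = 365       # interval mode only; 0 = disabled
    cutoff: Optional[date] = None  # date mode only


def reset_required(policy: ExpirationPolicy, last_changed: datetime, now: datetime) -> bool:
    """Decide at login whether this user must change their password.

    last_changed is when the user last set their password (assumed to be
    stored per user; the page does not name XNAT's actual field).
    """
    if policy.mode == "interval":
        if policy.interval_days <= 0:
            return False  # 0 disables required resets altogether
        return now - last_changed >= timedelta(days=policy.interval_days)
    if policy.mode == "date":
        if policy.cutoff is None:
            raise ValueError("date mode requires a cutoff date")
        # Assumption: a change made on the cutoff day itself counts as "since".
        return last_changed.date() < policy.cutoff
    raise ValueError(f"unknown mode: {policy.mode!r}")


def users_needing_reset(policy: ExpirationPolicy,
                        users: Dict[str, datetime],
                        now: datetime) -> List[str]:
    """Names of users who would be forced to reset at their next login."""
    return [name for name, changed in users.items()
            if reset_required(policy, changed, now)]


# Constructed sample data: the server was patched on 2014-04-10 and the
# cutoff date was set to that day; "now" is a login some weeks later.
PATCH_DAY = date(2014, 4, 10)
NOW = datetime(2014, 6, 1, 12, 0)
SAMPLE_USERS = {
    "alice": datetime(2013, 11, 20, 9, 30),   # changed well before the patch
    "bob": datetime(2014, 4, 10, 8, 0),       # changed on the cutoff day
    "carol": datetime(2014, 4, 15, 17, 45),   # changed after the patch
}

if __name__ == "__main__":
    interval = ExpirationPolicy(mode="interval", interval_days=50)
    cutoff = ExpirationPolicy(mode="date", cutoff=PATCH_DAY)
    print("50-day interval:", users_needing_reset(interval, SAMPLE_USERS, NOW))
    print("cutoff date:    ", users_needing_reset(cutoff, SAMPLE_USERS, NOW))
```

Note the difference between the two modes on the same data: the interval policy flags anyone whose password is simply old, while the cutoff policy flags only passwords that predate the fix, which is the narrower set you want after an incident like the one described.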

You may want to set a message on the front page of your server informing users about the required password reset and the reason for it. You can set this with the Site Description setting on the Site Information tab of the Configuration dialog.