You can configure a password policy and a login lock for the runtime system. Together, these two mechanisms make sure that the credentials configured for the controller are as secure as possible and that attackers cannot guess a credential by repeated attempts. By default, a password policy is not enabled. The login lock is enabled by default for the administrator user group because this user group needs to fulfill increased security criteria and should also be better protected. When the maximum number of login attempts has been exceeded, the user is locked out for the configured amount of time (3600 seconds by default).
Unlocking a locked user: The following options are available for unlocking a user who has been locked for a specific period of time:
- An administrator or a member of a user group with write permission for the user group of the locked user assigns a new password for the user.
- The runtime system is restarted.
Enabling and changing a password policy
- In the device tree, double-click the controller.
  The device editor opens. The “Communication Settings” tab is displayed.
- In the header, click the “Scan Network” button, and in the “Select Device” dialog, select the desired device. Then click “OK”.
  The active path to the controller is set.
- In the “Device” menu, select “Change Runtime System Password Policy”.
- In the “Change Runtime System Password Policy” dialog, select the “Password policy is active” option.
  The password policy with the displayed password settings is enabled.
  The detailed default password settings can be found in the description of the dialog.
- Change individual password settings as needed.
- Click “OK” to confirm the changes made.
The configured password policy is immediately applied when creating a new user and when changing the password for an existing user. Only new passwords which fulfill the password policy can be created.
Configuring a login lock
- In the device tree, double-click the controller.
  The device editor opens. The “Communication Settings” tab is displayed.
- In the header, click the “Scan Network” button, and in the “Select Device” dialog, select the desired device. Then click “OK”.
  The active path to the controller is set.
- In the “Device” menu, select “Change Runtime System Password Policy”.
- In the “Change Runtime System Password Policy” dialog, you can change the default settings for the login lock or disable the login lock.
- Click “OK” to confirm the changes made.
The configured login lock is immediately applied when logging in to the device user management for users of the user group selected in the “Scope”.
When the number of login attempts specified in the “Maximal Retries” field is exceeded, the user will be locked out for the amount of time which is specified in the “Lock duration” field.
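The login lock behavior described in this section, as a small Python model. This is an added example, not code from the runtime system: the class and method names are hypothetical, the `max_retries` value of 3 is constructed, and resetting the failure count after a successful login or an expired lock is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class LoginLock:
    """Illustrative model of the login lock; not the runtime system's code."""
    scope: set                  # user groups the lock applies to ("Scope")
    max_retries: int = 3        # "Maximal Retries"; 3 is a constructed value
    lock_duration: int = 3600   # "Lock duration" in seconds (default per the page)
    failures: dict = field(default_factory=dict)      # user -> failed attempts
    locked_until: dict = field(default_factory=dict)  # user -> time the lock ends

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def login(self, user, group, password_ok, now):
        """Return 'ok', 'denied' or 'locked' for one attempt at time `now` (seconds)."""
        if self.is_locked(user, now):
            return "locked"                     # a correct password is refused too
        if password_ok:
            self.failures.pop(user, None)       # assumption: success resets the count
            return "ok"
        if group in self.scope:                 # only groups in the scope are counted
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] > self.max_retries:   # retries "exceeded"
                self.locked_until[user] = now + self.lock_duration
                self.failures.pop(user, None)
                return "locked"
        return "denied"

    def assign_new_password(self, user):
        """Unlock option 1: an authorized user assigns a new password."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def restart_runtime(self):
        """Unlock option 2: restarting the runtime system clears all locks."""
        self.locked_until.clear()
        self.failures.clear()


def simulate():
    """Constructed sequence: four wrong passwords, then a correct one."""
    lock = LoginLock(scope={"Administrator"})
    wrong = [lock.login("admin", "Administrator", False, now=t) for t in range(4)]
    return wrong + [lock.login("admin", "Administrator", True, now=60)]
```

In this model a locked administrator stays locked even when the correct password is entered, until the lock duration elapses or one of the two unlock options is used.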
For more information, see: Overview of the objects