Configuring Security

Under Security, you can set the following options:
Session timeout: Log out users after this many minutes of inactivity (1-480 minutes).
Require strong passwords: Require passwords to be at least 8 characters and contain at least one uppercase letter, lowercase letter, number, and symbol.
Password expiration interval: Reset the number of days before a user must change the password (1-720 or blank).
Failed login count: Reset the number of failed logins within Failed login interval that will cause the account to be locked (1-20).
Failed login interval: Number of minutes within which Failed login count results in account being locked (1-60).
Self registration: Determines whether non-users can create or request user accounts. Choose from the following options:
  • none Not allowed.
  • moderated You must approve the account before it is created. If you allow self-registration, the moderated setting is recommended for security.
  • unmoderated After a user registers, the user’s account is automatically created.


If users are allowed to self-register, they see a Request an Account link on the login page. After a user clicks this link and completes the form, you are prompted under Admin > Accounts > Self Registration to Approve, Deny, or Delete the user’s account. You can also perform a status search for new accounts.

Admins can configure whether they receive emails whenever there's a new self registration request in their personal preferences. By default, admins are opted into receiving these emails. To change the default setting, see Configure Email Settings.

The email template for such emails is also configurable. For more information on customizing templates, see Creating Email Templates.