HOW TO MODIFY YOUR SECURITY SETTINGS

Ripple lets site administrators modify a series of security settings. We recommend that all site administrators review the settings in their site account often and consult the IT security guidelines at their institutions to ensure that the selected settings meet their institutional requirements.

To access the security settings, click Site Admin on the upper menu of the Ripple app. This link will only be visible to site administrators. Then click on the security tab on the left menu. See the figure below.

 

General Settings:

Login Attempts. You can set the number of unsuccessful login attempts allowed before the user account is locked. In the example above, if a user tries to log in with the wrong password 5 consecutive times, the user account will be locked and a site administrator will need to unlock the account by visiting the Team menu in the Site Admin dashboard.

Simultaneous Sessions. By default, Ripple prevents simultaneous active sessions by the same user. If a user is logged in and a new session by the same user is started on a different browser, the original session will be terminated.  However, Ripple allows site administrators to change this setting to allow simultaneous sessions. Note that most institutions do not allow the sharing of user credentials for applications that manage personal information. Please consult with your IT team before changing this setting.

Inactivity:

Automatic Logoff. Ripple allows site administrators to set how long, in minutes, a session can be inactive before the application automatically logs off the user. Automatic termination of inactive sessions is critically important to prevent exposure of sensitive information to unauthorized computer users if a session is inadvertently left open. We recommend that site administrators set this setting to a maximum of 10 minutes.

Automatic Lock of Unused Accounts. Ripple automatically locks accounts that have not been used for a predetermined amount of time. Best practice for applications managing health information is to lock accounts after 3 months of inactivity.

Passwords:

Password Expiration. Ripple allows administrators to set an expiration time for all passwords. There is significant debate in the IT security world as to whether mandatory password expiration increases security, given that examinations of the impact of this practice suggest that frequent password expiration may do more harm than good (see this discussion from the FTC Chief Technologist). However, password expiration is often standard practice in health IT and may be required by your institution. Please consult the requirements of your institution regarding your password expiration guidelines.

Password Reuse. Ripple prevents users from using past passwords when a password is reset. Administrators can set the number of previous passwords that Ripple will prevent from reuse. For example, the Ripple default is 4. Thus, when resetting a password, the user will be unable to use the last 4 passwords used in his or her account.

Password Minimum Length. Use this setting to require a minimum character length for all passwords.

Password Strength. Ripple uses the zxcvbn algorithm to examine the strength of passwords. This algorithm estimates how difficult it would be for a computer to crack your password. We recommend that this feature be set to no less than moderate.

Password Character Requirements. Ripple allows administrators to determine whether certain characters (numbers, symbols) are required.

If you have any additional questions about Ripple security settings, please contact us at support@ripplescience.com.