If you are looking to enable users, you may have questions regarding the security RPM has in place to protect your subscription. 

What we offer for password security and can be broken down into three sections Default, Optional and Alternative login. Guide to changing your settings. 

  • For default settings, they cannot be disabled or bypassed. RPM will require the password to be between 10 and 64 characters long, the password cannot be the user's username, it cannot be all the same characters, and cannot be "password" or "12345678". 

  • For optional settings, they can be enabled as you see fit. These can be enabled individually or all at once. Have at least 1 capital and 1 lower case letter, At least 1 number and 1 letter, and/or at least 1 character that is not a number or letter. Please note if the setting is changed, users will not be prompted to change their passwords, it would be recommended to have them reset their passwords. 

  • For alternative login, you can allow your users to use Microsoft sign in instead of using the RPM username and password. Microsoft sign in can also be set to required and enforced for all of your Staff users. 

Does RPM allow the reuse of a password or similar passwords? 

  • Yes, RPM allows a password to be reused or similar passwords (e.g. "Password01" and "Password02") would be allowed. 

Can we use a dictionary to prevent the use of character substitution, keyboard patterns, or breached passwords? 

  • Currently RPM does not support this feature.   

Who can create, update, or disable user profiles?

  • Only a staff user of the RPM subscription, with proper permissions, can enable, disable, or change passwords of users. A Super-user/System Manager can additionally force a sign-out of any user currently logged in. 

Does RPM support MFA (Multi-Factor Authentication)? 

  • Currently RPM does not support a direct MFA. Allowing Microsoft sign in would allow your users to use Microsoft's support of MFA to sign in. 

Does RPM lockout accounts after consecutive failed logins? And how does RPM prevent brute force or other attacks? 

  • RPM will limit logins to ten failed sign-in attempts. After ten attempts RPM will lock out the account for ten minutes. RPM has also set up a WAF (Web Application Firewall) to prevent other programmatic attacks. 

Does RPM configure special end points? How often does the API need to be authorized? 

  • RPM has no special endpoints configured. If using the API, each call it makes requires authorization. 

How long will a user remain logged into RPM before they will be required to enter their password? 

  • RPM will log a user out after 24 hours of inactivity.

How many instances of RPM can I have open with the same login? 

  • RPM allows one unique instance per login at a time. If you attempt to login a second instance with the same login, you will be forced to sign out the first. 

We want to enable users; how can we ensure they are picking a new password? 

  • When creating a user, you can send out the invite by email. This will have them create a new password on the first login. For existing users, they can click Forgot password? on the login page or reset the password from their user profile.

What self-serve options are available for a user to reset their password? 

  • The user can click Forgot password? on the login page. If they are able to login and want to set a new password, they can reset the password from their User profile page.

Will RPM reset my user's password or login details if they email into support? 

  • RPM will not reset a user's password or provide login details. The user must speak with the RPM subscription holder.   

Can I use secret questions for my users when resetting passwords? 

  • Currently RPM does not support the use of secret questions.  

Can I enable for RPM to expire a password after a certain length? 

  • Currently RPM does not support passwords with a fixed length expiration. 

How does RPM protect passwords of users? 

  • RPM passwords are hashed using HMACSHA1 with password salt and it is not reversible.

Can I see who is signing into RPM, and their details? 

  • RPM does provide a sign in history report that allows you to see which users are logging in, when they have logged in, their IP address, and browser information. 

Can I see all the activity a specific user has on their profile?

  • Currently RPM does not support a one-time report of all user activity. Activity history is tracked on the page where the change was made. 

Further Reading: