• • • Overview By default, ProcessMaker passwords will never expire and they only need to contain a minimum of 5 characters which can be all lowercase letters. Many organizations, however, store very sensitive data in ProcessMaker and need to ensure that their passwords are not easily cracked.

In order ensure greater password security, define constants in the file /shared/sites//db.php, which will change the types of allowed passwords and their expiration date. The db.php file for the default 'workflow' workspace is generally found in Linux/UNIX at: /opt/processmaker/shared/sites/workflow/db.php In Windows, before ProcessMaker version 1.6-4260, it is generally located at: C: Program Files ProcessMaker apps processmaker shared workflow_data sites workflow db.php In Windows, ProcessMaker version 1.6-4260 and later, it is generally located at: C: Program Files ProcessMaker processmaker shared sites workflow db.php Edit db.php using a plain text editor such as Notepad or in Windows or or in Linux/UNIX. Examples: By default the minimum password length is 5 characters.

• • • • • • Overview By default, ProcessMaker stores users' passwords using hashes. However, ProcessMaker Enterprise Edition provides an option to save passwords inside its database using algorithm, which is a more secure that generates a 64 digit hexadecimal number inside the RBAC_USERS.USR_PASSWORD field. Hash functions provide a secure way of storing passwords because they can quickly generate the hash from the password and validate the password entered by the user during login, but the password can not easily be discovered from the hash, so it is not easy to crack. Installation When the Enterprise Edition is installed with its license, the Secure User Password Hash feature becomes available. Hex map.

Go to ADMIN > Plugins > Enterprise Manager > Enterprise Features to verify that the secureUserPasswordHash feature is installed and enabled. Set Password Encryption to SHA-256 ProcessMaker Enterprise Edition allows to change the type of encryption passwords will have inside the system. By default, after installing ProcessMaker all passwords are encrypted using the MD5 algorithm, nevertheless this type of encryption can be changed to the SHA-256 hash function. Linux Login as the 'root' user or use the sudo -i command to gain root access. Then, navigate to the directory where ProcessMaker is installed.

It also might be desirable to create a custom PIN for the case, either to provide a more memorable PIN or for greater security. The 4 character PIN provided by ProcessMaker by default is easy to crack with a brute force attack, so it recommended to create a longer PIN if greater security is needed.