On this page you can configure how Next ADI handles passwords to keep your users' credentials safe.

Password options of Next ADI

Password

Set local password on first successful login

The first time a user logs in to WordPress, the local password is set to the password used to authenticate against Active Directory. If Set local password on first successful login is enabled, the user's AD password is stored in the WordPress database. If this option is disabled, WordPress creates a random password, because empty passwords are not allowed for WordPress user accounts.

This option only works if User > Automatic user creation is enabled.

Please note: For security reasons, this option is disabled by default. We encourage you to enable it only if you have a strong case for needing it.

Enabling this option increases the attack surface of your WordPress instance. Passwords are no longer stored only in Active Directory; they are also stored in the WordPress database. Although the passwords in the WordPress database are encrypted, an attacker could mount a brute-force attack to crack them if your database is compromised.

Allow local password changes

Enabling this option allows users to change their local WordPress password. This option has no effect on the Active Directory password. Local passwords will never be synchronized back to Active Directory.

Fallback to local password

If this option is enabled, users who fail to authenticate against Active Directory can authenticate against the local WordPress password instead. This might be a security risk if, for example, the local password is outdated. We recommend disabling this option.

Automatic password update

This option updates the local password every time a user successfully logs in. If a user has changed their Active Directory password and successfully authenticates against Active Directory while logging in to WordPress, the local WordPress password is set to the new Active Directory password.

Note: Activating this option makes little sense if Allow local password changes is enabled. It works only if User > Automatic user creation and User > Automatic user synchronization are both enabled.

Enable lost password recovery

Turning this option on allows users to reset their local password on the login screen. The Active Directory password can never be recovered.
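
How Set local password on first successful login, Fallback to local password and Automatic password update interact is easiest to see in a small model of the login flow. The following Python model is an added example, not Next ADI's code: the option names, the `Site` class and the sample account are assumptions, and it assumes User > Automatic user creation and User > Automatic user synchronization are enabled.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Options:  # hypothetical names for the settings described on this page
    set_local_password_on_first_login: bool = False
    fallback_to_local_password: bool = False
    automatic_password_update: bool = False

def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 is a stand-in here; WordPress uses its own password hashing
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Site:
    """Toy model of the documented login flow, with automatic user creation on."""
    def __init__(self, options: Options, directory: dict):
        self.options = options
        self.directory = directory  # username -> current AD password (stand-in for AD)
        self.local = {}             # username -> (salt, digest) in the WordPress DB

    def _store(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.local[user] = (salt, _digest(password, salt))

    def _local_ok(self, user: str, password: str) -> bool:
        if user not in self.local:
            return False
        salt, digest = self.local[user]
        return hmac.compare_digest(digest, _digest(password, salt))

    def login(self, user: str, password: str) -> str:
        if self.directory.get(user) == password:  # AD accepted the credentials
            if user not in self.local:            # first login creates the account
                keep = self.options.set_local_password_on_first_login
                self._store(user, password if keep else os.urandom(32).hex())
            elif self.options.automatic_password_update:
                self._store(user, password)
            return "ad"
        if self.options.fallback_to_local_password and self._local_ok(user, password):
            return "local-fallback"
        return "denied"

def stale_password_outcome(options: Options, relogin_with_new: bool = False) -> str:
    """Constructed scenario: first login, AD password change, then the OLD password."""
    site = Site(options, {"alice": "old-Passw0rd"})   # constructed sample account
    site.login("alice", "old-Passw0rd")
    site.directory["alice"] = "new-Passw0rd"          # password changed in AD only
    if relogin_with_new:
        site.login("alice", "new-Passw0rd")
    return site.login("alice", "old-Passw0rd")
```

With the first-login and fallback options both enabled, `stale_password_outcome` returns `local-fallback`: the old password still opens the account after it was changed in Active Directory. Only Automatic password update, at the next successful AD login, overwrites the stale local copy.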