LuxSci has released a set of user password security features that complement many of its existing password security options so that, as a whole, they meet the needs of any kind of password security requirement.

This post reviews many of the existing password security options and highlights the new ones.

Read the rest of this post »

Many companies, LuxSci included, recommend or require that users have one or more “Security Questions” and corresponding answers associated with their accounts.  These questions are commonly used to:

• Verify a user’s identity if the user has forgotten his/her password, or
• Provide a second factor for logging into the service above and beyond the username and password

Because these questions are used to provide access to the service and identity verification, it is very important that questions and answers be well chosen.

Read the rest of this post »

Passwords are the keys to a person’s identity.  However, it is more and more often the case that we hear of passwords and their corresponding usernames falling into malicious hands … causing financial loss, time loss, emotional distress, and worse.

In this day and age, you pretty much have to use the Internet and deal with passwords and security issues.  You can take many steps to protect yourself from password theft and to minimize the damage caused if a password were to fall into the wrong hands.

Common Ways Passwords are Compromised

In order to protect your passwords, we need to have a good idea of what we are protecting them against.  The most common ways that people’s passwords are discovered by others include:

Read the rest of this post »

LuxSci now provides account administrators with the option of having user passwords “expire” once they become “too old”.  Many organizations have internal policies requiring that users change their password periodically, such as every 90 days, every year, etc.  This new feature allows enforcement of such policies for users of LuxSci accounts.

Read the rest of this post »

It is a fact of life that passwords are the keys to our online kingdoms … and that keeping these passwords safe is critical to preventing identity theft, ensuring corporate security, keeping private things private, and much more.

However, the number of distinct places that we log into seems to constantly grow.  We have to use secure passwords for all of them and should not use the same password for any two of them.  Oh ya, we should also change our passwords frequently!

Its dizzying and makes your head spin.  Few can remember the plethora of changing passwords and, in desperation, either use the same poor password for everything or use written cheat sheets listing all of the user names and passwords for easy reference (and easy peeking by others should they get a hold of it).

Read the rest of this post »

Account administrators can now flag users who should be required to change their passwords on their next secure login to the web-based user interface.  This allows for enhanced account security.

Account administrators can flag a user for password change by checking a check box to this effect in the administrative user configuration area of the LuxSci web site.

Accounts using LuxSci’s API can also flag users for password change at any time, including at the time of user creation.  This feature makes it easy for account administrators to create new users and have them be required to change their initial passwords as soon as they login.

To address the request of many clients, LuxSci has simplified the process of picking up SecureLine Escrow encrypted email messages.  This change makes message pickup faster and easier and improves the usability of the SecureLine service overall.

Read the rest of this post »

LuxSci has long supported and recommended the use of security questions for users.  When a user has a security question and answer, LuxSci support can use this as an alternate method of verifying the user’s identity.  This is important when the user has forgotten his/her password or certain types of requests need to be verified.

While we have allowed users to provide a security question for many years, and have asked new account administrators to provide one at sign up for about the last year, use of a security question has never been mandatory.  Starting today, all account and domain administrators are required to have a security question.  Those who do not will be automatically prompted to choose one the next time that they login to the LuxSci WebMail user interface.

Users can choose a pre-defined question, or enter a question of their own.

We hope that this change improves the security of accounts and assists account administrators in recovering access quickly in cases where passwords are lost or where there is a dispute about account ownership.

If this change goes well, we will extend the security question requirement to all users.

If you are allowing Mozilla FireFox or Thunderbird to remember passwords to web sites and/or email accounts in their Password Manager tool, you should know that these passwords are all stored in a plain text file (base64 encoded) on your computer’s disk drive.  This file is accessible to anyone with administrative access to your computer.  If you have any concerns about the possibility of other people accessing your computer and this gaining easy access to copies of the passwords that you are using, you really need to employ the “Master Password” feature of these programs.

Read the rest of this post »

It’s the classic problem of having “too many keys”.  You have accounts on many different web sites.  Some are small and relatively insignificant, from a security point of view, like blogs or shopping sites.  Some are large and sensitive, like banking and PayPal accounts.  Since unified login mechanisms like OpenID are not yet pervasive, you must remember the usernames and passwords for every single site.  This is a truly daunting task.

Ideally, you would like to use passwords that are “strong” (i.e. very good, not easily guessable) and different for every site.  However, how can you remember each secure and unique password without resorting to a “cheat sheet”?

Read the rest of this post »