October 25th, 2011

A Bundle of Password and Login Security Enhancements

LuxSci has released a set of user password security features that complement many of its existing password security options so that, as a whole, they meet the needs of any kind of password security requirement.

This post reviews many of the existing password security options and highlights the new ones.

Password Strength: (existing feature)

Account administrators can choose how secure new user passwords must be.  This setting can range from relatively weak (6 or more characters) to very strong (e.g. 8+ characters that contain both letters and numbers and which pass a password strength checking test).

Password strength can be configured account-wide, and/or on a per-domain basis.

Prevent Password Reuse: New!

LuxSci now keeps track of previously used passwords and when they were used. (We keep only “hashes” of these passwords for security reasons; we have no way of determining what the passwords actually were.)

When users change their passwords, they must now choose a password that differs from any they have used in the past year and from any of the last 4 passwords they used.  Preventing password re-use helps protect an account from unauthorized access.

Account administrators can weaken the password reuse requirement to be as weak as merely requiring that the new password be different from the current one; or strengthen it to require the password to be different from the last 8 used and to not have been used in the last 2 years.  This can be configured account-wide and/or on a per-domain basis.
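The strength check and the password-history check described in the two sections above can be expressed as one policy-driven validation routine. The following is an added illustration and is not LuxSci's code: the policy field names, the presets, the PBKDF2 parameters and the sample passwords are all assumptions. Only salted hashes of old passwords are kept, so the history itself never reveals what those passwords were; a candidate is rejected if it matches any of the last `history_count` entries or any entry used within the last `history_days` days.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class PasswordPolicy:
    """Hypothetical policy object; field names are assumptions, not LuxSci settings."""
    min_length: int = 8                     # "8+ characters" in the strong setting
    require_letters_and_digits: bool = True
    history_count: int = 4                  # must differ from the last N passwords
    history_days: int = 365                 # and from any used in the last N days


@dataclass
class HistoryEntry:
    """One previously used password, stored only as a salted hash plus its date."""
    salt: bytes
    digest: bytes
    used_at: datetime


PBKDF2_ROUNDS = 50_000  # slow, salted hash so stored history is not reversible


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def record_password(password: str, used_at: datetime) -> HistoryEntry:
    """Add a password to the history: a fresh random salt per entry."""
    salt = os.urandom(16)
    return HistoryEntry(salt, _hash(password, salt), used_at)


def _matches(entry: HistoryEntry, candidate: str) -> bool:
    # Constant-time comparison of the candidate's hash against the stored one.
    return hmac.compare_digest(entry.digest, _hash(candidate, entry.salt))


def check_strength(password: str, policy: PasswordPolicy) -> List[str]:
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters")
    if policy.require_letters_and_digits and not (
        any(c.isalpha() for c in password) and any(c.isdigit() for c in password)
    ):
        problems.append("must contain both letters and numbers")
    return problems


def check_reuse(candidate: str, history: List[HistoryEntry],
                policy: PasswordPolicy, now: datetime) -> List[str]:
    """Reject the candidate if it equals one of the last `history_count`
    passwords OR any password used within the last `history_days` days."""
    newest_first = sorted(history, key=lambda e: e.used_at, reverse=True)
    cutoff = now - timedelta(days=policy.history_days)
    for position, entry in enumerate(newest_first):
        in_scope = position < policy.history_count or entry.used_at >= cutoff
        if in_scope and _matches(entry, candidate):
            return ["must differ from recently used passwords"]
    return []


def validate_change(candidate: str, history: List[HistoryEntry],
                    policy: PasswordPolicy, now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the change is allowed."""
    return check_strength(candidate, policy) + check_reuse(candidate, history, policy, now)


# The weakest and strongest reuse settings the post describes (preset names assumed).
WEAKEST_REUSE = PasswordPolicy(min_length=6, require_letters_and_digits=False,
                               history_count=1, history_days=0)
STRONGEST_REUSE = PasswordPolicy(history_count=8, history_days=730)


if __name__ == "__main__":
    # Constructed sample history: six old passwords at various ages.
    now = datetime(2011, 10, 25)
    history = [record_password(f"Passw0rd{i + 1}", now - timedelta(days=d))
               for i, d in enumerate([30, 60, 90, 120, 200, 400])]
    for pw in ("Passw0rd6", "Passw0rd5", "longpassword", "Fresh2011x"):
        print(pw, validate_change(pw, history, PasswordPolicy(), now))
```

Note that the two limits are combined with OR: the default policy blocks a password used 200 days ago even though it is not among the last four, while the weakest preset (`history_count=1`, `history_days=0`) only rejects the current password.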

Required Periodic Password Changes: (existing feature)

Account administrators can require users to change their passwords with some specified frequency.  This feature includes configurable emailed warnings to the users about incoming password expiration, user exemptions, and more.  For more details, see Manage User Password Expirations by Policy.

WebMail Login Failure Lockout: Updated!

To prevent password guessing attempts using our WebMail login page, LuxSci has long had a system where a user is locked out from logging into WebMail for 5 minutes after 5 unsuccessful login attempts.

This feature has been updated so that administrators can customize how strict this lockout is.  Administrators can choose how many failures result in a lockout (one to twenty) and how long the lockout window is (one minute to two hours).  All of these configurations help to limit password guessing, especially by automated systems; however, some accounts have specific requirements in this regard.

The password lockout feature applies “per IP address”, so a user cannot be locked out by someone at another location trying to guess his/her password.  It is also configurable on an account-wide or per-domain basis.
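A per-IP lockout of the kind described above can be modelled as a small stateful guard. This is an added example, not LuxSci's implementation; the class and method names, the window semantics (failures are counted within one lockout period, and a locked address is refused without its credentials being evaluated) and the sample addresses are assumptions. The configurable ranges match the ones the post gives: one to twenty failures, one minute to two hours.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict


class LoginLockout:
    """Per-source-address lockout: after `max_failures` failed logins from one
    IP within `lockout`, that IP is refused for `lockout` from the last failure.
    Other addresses are unaffected, so one guesser cannot lock a user out."""

    def __init__(self, max_failures: int = 5, lockout: timedelta = timedelta(minutes=5)):
        if not 1 <= max_failures <= 20:
            raise ValueError("max_failures must be between 1 and 20")
        if not timedelta(minutes=1) <= lockout <= timedelta(hours=2):
            raise ValueError("lockout must be between 1 minute and 2 hours")
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._locked_until: Dict[str, datetime] = {}

    def is_locked(self, ip: str, now: datetime) -> bool:
        until = self._locked_until.get(ip)
        return until is not None and now < until

    def attempt(self, ip: str, now: datetime, verify: Callable[[], bool]) -> str:
        """Process one login attempt. `verify` checks the credentials and is
        only called when the address is not locked. Returns 'locked', 'ok'
        or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"
        if verify():
            # A successful login clears the failure history for this address.
            self._failures.pop(ip, None)
            self._locked_until.pop(ip, None)
            return "ok"
        recent = self._failures[ip]
        recent.append(now)
        # Keep only failures inside the current window.
        while recent and now - recent[0] > self.lockout:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed sequence: five bad guesses from one address, then a good
    # login from a second address at the same time.
    guard = LoginLockout(max_failures=5, lockout=timedelta(minutes=5))
    t0 = datetime(2011, 10, 25, 9, 0, 0)
    for i in range(5):
        print("203.0.113.7", guard.attempt("203.0.113.7", t0 + timedelta(seconds=i), lambda: False))
    print("203.0.113.7 (correct password, still locked):",
          guard.attempt("203.0.113.7", t0 + timedelta(minutes=1), lambda: True))
    print("198.51.100.4 (other address):",
          guard.attempt("198.51.100.4", t0 + timedelta(minutes=1), lambda: True))
```

Keying the counter by source address gives exactly the property the post calls out: failures from one location never affect a login from another. In a real deployment the state would live in shared storage rather than in-process memory, and a lockout event is a natural place to raise the failed-login notice described later in this post.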

Forced Secure Logins: (existing feature)

Account administrators can always choose to enforce use of SSL for all connections to WebMail and other services (like FTP, POP, IMAP, and SMTP) to ensure that user passwords (and the data itself) are never sent in the clear.

Custom Lost Password Instructions:  New!

Typically, when a user forgets his/her password, s/he can click on a link on the LuxSci login page, fill out a form that asks for some information, and then the LuxSci Support Staff manually verify the user’s identity based on things such as pre-configured alternate email addresses, phone numbers, and security questions.  Support then sends the user a password reset link.

In some cases, account administrators do not want their users (or specific users) to be directed to Support, but instead want them to be given specific instructions for lost passwords.

Administrators can now optionally specify “Lost Password Instructions” account-wide, per-domain, and/or per-user.  Any affected users who request password help from the login page will get these instructions instead of being sent to Support.

Additionally, customers with Private Labeling can now optionally replace the entire “Forgot Password” page (the form asking the user for information) with a custom block of HTML to further simplify and brand the custom instruction process.

Emailed Notices of Failed Logins: Updated!

Users receive emailed notices of login failures to WebMail, POP, IMAP, SMTP, and FTP.  This feature, enabled by default, allows them to be notified quickly of unauthorized login attempts to their account.

Emailed login failure alerts can be enabled/disabled in the user’s preferences.

In our next release (scheduled for on or before October 28th), users will be able to turn failure notices on or off on a per-service basis and to specify one or more custom email addresses for these notices to be sent to.

Emailed Notices of Successful Logins: New!

Just like the failure notices, users can choose to have notices of successful logins to selected services emailed to one or more custom email addresses.  While this is disabled by default, it is particularly useful for accounts that are used infrequently (such as administrator accounts), so that their owners are informed whenever those accounts are used.

This feature is also going out in the next release.
