Password Requirements
Question asked by John Marx - November 4, 2014 at 8:20 PM
Answered
In the new SmarterMail 13 there are a lot of password options now. There are still a lot of questions regarding this new functionality. For determining my questions below I went to the online help (http://help.smartertools.com/SmarterMail/v13/Default.aspx?p=_SA&v=13.0.5420&lang=en-US&page=systemadmin/frmpasswordrequirements) to try and gather answers prior to posting this.
 
Auto-block Grace Period
  1. What is this?
 
Require password does not match username 
  1. Will this not only match say john@ but also a mail forward of jane@? 
  2. Can we also get this to make all of the aliases as invalid as well?
 
Disable password strength for existing passwords 
  1. What happens if the user doesn't meet the new rules? I can't find if they will be immediately prompted to change to the upgraded standard.
 
Disable outgoing messages for accounts violating password requirements 
  1. Will a user be informed that the emails will not be delivered until upgraded? Will they be queued or do we need to work on instructions for our users to go into their Sent Items and resend the messages?
 
Enable password retrieval 
  1. Is there a way to get a report of users who this would not apply to and/or a way to email these users so that we can provide them a list of instructions to enable this feature?
  2. Can a report be automatically emailed to the domain admins of non-compliance, as well as ability for the overall system administrator for all domains?
 
Prevent commonly used passwords 
  1. What are the commonly used passwords and can we add to them as I know we have users that have common passwords for their companies and they don't want them.
  2. Speaking of companies can this be set on a per-domain basis for a custom list?
 
Disable outgoing SMTP when auto-block grace period ends 
  1. What is this?
 
Other
  1. Can these settings be controlled on a domain-by-domain basis? Being that we host multiple domains for companies a standard for all is not going to work.
  2. Is there a way to make it so that our administrator accounts have more complex requirements?
  3. Is there a way, either by looking at an account (better yet both), to know when a user last changed their password?
  4. What determines if an account is locked out?
  5. Is there a way to prevent using the last XX passwords?
  6. Is there a way to make XX failed logins lock an account?
  7. Not exactly part of passwords but is there a way to force a domain to use SSL?
 

5 Replies

Bruce Barnes Replied
November 5, 2014 at 7:33 AM
Auto-block Grace Period
  1. What is this?
RESPONSE: The number of days at which the user will be notified that his or her password may be changed. 
 
Require password does not match username 
  1. Will this not only match say john@ but also a mail forward of jane@? 
  2. Can we also get this to make all of the aliases as invalid as well?
RESPONSE: I would hope that this means that the user cannot use any portion of their username in the password, but SmarterTools will have to weigh in on this one.
 
Disable password strength for existing passwords 
  1. What happens if the user doesn't meet the new rules? I can't find if they will be immediately prompted to change to the upgraded standard.
RESPONSE: They will be prompted to change their password only if they use the web interface to login.  You can also run a report of non-compliant passwords and send them e-mail messages warning them of their non-compliance.  We usually do this a couple of times before we change it for them and force them to use the web interface to change their password.
 
Disable outgoing messages for accounts violating password requirements 
  1. Will a user be informed that the emails will not be delivered until upgraded? Will they be queued or do we need to work on instructions for our users to go into their Sent Items and resend the messages?
RESPONSE:  SmarterMail needs to weigh in on this one.
 
Enable password retrieval 
  1. Is there a way to get a report of users who this would not apply to and/or a way to email these users so that we can provide them a list of instructions to enable this feature?
  2. Can a report be automatically emailed to the domain admins of non-compliance, as well as ability for the overall system administrator for all domains?
 
Prevent commonly used passwords 
  1. What are the commonly used passwords and can we add to them as I know we have users that have common passwords for their companies and they don't want them.
  2. Speaking of companies can this be set on a per-domain basis for a custom list?
RESPONSE:  Not stated anywhere.  I would be very careful about setting any password requirements up for a company-by-company basis.  Remember, the server operator, per case law, is ultimately responsible for what happens with the user accounts on their servers and I only see this getting more restrictive.
 
Disable outgoing SMTP when auto-block grace period ends 
  1. What is this?
RESPONSE: All outgoing mail for the user whose password has expired will fail until they change their password.  I really like this one.
 
 
SUMMARY:  I would like the password restrictions to be carried a step further and have an elective choice to be able to disable any word found in a dictionary.  This is the current US CERT and NIST recommendation - if a word is in a dictionary, it cannot be used in a password.  Dictionary attacks are much too easily accomplished with modern computers.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
Robert Emmett Replied
November 5, 2014 at 8:37 AM
Employee Post
Great answers, Bruce.  Just to provide further clarification:
 
Auto-block Grace Period
  1. What is this?
RESPONSE: The number of days at which the user will be notified that his or her password may be changed.
CLARIFICATION:  This field ties in with "Disable outgoing SMTP when auto-block grace period ends".  If that is checked, then after the grace period the account(s) that violate the password policies will have their outgoing SMTP auto-blocked until the password is changed and is compliant.  The "User Notification Timing" sends the violating users emails on the specified days before the auto-grace period ends.
 
Require password does not match username 
  1. Will this not only match say john@ but also a mail forward of jane@? 
  2. Can we also get this to make all of the aliases as invalid as well?
RESPONSE: I would hope that this means that the user cannot use any portion of their username in the password, but SmarterTools will have to weigh in on this one.
CLARIFICATION: Currently, if enabled, the password cannot match the username; john@domain.com would not be able to use john as his password; however, john1 would still be accepted.
 
Disable password strength for existing passwords 
  1. What happens if the user doesn't meet the new rules? I can't find if they will be immediately prompted to change to the upgraded standard.
RESPONSE: They will be prompted to change their password only if they use the web interface to login.  You can also run a report of non-compliant passwords and send them e-mail messages warning them of their non-compliance.  We usually do this a couple of times before we change it for them and force them to use the web interface to change their password.
CLARIFICATION: Simply stated, existing passwords would be "exempt" from new password requirements.
 
Disable outgoing messages for accounts violating password requirements 
  1. Will a user be informed that the emails will not be delivered until upgraded? Will they be queued or do we need to work on instructions for our users to go into their Sent Items and resend the messages?
RESPONSE:  SmarterMail needs to weigh in on this one.
CLARIFICATION:  This option will be removed in the next minor update; its functionality was replaced by auto-block grace period.
 
Prevent commonly used passwords 
  1. What are the commonly used passwords and can we add to them as I know we have users that have common passwords for their companies and they don't want them.
  2. Speaking of companies can this be set on a per-domain basis for a custom list?
RESPONSE:  Not stated anywhere.  I would be very careful about setting any password requirements up for a company-by-company basis.  Remember, the server operator, per case law, is ultimately responsible for what happens with the user accounts on their servers and I only see this getting more restrictive.
CLARIFICATION: There is an XML file containing these commonly used passwords.  Its default location is "C:\Program Files (x86)\SmarterTools\SmarterMail\Service\common_passwords.xml".  You can add to this dictionary.  If removed, SM will rebuild the file with the default built-in common passwords.
 
As for disabling any word found in the dictionary, that would be a feature request.  Requiring passwords to use uppercase, lowercase, numbers, and symbols somewhat makes it a moot point at this time.
 
Disable outgoing SMTP when auto-block grace period ends 
  1. What is this?
RESPONSE: All outgoing mail for the user whose password has expired will fail until they change their password.  I really like this one.
CLARIFICATION: Works in conjunction with auto-block grace period.  If you fail to change your password within the grace period, outgoing SMTP will be blocked when the grace period ends.
 
Also note that the "User Notification Timing" also works with the password expiration option.  The user will be notified via E-mail xx days (as specified in that field) before their password expires.  If the password expires, they will not be able to send outgoing mail until the password is changed.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
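The rules clarified in the reply above (exact username match only, so "john1" still passes; a common-password dictionary; the auto-block grace period with notification days) can be modelled in a few functions. The following is an added example, not SmarterMail code: the XML layout it parses is a constructed assumption (the real common_passwords.xml schema is not shown in the thread), the minimum length is an assumed parameter, and the `strict=True` mode implements the stronger "no part of the username" rule Bruce hoped for rather than the current behaviour.

```python
"""Password-requirement checks modelled on the SmarterMail 13 options discussed in
this thread. Added example, not SmarterTools code. The XML layout below is a
constructed assumption; the real common_passwords.xml schema is not shown here."""
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Constructed sample in the shape we ASSUME for common_passwords.xml.
SAMPLE_COMMON_PASSWORDS_XML = """<?xml version="1.0"?>
<passwords>
  <password>password</password>
  <password>123456</password>
  <password>qwerty</password>
  <password>letmein</password>
</passwords>"""


def load_common_passwords(xml_text):
    """Return a lower-cased set of banned passwords from the (assumed) XML layout."""
    root = ET.fromstring(xml_text)
    return {el.text.strip().lower() for el in root.iter("password") if el.text}


def matches_username(username, password, strict=False):
    """strict=False mirrors the behaviour described in the thread: only an exact,
    case-insensitive match of the local part is rejected, so 'john1' passes for
    john@domain.com. strict=True is the stronger rule Bruce asked about: any
    password containing the local part is rejected."""
    local = username.split("@", 1)[0].lower()
    pw = password.lower()
    if strict:
        return local in pw
    return pw == local


def check_password(username, password, common, min_length=8, strict_username=False):
    """Return the list of violated requirements; an empty list means compliant.
    min_length is an assumed parameter; the character-class rule follows the
    upper/lower/number/symbol requirement mentioned in the reply."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if matches_username(username, password, strict=strict_username):
        problems.append("matches username")
    if password.lower() in common:
        problems.append("commonly used password")
    classes = [any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if not all(classes):
        problems.append("needs upper, lower, digit and symbol")
    return problems


def autoblock_state(violation_date, today, grace_days, notify_days):
    """Model the grace period / User Notification Timing described in the thread.
    'blocked' once the grace period has ended (outgoing SMTP blocked until the
    password is changed), 'notify' on the configured days before it ends, else 'ok'."""
    deadline = violation_date + timedelta(days=grace_days)
    remaining = (deadline - today).days
    if remaining <= 0:
        return "blocked"
    if remaining in notify_days:
        return "notify"
    return "ok"


if __name__ == "__main__":
    common = load_common_passwords(SAMPLE_COMMON_PASSWORDS_XML)
    for pw in ("john", "john1", "Password", "Xk9!mPq2wz"):
        print(pw, "->", check_password("john@domain.com", pw, common) or "compliant")
    print(autoblock_state(date(2014, 11, 5), date(2014, 11, 12), 14, {7, 3, 1}))
```

Running the script shows why the exact-match check alone is weak: "john1" only fails on length and character classes, not on the username rule, unless `strict_username=True` is passed.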
Robert Emmett Replied
November 6, 2014 at 10:34 AM
Employee Post
John,
 
You listed a few other password requirement options:
  1. Control password requirements on a domain basis -- I have added this to our feature request list for further discussion with the dev. team.
  2. Have stricter password requirements for admins -- System admins are the only ones that are exempt from password requirements; domain admins must adhere to the password policies on their first log-in.  Currently, when a domain is created, the domain admin password is not checked against password requirements.  I have added this task to our feature request list for further discussion with the dev. team.
  3. Add a column to show when the last time an account changed their password -- Currently, we do not have a page showing this information.  What is the usefulness of this feature, and where would you like to see this added?
  4. Prevent an account from using the last XX passwords -- This feature is already planned for in a future minor release.
  5. Lock / disable (option for temp / perm) an account after XX failed login attempts -- I have added this to our feature request list for further discussion with the dev. team.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Andrea Rogers Replied
November 6, 2014 at 4:58 PM
Employee Post
Hi John,
 
Bruce and Robert did a great job in answering your questions above. I just wanted to make one note to question #6 about locking an account. SmarterMail does currently offer Brute Force Detection which will temporarily lock a user's account for 5 minutes after 10 failed login attempts. These numbers can be modified in the web.config file by following these steps: Change Login Attempts in SmarterMail
Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
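The brute force detection described above (a 5-minute temporary lock after 10 failed attempts) is the kind of per-account counter that is easy to get wrong, for example by never resetting it. The following is an added example, not SmarterMail's implementation: it keeps a per-account record of failed logins, locks for the thread's default values, and shows the result over a few constructed log lines. The counting window, the reset on successful login and the log line format are all assumptions.

```python
"""Per-account failed-login lockout modelled on the thread's defaults
(10 failures -> 5 minute lock). Added example, not SmarterMail code; the
counting window, reset rules and log format are assumptions."""
import re
from collections import defaultdict


class BruteForceDetector:
    def __init__(self, max_attempts=10, lockout_seconds=300):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # account -> failed attempts since last reset
        self.locked_until = {}             # account -> timestamp when the lock expires

    def is_locked(self, account, now):
        """True while the temporary lock is in force; expired locks are cleared
        and the counter reset so the account starts fresh (assumed behaviour)."""
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[account]
        self.failures[account] = 0
        return False

    def record_failure(self, account, now):
        """Count a failed login; return True if this failure triggered a lock."""
        if self.is_locked(account, now):
            return True
        self.failures[account] += 1
        if self.failures[account] >= self.max_attempts:
            self.locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account, now):
        """A successful login resets the counter (assumed); a locked account
        cannot log in at all, so success is refused while the lock holds."""
        if self.is_locked(account, now):
            return False
        self.failures[account] = 0
        return True


# Constructed log lines in an ASSUMED format: "<epoch> LOGIN <OK|FAILED> user=<addr>".
SAMPLE_LOG = "\n".join(
    [f"{100 + i} LOGIN FAILED user=john@domain.com" for i in range(10)]
    + ["111 LOGIN OK user=john@domain.com",        # refused: still locked
       "105 LOGIN FAILED user=jane@domain.com",    # jane only fails once
       "420 LOGIN OK user=john@domain.com"]        # lock expired at 409
)
LINE_RE = re.compile(r"^(\d+) LOGIN (OK|FAILED) user=(\S+)$")


def replay(log_text, detector=None):
    """Feed log lines through the detector; return per-line (user, outcome)."""
    detector = detector or BruteForceDetector()
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, status, user = int(m.group(1)), m.group(2), m.group(3)
        if status == "FAILED":
            outcome = "locked" if detector.record_failure(user, ts) else "failed"
        else:
            outcome = "ok" if detector.record_success(user, ts) else "refused-locked"
        results.append((user, outcome))
    return results


if __name__ == "__main__":
    for user, outcome in replay(SAMPLE_LOG):
        print(user, outcome)
```

The replay makes the edge cases visible: the tenth failure is the one that locks, a correct password during the lock is still refused, and once the lock expires the counter is zero again rather than leaving the account one failure away from the next lock.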
Brian M. Arlinghaus Replied
April 20, 2016 at 7:39 AM
Lock / disable (option for temp / perm) an account after XX failed login attempts -- Has this been added?
 
I understand that there are brute force settings for protocols, but I cannot find a setting for attempts made through webmail interface.  Is there a setting to lock/disable an account after XX failed login attempts?
