Password Requirements
Question asked by John Marx - 11/4/2014 at 8:20 PM
Answered
In the new SmarterMail 13 there are a lot of password options now. There are still a lot of questions regarding this new functionality. For determining my questions below I went to the online help (http://help.smartertools.com/SmarterMail/v13/Default.aspx?p=_SA&v=13.0.5420&lang=en-US&page=systemadmin/frmpasswordrequirements) to try and gather answers prior to posting this.
 
Auto-block Grace Period
  1. What is this?
 
Require password does not match username 
  1. Will this not only match say john@ but also a mail forward of jane@? 
  2. Can we also get this to make all of the aliases as invalid as well?
 
Disable password strength for existing passwords 
  1. What happens if the user doesn't meet the new rules? I can't find if they will be immediately prompted to change to the upgraded standard.
 
Disable outgoing messages for accounts violating password requirements 
  1. Will a user be informed that the emails will not be delivered until upgraded? Will they be queued or do we need to work on instructions for our users to go into their Sent Items and resend the messages?
 
Enable password retrieval 
  1. Is there a way to get a report of users who this would not apply to and/or a way to email these users so that we can provide them a list of instructions to enable this feature?
  2. Can a report be automatically emailed to the domain admins of non-compliance, as well as ability for the overall system administrator for all domains?
 
Prevent commonly used passwords 
  1. What are the commonly used passwords, and can we add to them? I know we have users that have common passwords for their companies and they don't want them.
  2. Speaking of companies, can this be set on a per-domain basis with a custom list?
 
Disable outgoing SMTP when auto-block grace period ends 
  1. What is this?
 
Other
  1. Can these settings be controlled on a domain-by-domain basis? Being that we host multiple domains for companies a standard for all is not going to work.
  2. Is there a way to make it so that our administrator accounts have more complex requirements?
  3. Is there a way, either by looking at an account or by a report (better yet both), to know when a user last changed their password?
  4. What determines if an account is locked out?
  5. Is there a way to prevent using the last XX passwords?
  6. Is there a way to make XX failed logins lock an account?
  7. Not exactly part of passwords but is there a way to force a domain to use SSL?
 

19 Replies

0
Bruce Barnes Replied
Auto-block Grace Period
  1. What is this?
RESPONSE: The number of days at which the user will be notified that his or her password may be changed. 
 
Require password does not match username 
  1. Will this not only match say john@ but also a mail forward of jane@? 
  2. Can we also get this to make all of the aliases as invalid as well?
RESPONSE: I would hope that this means that the user cannot use any portion of their username in the password, but SmarterTools will have to weigh in on this one.
 
Disable password strength for existing passwords 
  1. What happens if the user doesn't meet the new rules? I can't find if they will be immediately prompted to change to the upgraded standard.
RESPONSE: They will be prompted to change their password only if they use the web interface to login.  You can also run a report of non-compliant passwords and send them e-mail messages warning them of their non-compliance.  We usually do this a couple of times before we change it for them and force them to use the web interface to change their password.
 
Disable outgoing messages for accounts violating password requirements 
  1. Will a user be informed that the emails will not be delivered until upgraded? Will they be queued or do we need to work on instructions for our users to go into their Sent Items and resend the messages?
RESPONSE:  SmarterMail needs to weigh in on this one.
 
Enable password retrieval 
  1. Is there a way to get a report of users who this would not apply to and/or a way to email these users so that we can provide them a list of instructions to enable this feature?
  2. Can a report be automatically emailed to the domain admins of non-compliance, as well as ability for the overall system administrator for all domains?
 
Prevent commonly used passwords 
  1. What are the commonly used passwords, and can we add to them? I know we have users that have common passwords for their companies and they don't want them.
  2. Speaking of companies, can this be set on a per-domain basis with a custom list?
RESPONSE:  Not stated anywhere.  I would be very careful about setting any password requirements up for a company-by-company basis.  Remember, the server operator, per case law, is ultimately responsible for what happens with the user accounts on their servers and I only see this getting more restrictive.
 
Disable outgoing SMTP when auto-block grace period ends 
  1. What is this?
RESPONSE: All outgoing mail for the user whose password has expired will fail until they change their password.  I really like this one.
 
 
SUMMARY:  I would like the password restrictions to be carried a step further and have an elective choice to be able to disable any word found in a dictionary.  This is the current US CERT and NIST recommendation - if a word is in a dictionary, it cannot be used in a password.  Dictionary attacks are much too easily accomplished with modern computers.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
John Marx Replied
As always thanks Bruce.
2
Employee Replied
Employee Post Marked As Answer
Great answers, Bruce.  Just to provide further clarification:
 
Auto-block Grace Period
  1. What is this?
RESPONSE: The number of days at which the user will be notified that his or her password may be changed.
CLARIFICATION:  This field ties in with "Disable outgoing SMTP when auto-block grace period ends".  If that is checked, then after the grace period the account(s) that violate the password policies will have their outgoing SMTP auto-blocked until the password is changed and is compliant.  The "User Notification Timing" sends the violating users emails on the specified days before the auto-block grace period ends.
 
Require password does not match username 
  1. Will this not only match say john@ but also a mail forward of jane@? 
  2. Can we also get this to make all of the aliases as invalid as well?
RESPONSE: I would hope that this means that the user cannot use any portion of their username in the password, but SmarterTools will have to weigh in on this one.
CLARIFICATION: Currently, if enabled, the password cannot match the username; john@domain.com would not be able to use john as his password; however, john1 would still be accepted.
 
Disable password strength for existing passwords 
  1. What happens if the user doesn't meet the new rules? I can't find if they will be immediately prompted to change to the upgraded standard.
RESPONSE: They will be prompted to change their password only if they use the web interface to login.  You can also run a report of non-compliant passwords and send them e-mail messages warning them of their non-compliance.  We usually do this a couple of times before we change it for them and force them to use the web interface to change their password.
CLARIFICATION: Simply stated, existing passwords would be "exempt" from new password requirements.
 
Disable outgoing messages for accounts violating password requirements 
  1. Will a user be informed that the emails will not be delivered until upgraded? Will they be queued or do we need to work on instructions for our users to go into their Sent Items and resend the messages?
RESPONSE:  SmarterMail needs to weigh in on this one.
CLARIFICATION:  This option will be removed in the next minor update; its functionality was replaced by auto-block grace period.
 
Prevent commonly used passwords 
  1. What are the commonly used passwords, and can we add to them? I know we have users that have common passwords for their companies and they don't want them.
  2. Speaking of companies, can this be set on a per-domain basis with a custom list?
RESPONSE:  Not stated anywhere.  I would be very careful about setting any password requirements up for a company-by-company basis.  Remember, the server operator, per case law, is ultimately responsible for what happens with the user accounts on their servers and I only see this getting more restrictive.
CLARIFICATION: There is an XML file containing these commonly used passwords.  Its default location is "C:\Program Files (x86)\SmarterTools\SmarterMail\Service\common_passwords.xml".  You can add to this dictionary.  If removed, SM will rebuild the file with the default built-in common passwords.
 
As for disabling any word found in the dictionary, that would be a feature request.  Requiring passwords to use uppercase, lowercase, numbers, and symbols somewhat makes it a moot point at this time.
 
Disable outgoing SMTP when auto-block grace period ends 
  1. What is this?
RESPONSE: All outgoing mail for the user whose password has expired will fail until they change their password.  I really like this one.
CLARIFICATION: Works in conjunction with auto-block grace period.  If you fail to change your password within the grace period, outgoing SMTP will be blocked when the grace period ends.
 
Also note that the "User Notification Timing" also works with the password expiration option.  The user will be notified via E-mail xx days (as specified in that field) before their password expires.  If the password expires, they will not be able to send outgoing mail until the password is changed.
0
John Marx Replied
Thank you for the information
1
Employee Replied
Employee Post
John,
 
You listed a few other password requirement options:
  1. Control password requirements on a domain basis -- I have added this to our feature request list for further discussion with the dev. team.
  2. Have stricter password requirements for admins -- System admins are the only ones that are exempt from password requirements; domain admins must adhere to the password policies on their first log-in.  Currently, when a domain is created, the domain admin password is not checked against password requirements.  I have added this task to our feature request list for further discussion with the dev. team.
  3. Add a column to show when the last time an account changed their password -- Currently, we do not have a page showing this information.  What is the usefulness of this feature, and where would you like to see this added?
  4. Prevent an account from using the last XX passwords -- This feature is already planned for in a future minor release.
  5. Lock / disable (option for temp / perm) an account after XX failed login attempts -- I have added this to our feature request list for further discussion with the dev. team.
0
John Marx Replied
Robert,

Seeing the last time I would think in the users list, an email report or both (ideal) would be great. The reason for knowing the last login is if you have a required, or not, password change it's good from a SysAdmin vantage to know when it was last changed. This would allow providing the ability to send emails for people over XX days that they should change, know which ones haven't been changed in XX months/years, etc. For example, for every website we create we make a website email account for which we use a GUID (36-character) password. We have information to change these every 6 months or yearly depending on the client. It would be good to know the last change so that we can change those.
0
Employee Replied
Employee Post
Wouldn't using the password expiration accomplish the same thing? The users would be notified XX days before expiration according to the "User Notification Timing" setting.
0
John Marx Replied
The password expiration would for certain users but there are times, per requirements that we cannot change a password (e.g. other systems beyond say a website working with the email for sending).

Having a list that shows allows us, administrators, to work with the software stakeholders of a product. Many of these are non-monitored so unless they are manually changed by an administrator would eventually fall into the no sending rules.

By giving us the control to see visually as well as a report is something we need. Additionally, for one of our clients they have to provide information to a governance board and is why we had to write a custom application specifically for them to keep track of the last password changed and make certain complexity rules are met.
0
Employee Replied
Employee Post
I can see the validity of this request. I will add it to our features request list for further discussion with the dev. team.
0
John Marx Replied
Thank you
1
Employee Replied
Employee Post
Hi John,
 
Bruce and Robert did a great job in answering your questions above. I just wanted to make one note to question #6 about locking an account. SmarterMail does currently offer Brute Force Detection which will temporarily lock a user's account for 5 minutes after 10 failed login attempts. These numbers can be modified in the web.config file by following these steps: Change Login Attempts in SmarterMail
0
M. Hussein Replied
Why is this setting not available in SmarterMail (Security Settings)? Editing the web.config file would have to be REPEATED every time an upgrade is installed.
0
Employee Replied
Employee Post
I believe that this has been requested in the past; however, I wasn't able to find a post in our Community about this. What I'd recommend is creating a new thread with this suggestion as a Proposed Idea. This will allow other users to vote on the feature and bring it to our developers' attention. I'll pass along the suggestion as well.
0
Pam Handshy Replied
I would like to also request the ability to restrict the use of 'any' part of the username to be used in or as the password. Example: john.smith@domain.com - password: smith22 'would not' be allowed.
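Added example (not SmarterMail's own code) showing the two username rules discussed in this thread side by side: the current exact-match behaviour from the employee's clarification (john@ may not use "john", but "john1" passes) and the stricter "any part of the username" rule Pam requests (john.smith@ may not use "smith22"), together with a lookup against a common-password dictionary. The XML layout and tag names for common_passwords.xml, the function names and the minimum token length are assumptions; the sample entries are constructed.

```python
"""Password-policy checks modelled on the SmarterMail 13 options above.
Illustrative code, not SmarterMail's; the XML schema below is assumed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in an ASSUMED layout: the thread does not document the
# real common_passwords.xml schema, so adapt the tag names to your copy.
COMMON_PASSWORDS_XML = """<passwords>
  <password>password</password>
  <password>123456</password>
  <password>letmein</password>
</passwords>"""

MIN_TOKEN_LEN = 3  # assumption: ignore 1-2 letter fragments like initials


def load_common_passwords(xml_text: str) -> set[str]:
    """Parse the common-password dictionary into a lower-cased set."""
    root = ET.fromstring(xml_text)
    return {p.text.strip().lower() for p in root.iter("password") if p.text}


def username_tokens(address: str) -> set[str]:
    """Local part of the address plus its dot/underscore/dash separated pieces."""
    local = address.split("@", 1)[0].lower()
    pieces = {t for t in re.split(r"[._-]+", local) if len(t) >= MIN_TOKEN_LEN}
    return pieces | {local}


def check_password(address: str, password: str, common: set[str],
                   strict_username: bool = False) -> list[str]:
    """Return the rules the password violates (empty list means compliant).

    strict_username=False mirrors the behaviour described in the thread:
    only an exact match with the username is rejected.
    strict_username=True is the requested stricter rule: any token of the
    local part appearing anywhere inside the password is rejected.
    """
    violations = []
    pw = password.lower()
    local = address.split("@", 1)[0].lower()
    if strict_username:
        if any(tok in pw for tok in username_tokens(address)):
            violations.append("contains part of username")
    elif pw == local:
        violations.append("matches username")
    if pw in common:
        violations.append("commonly used password")
    return violations
```

The default mode reproduces the "john1 is accepted" gap the employee describes; running the same inputs with strict_username=True shows what the requested rule would reject.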
0
Jaime Replied
Robert, where can we see the "User Notification Timing" email or message that is sent to the users? Can we change the text in it? If so, how? If not, I would like to request it, since we would need to add info like our support contact info if the user has any questions.
0
Employee Replied
Employee Post
Jorge, at this time the system-generated messages are not customizable. The ability to customize these and all system messages has been added to our features request list and will be included in a future release of SM.
0
Jaime Replied
Thanks Robert, is there a way to see what the message contains? It is very important to customize them and even have them translatable since we deal with customers in Mexico and Brazil, so the system messages in English might not be understood and it's a very important issue.
0
Employee Replied
Employee Post
Jorge, we understand the importance of customizing the system-generated emails especially for our customers who in turn deal with non-English customers. Until the customization is implemented, you can view your non-compliant customers (SystemAdmin -> Manage -> Password Policy Compliance) and send those customers an e-mail you draft in the appropriate language.
1
Brian A. Replied
Lock / disable (option for temp / perm) an account after XX failed login attempts -- Has this been added?
 
I understand that there are brute force settings for protocols, but I cannot find a setting for attempts made through webmail interface.  Is there a setting to lock/disable an account after XX failed login attempts?
