'Disable password strength for existing passwords' does not work
Problem reported by CCWH - 6/13/2015 at 11:11 AM
Hello all,
Firstly, I know this is not best practice...just bear with me!
We have taken on a new client which has its own SM server.  We will be migrating all of their domains across to our SM instances; however, in the meantime we have implemented an updated password policy, as there wasn't one previously.  However, they will still be adding users until we migrate, which will be in the coming months. So, we decided to modify the password policy but also enable 'Disable password strength for existing passwords' so that this didn't initially affect existing users. However, this did not work!  In fact, all users who didn't meet the password policy received the 'Password policy violation' email!  Each and every one of them, as all of them had bad password choices!  This is a different matter.
So, has anyone else seen this?  Does the check box for 'Disable password strength for existing passwords' actually do something entirely different to what I think it does? i.e. enable the password policy for any new mailboxes but leave the old insecure ones alone?
Any clarification would be great :-)
This is in SM 13.4 Pro by the way.

Scarab Replied
This is a known issue. Not sure if it ever got fixed in SM 14 or not, but this problem snuck into SM as of v13.3.5535. This was reported back in this thread:
Scarab Replied
As to the second part of your question: The function 'Disable password strength for existing passwords' allows existing passwords to continue to violate the Password Policy which is still enforced on any newly created accounts (basically a grandfather clause).
CCWH Replied
I can confirm this issue still exists in SM v14 then :-(
Employee Replied
Can admins please verify whether the "Disable outgoing SMTP when auto-block grace period ends" option is also checked when you have "Disable password strength for existing passwords" enabled?  To clarify, if the "Disable outgoing SMTP" option is unchecked, then any new user or change to an existing password would have to meet the password requirements.  All existing passwords would "ignore" the new requirements.  However, if you have "Disable outgoing SMTP when auto-block grace period ends" checked, it essentially overrides the "Disable password strength for existing passwords" option.  The server will check all passwords against the password requirements and notify violating users according to the "User Notification Timing" rule specified.
The "Disable outgoing SMTP" option was devised to alert password-violating users that they need to update their passwords within XX number of days.  This is so admins are not inundated with tickets if password changes went immediately into effect.
Are there any scenarios in which admins would want both of those options enabled simultaneously?
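To make the option interaction described in the reply above concrete, here is a small Python model of it. This is an added example, not SmarterMail code: the field names, the strength rules, and the sample accounts are all assumptions constructed for illustration. It encodes the stated behaviour: passwords set after the policy took effect are always checked; existing passwords are grandfathered when "Disable password strength for existing passwords" is on, unless "Disable outgoing SMTP when auto-block grace period ends" is also on, in which case every password is checked and violators are queued for notification.

```python
import re
from dataclasses import dataclass

# Hypothetical model of the described option interaction (not SmarterMail code).
# Field names below are assumptions chosen to mirror the option labels in the thread.


@dataclass
class PasswordRequirements:
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    # "Disable password strength for existing passwords" (grandfather clause)
    grandfather_existing: bool = True
    # "Disable outgoing SMTP when auto-block grace period ends"
    disable_smtp_after_grace: bool = False


@dataclass
class Account:
    email: str
    password: str
    # True if the password was created or changed after the policy took effect
    set_after_policy: bool = False


def violations(password: str, req: PasswordRequirements) -> list[str]:
    """Return the list of requirements the password fails (empty = compliant)."""
    problems = []
    if len(password) < req.min_length:
        problems.append(f"shorter than {req.min_length} characters")
    if req.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if req.require_lower and not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if req.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if req.require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def is_enforced(acct: Account, req: PasswordRequirements) -> bool:
    """Decide whether the requirements apply to this account's current password."""
    if acct.set_after_policy:
        return True  # new or changed passwords are always checked
    if req.disable_smtp_after_grace:
        return True  # override: the server checks every password
    return not req.grandfather_existing  # otherwise the grandfather clause applies


def accounts_to_notify(accounts: list[Account], req: PasswordRequirements) -> list[str]:
    """Emails that would receive a 'Password policy violation' notification."""
    return [a.email for a in accounts
            if is_enforced(a, req) and violations(a.password, req)]


# Constructed sample data: two pre-existing accounts, two created after the policy.
SAMPLE_ACCOUNTS = [
    Account("old-weak@example.test", "password"),
    Account("old-strong@example.test", "Tr0ub4dor&3"),
    Account("new-weak@example.test", "letmein", set_after_policy=True),
    Account("new-strong@example.test", "C0rrect-Horse!", set_after_policy=True),
]


def notify_list(smtp_override: bool) -> list[str]:
    """Run the check with the grandfather clause on, with or without the SMTP override."""
    req = PasswordRequirements(grandfather_existing=True,
                               disable_smtp_after_grace=smtp_override)
    return accounts_to_notify(SAMPLE_ACCOUNTS, req)


if __name__ == "__main__":
    print("grandfather only   ->", notify_list(smtp_override=False))
    print("with SMTP override ->", notify_list(smtp_override=True))
```

With only the grandfather option set, just the newly created weak password is flagged; enabling the SMTP-disable option pulls the pre-existing weak password back into the check, which is the mass-notification behaviour the thread describes. Note that grandfathering never makes a weak existing password safe; it only defers the notification.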
Scarab Replied
The only options we do not have (and have not ever) enabled in SECURITY > PASSWORD REQUIREMENTS are "Password Expiration" and "Disable outgoing SMTP when auto-block grace period ends".
After the first time that User Notifications were automatically sent out to all existing users who did not meet password requirements (despite having "Disable password strength for existing passwords" checked), which occurred after installing the v13.3.5535 upgrade, we set our User Notification Timing to 365 days in fear of a repeat. It hasn't sent the automated notifications since upgrading to two different v14 versions, but I personally won't know for sure whether the problem persists until March 2016, when the User Notification Timing variable has passed.
(Thankfully you have allowed us to alter the automated User Notifications in v14, so we preemptively updated ours with letterhead, signatures, F.A.Q. links, CSS and HTML so it looks legit and is less likely to cause customer backlash if it automatically goes out again.)