
Customer Portal - Password Policies


Martyn Houghton


Can I clarify that the System > Advanced Settings 'security.guest.xxxxxx' settings are applicable to both the customer and service portals, but on the former if using Single Sign On for the service portal?

Also with reference to 'security.guest.passwordPolicy.checkBlacklists', where is the blacklist maintained from, or is this a centralised platform list maintained by yourselves?

Cheers

Martyn


Hi Martyn

The security.guest.xxxxxx settings only apply to the Customer Portal; the service portal uses the security.user.xxxxxx settings. If you have Single Sign On enabled, none of these settings are read, as Hornbill never sees a user's password; it's all controlled from whichever source your SAML Auth Provider is connected to, like AD.

I am unsure of the password blacklists; I will get someone from our platform team to confirm this setting.

Kind Regards

Trevor Killick


@TrevorKillick

Just one more thought: there does not appear to be any option at this time to expire passwords after a set period of time; therefore, if you enable or change these settings, there is no automated mechanism that will force the users to change their password and comply with them.

Are there any plans to provide a password duration expiry facility?

Cheers

Martyn


@Martyn Houghton

There is nothing currently in the short term backlog for this. When you say password expiry "process", I guess the devil is in the detail here, as if we have an expiry process you would also want/need a recovery process too, right? Can you expand on your use case just so we have a clearer picture of what you are trying to achieve?

Thanks

Gerry


@Gerry

I was presuming the existing 'Forgotten Password' process would allow a customer to reset their password and thereby enforce the new password policies on their replacement password. Though thinking about it a bit more, it would make sense for the label of the link they see when they attempt to log in after the password has expired to be changed to 'Password Reset', to match the naming convention used in the email sent out when the current link is used.

The scenario is that at the moment we can set all of the password policies available in the settings which will affect new users and existing users changing their passwords, but there is no way to apply this to the existing accounts.

Cheers

Martyn


@Martyn Houghton

Yeah, I think that's the problem though: the forgotten password policy and process is quite different to a password expired policy; the latter requires advance notice and options/prompts to change when you log in. While it's quite common for internal systems to have this ability, it's very unusual to have external/public systems behave in this way - apart from LAN access I cannot remember a time when I have been told my password had expired. LinkedIn was the last one I think, a few years back.

So your requirement is, you want to be able to change your password policies globally, then have it so the next time a user logs in they are forced to change their portal password?

Gerry


@Gerry

Sort of. If their password is 'compliant' I would not want to force a change on every account.

Thinking about it a bit wider, at the moment we provision a user and set their password for them; they are not forced to change the password even though we in effect know what it is at this stage.

Perhaps there should be a flag on a customer portal account to require the password to be changed on next login. This can then be an option when portal account passwords are set either as part of account creation or being reset by the service desk manually.

Then the same flag could either be updated selectively using a job which evaluates the password against the current policies, manually or in bulk.

It would be useful to also have a last login time and last password change field added to the database so that we can monitor and archive/delete accounts which are no longer used. At the moment looking in the database it only holds the lockout time and failed login counts.

Cheers

Martyn 


@Martyn Houghton

Ok, I will add it to our list of things to look at; not sure how quickly we can get to this though, as we have a lot going on at the moment and of course people are only just coming back after the summer holidays. The problem with this sort of change is it involves multiple teams, and changes need to be progressively rolled out up the stack, so it will take some time. In any case, we will investigate and plan what is possible and take it from there.

Gerry


@Gerry, @James Ainsworth

Is there any update on customer portal account password expiry/forced password change on first login? This is becoming a more prominent issue for our security audit, as there is no way to force users to change their password either after we have set it/reset it or on a regular basis, which as per above also means that any changes to password policies are not being enforced.

Cheers

Martyn
