Password security policies

By implementing standard password security policies, OneContact's security against attacks is increased. Here you'll find information about the password policies, the account lockout policies, the user account options and the login and password operations that enforce them.

Password security policies

The following password policies can be activated on a per-instance basis. They are the standard Windows password policies. These policies apply to all OneContact agents and supervisor users (system administrators, administrators and supervisors); Active Directory (Windows) users are excluded.

If the ApplyPasswordPoliciesToSIP (boolean) instance parameter is set to true, the password and account lockout policies are applied to both user passwords and agent SIP passwords (SIP users are always excluded); if not, they are applied only to user passwords. When OneProxy and/or OneSipConnector, the components responsible for applying these policies to the agent SIP passwords, are not integrated with or connected to OneContact (that is, they fetch their configuration from the config file), these policies are disabled.

The parameters indicated for each policy are exposed as component parameters.

To keep previous behaviour after an upgrade, all policies are disabled. On new installations, however, the defaults are the standard recommended values.

When a policy is not satisfied, the user is shown the message “The password does not meet the password policy requirements.”, followed by the policies that are being infringed.

Enforce password history

Enforce password history prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password is remembered, and a value of 5 means that the previous five passwords are remembered.

Parameter: EnforcePasswordHistory, integer (0-24)

This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.

This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.

Tip: Use a number that is greater than 1.


Maximum password age

Maximum password age sets the maximum number of days that a password is valid. After this number of days, the user has to change the password and is directed to a change password screen on login.

Parameter: MaximumPasswordAge, integer (0-999)

This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Tip: Set a maximum password age of 70 days. Setting the number of days too high provides hackers with an extended window of opportunity to crack the password. Setting the number of days too low might be frustrating for users who have to change their passwords too frequently.


Minimum password age

Minimum password age sets the minimum number of days that must pass before a password can be changed.

Parameter: MinimumPasswordAge, integer (0-MaximumPasswordAge)

This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.

The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.

Tip: Set the minimum password age to at least 1 day. By doing so, you require that the user can only change their password once a day. This will help to enforce other settings. For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse their original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing their original password on the same day.


Minimum password length

Minimum password length specifies the minimum number of characters a password must have.

Parameter: MinimumPasswordLength, integer (1-14)

This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters.

Tip: Set the length between 8 and 12 characters (provided that they also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or common phrase.


Password must meet complexity requirements

Requires that passwords:

  • Contain characters from at least three of the following categories: uppercase letters, lowercase letters, numbers, symbols (punctuation marks)
  • Don't contain the user's user name or full name

Parameter: PasswordComplexity, boolean; enables or disables the policy.
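
As an added example (not OneContact's own code), the checks above written out in Python: a candidate password is evaluated against the history, length and complexity policies and the names of the infringed policies are returned, the list that follows the error message shown earlier on this page. Class and function names are assumptions, the history is held as plain SHA-256 hashes for illustration only, and the last function applies the Maximum/Minimum password age rules from the sections above.

```python
import hashlib
import string
from dataclasses import dataclass, field

@dataclass
class PasswordPolicy:
    enforce_password_history: int = 5   # 0-24 remembered passwords (0 disables the check)
    minimum_password_length: int = 8    # 1-14 characters
    password_complexity: bool = True    # enable/disable the complexity policy

@dataclass
class UserAccount:
    user_name: str
    full_name: str
    # Hashes of the current and previous passwords, most recent first (constructed;
    # a real store would keep salted password hashes, not plain SHA-256).
    password_history: list = field(default_factory=list)

def password_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def meets_complexity(password: str, user: UserAccount) -> bool:
    """Three of four character categories, and neither the user name nor the full name inside."""
    categories = (any(c.isupper() for c in password), any(c.islower() for c in password),
                  any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(categories) < 3:
        return False
    lowered = password.lower()
    # Assumption: each part of the full name ("John", "Smith") is checked as well as the whole.
    names = [user.user_name, user.full_name] + user.full_name.split()
    return not any(n and n.lower() in lowered for n in names)

def infringed_policies(password: str, user: UserAccount, policy: PasswordPolicy) -> list:
    """Names of the policies a candidate password violates; an empty list means it is accepted."""
    failures = []
    if len(password) < policy.minimum_password_length:
        failures.append("Minimum password length")
    if policy.password_complexity and not meets_complexity(password, user):
        failures.append("Password must meet complexity requirements")
    remembered = user.password_history[:policy.enforce_password_history]  # last N passwords
    if password_hash(password) in remembered:
        failures.append("Enforce password history")
    return failures

def age_settings_valid(maximum_password_age: int, minimum_password_age: int) -> bool:
    """Maximum 1-999 days needs minimum < maximum; maximum 0 (never expires) allows minimum 0-998."""
    if maximum_password_age == 0:
        return 0 <= minimum_password_age <= 998
    return 1 <= maximum_password_age <= 999 and 0 <= minimum_password_age < maximum_password_age
```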


Account Lockout Policies

Account lockout policies control how and when accounts are locked out of the system. These policies are described and implemented as follows:


Account Lockout Duration

If someone violates the lockout controls, Account lockout duration sets the length of time the account is locked.

Parameter: AccountLockoutDuration, integer (0-99,999), minutes

The lockout duration can be set to a specific length of time using a value between 1 and 99,999 minutes. A value of zero specifies that the account is locked indefinitely; the administrator must manually unlock the account.

Tip: The best security policy is to lock the account indefinitely by setting the lockout duration to zero. When this is done, only an administrator can unlock the account. This will prevent hackers from trying to access the system again and will force users who are locked out to seek help from an administrator, which is usually a good idea. By talking to the user, the administrator can determine what the user is doing wrong and help the user avoid problems.


Account Lockout Threshold

The Account lockout threshold sets the number of invalid logon attempts that are allowed before an account is locked out. If lockout controls are used they should be set to a value that balances the need to prevent account cracking against the needs of users who are having difficulty accessing their accounts.

Parameter: AccountLockoutThreshold, integer (0-999)

The lockout threshold can be set to any value from 0 to 999. If the lockout threshold is set to zero, accounts will not be locked out due to invalid logon attempts. Any other value sets a specific lockout threshold. Keep in mind that the higher the lockout value, the higher the risk that a hacker may be able to break into a system.


Reset Account Lockout Threshold After

Every time a logon attempt fails, the system raises the value of a threshold that tracks the number of bad logon attempts. The Reset account lockout threshold after setting determines how long the lockout threshold is maintained. This threshold is reset in one of two ways. If a user logs on successfully, the threshold is reset. If the waiting period for Reset account lockout threshold after has elapsed since the last bad logon attempt, the threshold is also reset.

Parameter: ResetAccountLockoutThresholdAfter, integer (1-99,999), minutes

Tip: By default, the lockout threshold is maintained for one minute, but any value can be set from 1 to 99,999 minutes. As with Account lockout threshold, select a value that balances security needs against user access needs. A good value is from one to two hours. This waiting period should be long enough to force hackers to wait longer than they want to before trying to access the account again.
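
An added example, not OneContact's own code, of the bookkeeping the three lockout settings imply: failed logons are counted, the counter is cleared on a successful logon or once the reset window has elapsed since the last bad logon, and reaching the threshold locks the account for the lockout duration or, with a duration of zero, until an administrator unlocks it. Class, field and function names are assumptions; time is passed in as minutes on a caller-supplied clock.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    account_lockout_threshold: int = 5               # bad logons before lockout; 0 disables lockout
    account_lockout_duration: int = 30               # minutes; 0 = locked until an administrator unlocks
    reset_account_lockout_threshold_after: int = 60  # minutes since the last bad logon

@dataclass
class AccountState:
    bad_attempts: int = 0
    last_bad_attempt: Optional[float] = None  # timestamps are minutes on a caller-supplied clock (constructed)
    locked_since: Optional[float] = None
    locked_out: bool = False

def admin_unlock(state: AccountState) -> None:
    """Manual unlock by an administrator; also clears the bad-logon counter."""
    state.locked_out = False
    state.locked_since = None
    state.bad_attempts = 0
    state.last_bad_attempt = None

def is_locked_out(state: AccountState, policy: LockoutPolicy, now: float) -> bool:
    """True while the lockout is in force; expires the lockout once its duration has elapsed."""
    if not state.locked_out:
        return False
    if policy.account_lockout_duration == 0:
        return True  # indefinite lockout: only admin_unlock() clears it
    if now - state.locked_since >= policy.account_lockout_duration:
        admin_unlock(state)  # duration elapsed: same effect as a manual unlock
        return False
    return True

def record_logon(state: AccountState, policy: LockoutPolicy, now: float, password_ok: bool) -> str:
    """Apply one logon attempt; returns 'ok', 'bad-password' or 'locked'.
    The counter resets on success or when the reset window has passed since the last bad logon."""
    if is_locked_out(state, policy, now):
        return "locked"  # user sees "Your account is locked. Please contact your system administrator"
    if password_ok:
        state.bad_attempts = 0
        return "ok"
    if (state.last_bad_attempt is not None
            and now - state.last_bad_attempt >= policy.reset_account_lockout_threshold_after):
        state.bad_attempts = 0
    state.bad_attempts += 1
    state.last_bad_attempt = now
    if policy.account_lockout_threshold and state.bad_attempts >= policy.account_lockout_threshold:
        state.locked_out = True
        state.locked_since = now
        return "locked"
    return "bad-password"
```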


User account options

The following settings can be set at the user creation (agents, supervisors, system administrators and administrators) or when editing them:

User Must Change Password at Next Logon (boolean): This option allows you to create a one-time-only password that can get the user started with OneContact. The first time the user logs on to OneContact, he is asked to change the password. Default: true (on create), false (after upgrade).

Password Never Expires (boolean): specifies whether the password will never expire, and overrides the Maximum password age policy. This setting overrides User must change password at next logon.

Account is disabled (boolean): Specifies whether the selected account is disabled.

Account is locked out (boolean): Indicates whether the account is locked out, which means that the user is not able to log on.

  • If the check box is unavailable and cleared, the account is not currently locked out.
  • If this check box is available and selected, the account is currently locked out. You can clear the check box to unlock the account.
  • This option cannot be used to actually lock out an account. There is only one way that an account can be locked out: the user tries to log on more than the number of times that are specified in the Account lockout policies. If you want to prevent the use of an account, disable it. A user whose account has been disabled cannot log on until a member of the Administrators group enables the account.

These new settings, with the exception of “Account is locked out”, are available when creating or importing users.

Operations


Login

If the maximum password age is reached the user is directed to a change password screen (except on Supervisor Mobile and Visio Plugin). Only after changing the password, thus complying with the policy, can he proceed with the login.

After login, if the current password has reached 80% of the maximum password age, the user is notified that their current password will expire within x days. For OneAgent and OneAgent Web the notification is presented as a toast message. For OneSupervisor, a key icon is presented in the lower left status bar.

If the account is locked out the following message appears to the user: “Your account is locked. Please contact your system administrator”.

The following applications must be changed to comply with these requirements:

  • OneAgent
  • OneAgent Web
  • OneAgent Mobile
  • OneSupervisor
  • OneSupervisor Mobile (only login, without change password screen)
  • Visio Plugin (only login, without change password screen)
  • OneConnectSiebel (login and add change password command to driver)
  • Excel Reports (only login)


Create or Import Users

If the password doesn’t meet the password policy requirements a message is presented to the user.

A password strength meter is shown to the user as he types the new password.

When importing users through a CSV file, if a provided password does not comply with the active policies, that user is not imported. The user performing the import has the option (in the import screen) to request automatic password generation; in this case the password fields in the file are ignored.

Change or Set Password

When users change their own password they must provide the old password, the new password and a confirmation of the new password. To change the password successfully the old password must be correct.

When the password is being set by a different user with appropriate permissions (for example, a supervisor resetting an agent's password) the old password is not requested.

If the password doesn’t meet the password policy requirements a message is presented to the user.

A password strength meter is shown to the user as he types the new password, in OneAgent, OneAgent Web and OneSupervisor.

Password Strength Meter

The password strength meter will evaluate the following conditions:

  • At least one uppercase and one lowercase letter
  • At least one number
  • At least one special character
  • A length of at least six characters

The score is proportional to the number of conditions that are met. It is shown to the user as a color-changing bar whose size increases with the score. Its color goes from red (weak) to orange (medium), yellow (good) and green (strong).

Generate Password

When creating a user or resetting their password, administrators have an option to automatically generate a password that meets the password policies currently in place. It has the minimum length required and always meets the password complexity requirements, even when the complexity policy is not active.

Distributing password to the users

Delivering the first passwords to new users can be a complex task. To help with these logistics, OneContact will have an option to email the account details, including the password, to users upon creation or reset of their password. This operation can only be performed if the user's email address is filled in.

To send those emails an SMTP account must be configured in OneContact.

Note: The default OneContact users (sysadmin and admin) have the “user must change password at next logon” setting active. Their first password will remain equal to the username.