Implementing standard password security policies increases OneContact's resistance to attacks. Here you'll find information about:
Password security policies
The following password policies can be activated on a per-instance basis. These are standard Windows policies. They apply to all OneContact agent and supervisor users (system administrators, administrators and supervisors); Active Directory (Windows) users are excluded.
The indicated parameters are presented as component parameters.
To keep previous behaviours after an upgrade, all policies are disabled. On new installations the defaults are the standard recommended values.
When a policy is not satisfied, the message “The password does not meet the password policy requirements.” is presented to the user, followed by the policies that are being infringed:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
Enforce password history
Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered.
Parameter: EnforcePasswordHistory, integer (0-24)
This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.
This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.
Default: 0 (upgrade), 5 (new)
Tip: Use a number that is greater than 1.
Maximum password age
Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password. The user is directed to a change password screen on login. This policy has no effect on SIP passwords.
Parameter: MaximumPasswordAge, integer (0-999)
This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.
Default: 0 (upgrade), 70 (new)
Tip: Set a maximum password age of 70 days. Setting the number of days too high provides hackers with an extended window of opportunity to crack the password. Setting the number of days too low might be frustrating for users who have to change their passwords too frequently.
Minimum password age
Sets the minimum number of days that must pass before a password can be changed.
Parameter: MinimumPasswordAge, integer (0-MaximumPasswordAge)
This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
Default: 0 (upgrade), 1 (new)
Tip: Set the minimum password age to at least 1 day. By doing so, you require that the user can only change their password once a day. This will help to enforce other settings. For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse their original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing their original password on the same day.
Minimum password length
Specifies the fewest number of characters a password can have.
Parameter: MinimumPasswordLength, integer (1-14)
This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters.
Default: 1 (upgrade), 7 (new)
Tip: Set the length between 8 and 12 characters (provided that they also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or common phrase.
Password must meet complexity requirements
Requires that passwords:
- Satisfy the minimum password length (see Minimum password length)
- Contain a combination of at least three of the following characters: uppercase letters, lowercase letters, numbers, symbols (punctuation marks)
- Don't contain the user's user name or full name
Parameter: PasswordComplexity, bool
Default: false (upgrade), true (new)
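The following Python module is an added example, not OneContact's own code: it applies the five policies described above to a candidate password and returns the names of the policies it infringes, in the order the page lists them, which is what the message “The password does not meet the password policy requirements.” is followed by. The parameter names are the page's; the `PasswordPolicy`, `UserAccount` and function names, and the use of SHA-256 digests to represent the remembered password history, are assumptions made for this example. It also evaluates the Maximum password age at login, using the 80% warning threshold stated later on this page, and honours the Password Never Expires account option.

```python
# Added example (not OneContact's code): applies the five password policies
# described above. Parameter names follow the page; UserAccount, the hashed
# password history and the helper names are assumptions for this example.
from dataclasses import dataclass, field
from datetime import date
import hashlib
import string


@dataclass
class PasswordPolicy:
    EnforcePasswordHistory: int = 5     # 0-24 remembered passwords (0 = off)
    MaximumPasswordAge: int = 70        # days, 0 = passwords never expire
    MinimumPasswordAge: int = 1         # days, 0 = change allowed immediately
    MinimumPasswordLength: int = 7      # 1-14 characters
    PasswordComplexity: bool = True


def policy_errors(policy: PasswordPolicy) -> list:
    """Range checks from the page, including the minimum/maximum age rule."""
    errors = []
    if not 0 <= policy.EnforcePasswordHistory <= 24:
        errors.append("EnforcePasswordHistory must be 0-24")
    if not 0 <= policy.MaximumPasswordAge <= 999:
        errors.append("MaximumPasswordAge must be 0-999")
    if not 1 <= policy.MinimumPasswordLength <= 14:
        errors.append("MinimumPasswordLength must be 1-14")
    # With a finite maximum age the minimum must be strictly smaller;
    # with maximum 0 (never expires) the minimum may be 0-998.
    upper = 998 if policy.MaximumPasswordAge == 0 else policy.MaximumPasswordAge - 1
    if not 0 <= policy.MinimumPasswordAge <= upper:
        errors.append("MinimumPasswordAge must be less than MaximumPasswordAge")
    return errors


@dataclass
class UserAccount:
    user_name: str
    full_name: str
    password_changed_on: date
    password_never_expires: bool = False          # "Password Never Expires" option
    history: list = field(default_factory=list)   # digests, current password first


def digest(password: str) -> str:
    # Stand-in for however the product stores remembered passwords (assumption).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str, user: UserAccount) -> bool:
    """Three of four character classes, and no user name or full name inside."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        return False
    lowered = password.lower()
    return not any(n and n.lower() in lowered for n in (user.user_name, user.full_name))


def infringed_policies(new_password: str, user: UserAccount,
                       policy: PasswordPolicy, today: date) -> list:
    """Names of the policies a password change would infringe; empty = accepted."""
    failures = []
    remembered = user.history[:policy.EnforcePasswordHistory]
    if policy.EnforcePasswordHistory > 0 and digest(new_password) in remembered:
        failures.append("Enforce password history")
    if (policy.MinimumPasswordAge > 0
            and (today - user.password_changed_on).days < policy.MinimumPasswordAge):
        failures.append("Minimum password age")
    if len(new_password) < policy.MinimumPasswordLength:
        failures.append("Minimum password length")
    if policy.PasswordComplexity and not meets_complexity(new_password, user):
        failures.append("Password must meet complexity requirements")
    return failures


def password_age_status(user: UserAccount, policy: PasswordPolicy, today: date):
    """Login-time outcome of the Maximum password age policy:
    ('expired', 0)      -> user is sent to the change-password screen
    ('warn', days_left) -> past 80% of the maximum age, notify the user
    ('ok', days_left)   -> nothing to do (days_left is None when it never expires)"""
    if policy.MaximumPasswordAge == 0 or user.password_never_expires:
        return ("ok", None)
    age = (today - user.password_changed_on).days
    remaining = policy.MaximumPasswordAge - age
    if remaining <= 0:
        return ("expired", 0)
    if age >= 0.8 * policy.MaximumPasswordAge:
        return ("warn", remaining)
    return ("ok", remaining)
```

With the upgrade defaults (`PasswordPolicy(0, 0, 0, 1, False)`) every check is a no-op, which is the “keep previous behaviours” case; with the new-installation defaults a password that reuses one of the last five digests, is changed twice on the same day, is shorter than seven characters, or contains the user's name is refused with the matching policy name.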
Account Lockout Policies
Account lockout policies control how and when accounts are locked out of the system. OneContact accounts and SIP accounts are treated independently, as different accounts. These policies are described and implemented as follows:
Account Lockout Duration
If someone violates the lockout controls, Account lockout duration sets the length of time the account is locked.
Parameter: AccountLockoutDuration, int (0-99999), minutes
The lockout duration can be set to a specific length of time using a value between 1 and 99999 minutes. A zero value specifies that the account will be locked indefinitely; the administrator must manually unlock the account.
Default: 0 (upgrade and new)
Tip: The best security policy is to lock the account indefinitely by setting the lockout duration to zero. When this is done, only an administrator can unlock the account. This will prevent hackers from trying to access the system again and will force users who are locked out to seek help from an administrator, which is usually a good idea. By talking to the user, the administrator can determine what the user is doing wrong and help the user avoid problems.
Account Lockout Threshold
The Account lockout threshold sets the number of invalid logon attempts that are allowed before an account is locked out. If lockout controls are used they should be set to a value that balances the need to prevent account cracking against the needs of users who are having difficulty accessing their accounts.
Parameter: AccountLockoutThreshold, int
The lockout threshold can be set to any value from 0 to 999. If the lockout threshold is set to zero, accounts will not be locked out due to invalid logon attempts. Any other value sets a specific lockout threshold. Keep in mind that the higher the lockout value, the higher the risk that a hacker may be able to break into a system.
Default: 0 (upgrade), 5 (new)
Reset Account Lockout Threshold After
Every time a logon attempt fails, the system raises the value of a threshold that tracks the number of bad logon attempts. The Reset account lockout threshold after setting determines how long the lockout threshold is maintained. This threshold is reset in one of two ways. If a user logs on successfully, the threshold is reset. If the waiting period for Reset account lockout threshold after has elapsed since the last bad logon attempt, the threshold is also reset.
Parameter: ResetAccountLockoutThresholdAfter, int (1-99999), minutes
Default: 1 (new and upgrade)
Tip: By default, the lockout threshold is maintained for one minute, but any value can be set from 1 to 99,999 minutes. As with Account lockout threshold, select a value that balances security needs against user access needs. A good value is from one to two hours. This waiting period should be long enough to force hackers to wait longer than they want to before trying to access the account again.
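The three lockout parameters above interact: the threshold counts bad attempts, the reset window decides when that count is forgotten, and the duration decides how long a lockout lasts (zero meaning until an administrator unlocks). The Python below is an added example, not OneContact's code, that models exactly that, keeping one counter per (account kind, account) so that a user account and a SIP account lock out independently as the page describes. Parameter names are the page's; `LockoutPolicy`, `LockoutTracker`, the account-kind keys and the result strings are assumptions for this example.

```python
# Added example (not OneContact's code): account lockout driven by the three
# parameters described above, with independent counters per account kind.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class LockoutPolicy:
    AccountLockoutThreshold: int = 5            # 0 = never lock out
    AccountLockoutDuration: int = 0             # minutes, 0 = until admin unlocks
    ResetAccountLockoutThresholdAfter: int = 1  # minutes since the last bad attempt


@dataclass
class LockoutState:
    bad_attempts: int = 0
    last_bad_attempt: Optional[datetime] = None
    locked_since: Optional[datetime] = None

    def is_locked(self, policy: LockoutPolicy, now: datetime) -> bool:
        if self.locked_since is None:
            return False
        if policy.AccountLockoutDuration == 0:
            return True   # indefinite: only admin_unlock() clears it
        return now < self.locked_since + timedelta(minutes=policy.AccountLockoutDuration)


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        # Keyed by (kind, account), e.g. ("user", "alice") and ("sip", "alice"),
        # so OneContact and SIP failures never share a counter (assumed keys).
        self.states: Dict[Tuple[str, str], LockoutState] = {}

    def state(self, kind: str, account: str) -> LockoutState:
        return self.states.setdefault((kind, account), LockoutState())

    def attempt(self, kind: str, account: str, credentials_ok: bool, now: datetime) -> str:
        """Record one logon attempt and return 'ok', 'failed' or 'locked'."""
        st = self.state(kind, account)
        # A timed lockout that has run its course is cleared before evaluating.
        if st.locked_since is not None and not st.is_locked(self.policy, now):
            st.locked_since = None
            st.bad_attempts = 0
        if st.is_locked(self.policy, now):
            return "locked"           # even a correct password is refused
        if credentials_ok:
            st.bad_attempts = 0       # successful logon resets the threshold
            st.last_bad_attempt = None
            return "ok"
        # Reset the counter if the observation window since the last bad attempt elapsed.
        window = timedelta(minutes=self.policy.ResetAccountLockoutThresholdAfter)
        if st.last_bad_attempt is not None and now - st.last_bad_attempt >= window:
            st.bad_attempts = 0
        st.bad_attempts += 1
        st.last_bad_attempt = now
        threshold = self.policy.AccountLockoutThreshold
        if threshold > 0 and st.bad_attempts >= threshold:
            st.locked_since = now
            return "locked"
        return "failed"

    def admin_unlock(self, kind: str, account: str) -> None:
        """Clearing the 'Account is locked out' check box."""
        st = self.state(kind, account)
        st.locked_since = None
        st.bad_attempts = 0
```

A caller shows “Your account is locked. Please contact your system administrator” whenever `attempt()` returns `'locked'`; note that with `AccountLockoutThreshold=0` the counter still increments but never locks, which is the page's disabled case.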
User account options
The following settings can be set when creating a user or when editing one:
User Must Change Password at Next Logon (boolean): This option allows you to create a one-time-only password that gets the user started with OneContact. The first time the user logs on to OneContact, they are asked to change the password. This option has no effect on SIP passwords. Default: true (on create), false (after upgrade).
Password Never Expires (boolean): specifies whether the password will never expire, and overrides the Maximum password age policy. This setting overrides User must change password at next logon.
Account is disabled (boolean): Specifies whether the selected account is disabled. There is a field for the user account, another for the sip account, in the user and workstation entities.
Account is locked out (boolean): Indicates whether the account is locked out, which means that the user is not able to log on. There is a field for the user account, another for the sip account, in the user and workstation entities.
- If the check box is unavailable and cleared, the account is not currently locked out.
- If this check box is available and selected, the account is currently locked out. You can clear the check box to unlock the account.
- This option cannot be used to actually lock out an account. There is only one way that an account can be locked out: the user tries to log on more than the number of times that are specified in the Account lockout policies. If you want to prevent the use of an account, disable it. A user whose account has been disabled cannot log on until a member of the Administrators group enables the account.
These new settings, with the exception of “Account is locked out”, are available when creating or importing users.
If the ApplyPasswordPoliciesToSIP (boolean) instance parameter is set to true, a selected set of the password and account lockout policies (the exclusions are defined below) is applied to both user and agent SIP passwords (SIP users are always excluded); if not, they are only applied to user passwords.
The “Maximum password age” password security policy is not applied to the SIP passwords, because agent users cannot change their own SIP password, so it doesn't make sense to impose an expiration date. For the same reason the “User must change password on next logon” account option has no effect on the SIP password: the user must change their “main” password but not the SIP password.
The sip extension and password, associated with users and workstations, are distinct from the user accounts. The “account is disabled” and “account is locked out” fields are defined for the workstation and user entities – in the case of the user there will be a set of fields for the user account and another for the sip account.
Failed authentication attempts on SIP accounts are counted in different counters from failed OneContact login attempts, which means that lockout policies also work independently for these two types of accounts.
When OneProxy and/or OneSipConnector, the components responsible for applying these policies to the agent SIP passwords, are not integrated with or connected to OneContact (and fetch their configuration from the config file), these policies are disabled.
- Create or Import Users
- Change or Set Password
- Password Strength Meter
- Generate Password
- Distributing password to the users
- Default users
- Future developments
If the maximum password age is reached, the user is directed to a change password screen (except on Supervisor Mobile and Visio Plugin). Only after changing the password, thus complying with the policy, can the user proceed with the login.
After login, if the current password has reached 80% of the maximum password age, the user is notified that the current password will expire within x days. For OneAgent and OneAgent Web the notification is presented in a toast message. For OneSupervisor, a key icon is presented in the lower left status bar.
If the account is locked out the following message appears to the user: “Your account is locked. Please contact your system administrator”.
The following applications must be changed to comply with these requirements:
- OneAgent Web
- OneAgent Mobile
- OneSupervisor Mobile (only login, without change password screen)
- Visio Plugin (only login, without change password screen)
- OneConnectSiebel (login and add change password command to driver)
- Excel Reports (only login)
Create or Import Users
If the password doesn’t meet the password policy requirements a message is presented to the user.
A password strength meter is shown to the user as he types the new password.
When importing users through a CSV file, if a provided password does not comply with the active policies, that user is not imported. The user has the option (in the import screen) to request automatic password generation; in this case the password fields in the file are ignored.
Change or Set Password
When users change their own password they must provide the old password, the new password and a confirmation of the new password. To change the password successfully the old password must be correct.
When the password is being set by a different user with appropriate permissions (for example, a supervisor resetting an agent's password), the old password is not requested.
If the password doesn’t meet the password policy requirements a message is presented to the user.
A password strength meter is shown to the user as the new password is typed, in OneAgent, OneAgent Web and OneSupervisor.
Password Strength Meter
The password strength meter will evaluate the following conditions:
- At least one uppercase and one lowercase letter
- At least one number
- At least one special character
- A length of at least six characters
The score is proportional to the number of conditions that are met. The score is shown to the user in the form of a colour-changing bar. The bar size increases with the score. Its colour goes from red (weak), to orange (medium), yellow (good) and green (strong).
Generate Password
When creating a user or resetting its password, administrators have an option to automatically generate a password that meets the password policies currently in place. It will have the minimum length required and will always meet the complex password policy requirements, even when that policy is not active.
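The following Python is an added example, not OneContact's code, that serves both the strength meter and the password generator described above: it scores a password against the four meter conditions and generates passwords from `secrets` that always contain all four character classes, so they satisfy the complexity policy (three of four classes) and score as strong. The mapping of scores 0 and 1 to red, and the choice to pad generated passwords to six characters when the configured minimum length is shorter (four classes need four characters and the meter's length condition needs six), are assumptions for this example.

```python
# Added example (not OneContact's code): the four-condition strength meter
# and a generator whose output always satisfies the complexity policy.
import secrets
import string

SYMBOLS = string.punctuation

# The four conditions the page lists, each scoring one point.
CONDITIONS = {
    "upper and lower letter": lambda pw: any(c.isupper() for c in pw) and any(c.islower() for c in pw),
    "number": lambda pw: any(c.isdigit() for c in pw),
    "special character": lambda pw: any(c in SYMBOLS for c in pw),
    "length >= 6": lambda pw: len(pw) >= 6,
}

# Colour per score; scores 0 and 1 both rendered red is an assumption.
COLORS = ["red", "red", "orange", "yellow", "green"]


def strength_score(password: str) -> int:
    """Number of conditions met, 0-4."""
    return sum(1 for check in CONDITIONS.values() if check(password))


def strength_meter(password: str) -> dict:
    """What the UI bar would show: score, bar fill and colour."""
    score = strength_score(password)
    return {"score": score, "bar_percent": 25 * score, "color": COLORS[score]}


def generate_password(minimum_length: int) -> str:
    """Generate a password of max(minimum_length, 6) characters containing at
    least one uppercase, one lowercase, one digit and one symbol."""
    length = max(minimum_length, 6)   # padding to 6 is this example's choice
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS]
    chars = [secrets.choice(cls) for cls in classes]        # one of each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with a CSPRNG so class positions are not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)
```

Because the generator guarantees every class, `strength_score(generate_password(n))` is 4 for any configured minimum length, which is the property the page promises for generated passwords.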
Distributing password to the users
Delivering the first passwords to new users can be a complex task. To help with this logistics, OneContact will have an option to email the account details, including the password, to the users upon creation or reset of their password. This operation can only be performed if the user email is filled in.
To send those emails an SMTP account must be configured in OneContact.
Default users
The default OneContact users (sysadmin and admin) have the “User must change password at next logon” setting active. Their first password remains equal to the username.
Future developments
- Password complexity – exclude common words (e.g., Password)
- Unlock account – self-service