New Password Policy

Due to some recent security breakdowns with our customer and their end-user accounts, we are now implement a stricter policy when it comes to password creation. All passwords are now required to have one number, one capital letter, one lower-case letter and cannot be or contain the username. Also, all passwords must be from 6 to 12 characters.

[Garreg]

?

From when ... i.e. will existing passwords cease to function after XXX date? hence we (and all our clients) needs to change them by them?

[jmbeach]

I'm guessing it's only for new passwords. My guess is it would be nearly impossible to get all users to change existing passwords

Also, this doesn't affect email passwords, right? They currently only require a minimum of 5 characters.

It only affects new passwords. People currently with weak passwords need to change them as we are considering auditing current passwords due to recent security concerns.

[Garreg]

Phew!!!!!

with in excess of 80 domains - the thought of editing passwords for FTP / CP / email etc.... (as I have diffrent for each) was making me reach for the old whisky jar.....

[Allen]

Does the new rule also apply to databases?

Allen

[jmbeach]

Matt, can you also confirm which passwords will need to take on the new requirements? As I said before, email passwords are currently at 5 characters, and typically people don't want strong passwords on their email accounts - makes them too hard to remember.

Is this only for CP/FTP?

[somereseller]

Thank you for taking these kind of issues seriously!

I believe mail passwords are affected as well. All other passwords are definitly affected.

You should ALWAYS use a strong password. They aren't necessarily hard to remember. Your other alternative is to get your stuff hacked, deleted, and if our server's are damaged, YOU are responsible.

[dwhite]

Thank you for doing this guys. I STRONGLY support this decision, and have been making my customers use an even more stringent policy for the last three years.

For those of you who are concerned about the admittedly daunting task of reviewing and updating passwords for many domains, I suggest you look on it as a bit of insurance against breakins because of weak passwords. The havoc and downtime that can be caused could take you far longer to recover, plus it can be a PR nightmare.

For stuff like this, I look at it as an opportunity to make a positive contact with my customer, and assuring them that I am looking out for their security. Everytime I do it, I get either more work or a surge of referrals.

Just my 2cp =)

EDIT: To use a good online resource for relatively strong password generator, go to http://www.winguides.com/security/password.php

[Brasil]

hehe...you guys are up to soooo many complaints!!!

"To have one number, one capital letter, one lower-case letter and cannot be or contain the username"

I can just see people going "what´s that again???"

or

A flood of complaints saying "what´s wrong with the cp, it doesn´t work, it gives me an error..."

And by the fifth message they click on to it.

Honestly, what seems simple here is just wild talk out there. But I guess we´ll have to configure an autoresponse for this sure same re-ocurring question.

Never mind...we´ll make it look good, as dwhite said.

Well, it should tell you right on the page what it needs to be. Look in the status bar. If your javascript works right, it should tell you.

[TicoGrande]

I would like to make a strong suggestion.

This new password policy is GOOD, but I notice there has been no change whatever to the Signup Form text content.

It still says "The password should be at least 5 characters long.

For security reasons it is recommended to use a combination of small letters, caps and numbers. After the registration, you can change the password at any time. For security purposes it is recommended that you do so on a regular basis."

If a bad password is entered, a pop up tells the real story, but I'd like to see the TEXT part corrected to not waste customer's time.

Also, they may not bother to read carefully the wording in the pop-up (which is adequate, BTW... but since it is wrong in the text area... wel you get the point)

Can you please make that change to the main text area?

Thanks

Tim

[TicoGrande]

Note to Alan

Yes... Databases are affected.

[javier011]

Quote:

Originally posted by TicoGrande
I would like to make a strong suggestion.

This new password policy is GOOD, but I notice there has been no change whatever to the Signup Form text content.

It still says "The password should be at least 5 characters long.

For security reasons it is recommended to use a combination of small letters, caps and numbers. After the registration, you can change the password at any time. For security purposes it is recommended that you do so on a regular basis."

If a bad password is entered, a pop up tells the real story, but I'd like to see the TEXT part corrected to not waste customer's time.

Also, they may not bother to read carefully the wording in the pop-up (which is adequate, BTW... but since it is wrong in the text area... wel you get the point)

Can you please make that change to the main text area?

Thanks

Tim

yup, this will need to be done!