Martyn Houghton, Posted May 15, 2017: Can I clarify that the System > Advanced Settings 'security.guest.xxxxxx' settings are applicable to both the customer and service portals, but on the former if using Single Sign On for the service portal? Also, with reference to 'security.guest.passwordPolicy.checkBlacklists', where is the blacklist maintained from, or is this a centralised platform list maintained by yourselves? Cheers, Martyn
TrevorKillick, Posted May 15, 2017: Hi Martyn, the security.guest.xxxxxx settings only apply to the Customer Portal; the service portal uses the security.user.xxxxxx settings. If you have Single Sign On enabled, none of these settings are read, as Hornbill never sees a user's password; it is all controlled from whichever source your SAML Auth Provider is connected to, like AD. I am unsure of the Password Blacklists; I will get someone from our platform team to confirm this setting. Kind Regards, Trevor Killick
Martyn Houghton (Author), Posted May 15, 2017: @TrevorKillick Thanks for the quick response and clarification on the first part. Cheers, Martyn
TrevorKillick, Posted May 16, 2017: @Martyn Houghton I have confirmed with Platform that the blacklists are internal to our Platform and are updated only by us for all customers. Kind Regards, Trevor Killick
Martyn Houghton (Author), Posted May 16, 2017: @TrevorKillick Thanks for the clarification. Cheers, Martyn
Martyn Houghton (Author), Posted May 16, 2017: @TrevorKillick Just one thought: I presume that on turning these on, they will take effect when the user next attempts to change their password, rather than applying immediately to users' existing passwords? Cheers, Martyn
Martyn Houghton (Author), Posted May 17, 2017: @TrevorKillick Just one more thought: there does not appear to be any option at this time to expire passwords after a set period of time; therefore if you enable or change these settings there is no automated mechanism that will force the users to change their password and comply with them. Are there any plans to provide a password duration expiry facility? Cheers, Martyn
Martyn Houghton (Author), Posted August 15, 2017: @TrevorKillick Just wondering if there were any further thoughts/plans to have a password duration expiry option on customer portal accounts, as without this there is no way to enforce/trigger the other password policies on existing accounts, of which we have several thousand. Cheers, Martyn
Martyn Houghton (Author), Posted August 29, 2017: @TrevorKillick, @James Ainsworth Are there any plans in the backlog to add a Password Expiry process? Cheers, Martyn
TrevorKillick, Posted August 29, 2017: @Martyn Houghton Regarding changing these settings, they will only apply to any future password updates. I will ask Platform and get back to you with a response regarding password expiry. Kind Regards, Trevor Killick
Gerry, Posted August 29, 2017: @Martyn Houghton There is nothing currently in the short term backlog for this. When you say password expiry "process", I guess the devil is in the detail here, as if we have an expiry process you would also want/need a recovery process too, right? Can you expand on your use case just so we have a clearer picture of what you are trying to achieve? Thanks, Gerry
Martyn Houghton (Author), Posted August 29, 2017: @Gerry I was presuming the existing 'Forgotten Password' process would allow a customer to reset their password and thereby enforce the new password policies on their replacement password. Though thinking about it a bit more, it would make sense that the label for the link when they attempt to log in after the password has expired be changed to 'Password Reset' to match the naming convention used in the email sent out when the current link is used. The scenario is that at the moment we can set all of the password policies available in the settings, which will affect new users and existing users changing their passwords, but there is no way to apply this to the existing accounts. Cheers, Martyn
Gerry, Posted August 29, 2017: @Martyn Houghton Yeah, I think that's the problem though: the forgotten password policy and process is quite different to a password expired policy; the latter requires advance notice and options/prompts to change when you log in. While it's quite common for internal systems to have this ability, it's very unusual to have external/public systems behave in this way; apart from LAN access I cannot remember a time when I have been told my password had expired. LinkedIn was the last one I think, a few years back. So your requirement is, you want to be able to change your password policies globally, then have it so the next time a user logs in they are forced to change their portal password? Gerry
Martyn Houghton (Author), Posted August 29, 2017: @Gerry Sort of. If their password is 'compliant' I would not want to force a change on every account. Thinking about it a bit wider, at the moment we provision a user and set their password for them; they are not forced to change the password even though we in effect know what it is at this stage. Perhaps there should be a flag on a customer portal account to require the password to be changed on next login. This can then be an option when portal account passwords are set, either as part of account creation or when being reset by the service desk manually. Then the same flag could be updated selectively using a job which evaluates the password against the current policies, manually or in bulk. It would be useful to also have a last login time and last password change field added to the database so that we can monitor and archive/delete accounts which are no longer used. At the moment, looking in the database, it only holds the lockout time and failed login counts. Cheers, Martyn
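The account flag, last-login and last-change fields, and the re-check of existing passwords against a changed policy that Martyn proposes above, worked through as an added illustration in Python. This is a hypothetical design, not Hornbill's code or schema; the field and function names (`must_change_password`, `policy_version`, `change_required`, `stale_accounts`) and the use of whole day numbers for time are assumptions made to keep it short.

```python
from dataclasses import dataclass
from typing import Optional
# Hypothetical model (not Hornbill's); times are whole day numbers for brevity.
@dataclass
class PasswordPolicy:
    version: int                        # bump whenever any password setting changes
    min_length: int = 8
    max_age_days: Optional[int] = None  # None = no duration expiry

@dataclass
class PortalAccount:
    username: str
    password: str                       # plaintext only for illustration; a real store keeps a hash
    must_change_password: bool = False  # set at provisioning or a service-desk reset
    password_changed_day: Optional[int] = None
    policy_version: int = 0             # policy the current password was last validated against
    last_login_day: Optional[int] = None

def meets_policy(password, policy):
    return len(password) >= policy.min_length

def change_required(acct, policy, today):
    """Reason a password change must be forced at this login, or None if compliant."""
    if acct.must_change_password:
        return "flag set at provisioning/reset"
    if (policy.max_age_days is not None and acct.password_changed_day is not None
            and today - acct.password_changed_day > policy.max_age_days):
        return "password older than max_age_days"
    # The plaintext exists only at login, so a policy change is applied here without forcing everyone.
    if acct.policy_version < policy.version and not meets_policy(acct.password, policy):
        return "password does not meet the current policy"
    return None

def login(acct, policy, today):
    acct.last_login_day = today
    reason = change_required(acct, policy, today)
    if reason is None:
        acct.policy_version = policy.version  # compliant under current policy: just stamp it
    return reason

def change_password(acct, new_password, policy, today):
    if not meets_policy(new_password, policy):
        raise ValueError("new password does not meet policy")
    acct.password, acct.must_change_password = new_password, False
    acct.password_changed_day, acct.policy_version = today, policy.version

def stale_accounts(accounts, today, inactive_days):
    """Usernames with no login within inactive_days, for archive/delete review."""
    return [a.username for a in accounts
            if a.last_login_day is None or today - a.last_login_day > inactive_days]
```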
Gerry, Posted August 29, 2017: @Martyn Houghton OK, I will add it to our list of things to look at; not sure how quickly we can get to this though, we have a lot going on at the moment and of course people are only just coming back after the summer holidays. The problem with this sort of change is it involves multiple teams and changes need to be progressively rolled out up the stack, so it will take some time. In any case, we will investigate and plan what is possible and take it from there. Gerry
Martyn Houghton (Author), Posted August 29, 2017: @Gerry Thanks for investigating if it is a possibility. Cheers, Martyn
Martyn Houghton (Author), Posted March 8, 2018: @Gerry Has there been any further thought on having the ability to expire customer portal passwords, so that we can ensure they are then compliant with the currently set password policies and also identify stagnant accounts? Cheers, Martyn
Martyn Houghton (Author), Posted July 23, 2018: @Gerry, @James Ainsworth Just wondering if there had been any further thought about portal account password expiry, as from an auditing point of view all the other password policies cannot be enforced for existing users. Cheers, Martyn
Martyn Houghton (Author), Posted August 22, 2018: @Gerry, @James Ainsworth Is there any update on customer portal account password expiry/forced password change on first login? This is becoming a more prominent issue for our security audit, as there is no way to force users to change their password either after we have set it/reset it or on a regular basis, which as per above also means that any changes to password policies are not being enforced. Cheers, Martyn
James Ainsworth, Posted August 22, 2018: Hi Martyn, Options for providing this are still being investigated. There are no scheduled changes to provide this as of yet, but I'll let you know if there are any updates. Regards, James
Martyn Houghton (Author), Posted August 23, 2018: @James Ainsworth Thanks for the update. I am wondering how other external support providers who are using the customer portal are ensuring compliance with good practices in terms of securing customer access and their data, or whether it's just me. Cheers, Martyn
Martyn Houghton (Author), Posted April 4, 2019: @James Ainsworth Is there any update on the ability for customer portal passwords to expire, which would then also trigger the application of any updated password policies? This is still a recurring issue from our Internal Security Audit. Cheers, Martyn
James Ainsworth, Posted April 5, 2019: Hi @Martyn Houghton There is nothing scheduled at the moment as far as I'm aware. I'll let you know if there are any changes in this. Regards, James
Martyn Houghton (Author), Posted April 8, 2019: @James Ainsworth Thanks. I would have thought this would have been a common tender requirement, as without the password expiry all other password policies are moot. Cheers, Martyn
Steven Cotterell, Posted November 12, 2019: @James Ainsworth / @Gerry, Is there any update on Martyn's request about expiring Customer Portal passwords after a configurable period of time? We have been asked this by a new external customer who are very hot on their security. Cheers, Steve.