Enforce stronger member passwords
Thank you for your attention!
"You can't! It's impossible! I'm far too busy, so ask me now before I can become sane." - Edna "E" Mode
Dena Silver commented
Our site was recently attacked and after a security assessment our consultant made the strong recommendation that we ask our members to update their passwords BUT also to ask WA to tighten their password requirements.
From the cyber security Consultant:
The Member Portal does not enforce complex passwords. According to Wild Apricot’s password settings page, the only requirement for user passwords is a minimum length of 7 characters. This allows users to choose very weak passwords for their accounts and can allow attackers to compromise those accounts with password guessing.
While it is not possible to configure the Member Portal’s password setting to a stronger setting, a support ticket should be created to request stronger passwords. You should contact Wild Apricot to request the ability to enforce stronger passwords for users.
Recommends the following settings for complex passwords:
* Increase the password length from 7 to 10 characters
* Require users to use upper and lower case letters
* Require users to use special characters in their password
Johannes van Berkel commented
We need stronger passwords (password policy) and / or Two Factor Authentication ASAP for at least all the admin users!!!!
FSGW webmaster commented
None of these security suggestions have yet been implemented. That is completely unacceptable. WA appears to be acting like they can trade off security features against functionality features. That is false. Security is part of the foundation under everything, along with reliability. Get smart, Wild Apricot, pay some real attention to user login security.
Just wondering if there has been any progression on this?
There are three issues:
* Passwords are being sent in cleartext in an email
* Generated passwords are not being forced to be changed on first login
* Passwords do not have any form of forced complexity other than 7 character length (I tested with the same character 7 times and it was accepted).
1. If Wild Apricot is going to send passwords in emails, members must be forced to change on log in.
2. Require stronger passwords! Longer or more complex.
The password situation makes me a bit sick and I think a lot of members decline to share info on the site because the password log in is so weak. Every time I consider the state of passwords on Wild Apricot I consider leaving and finding a more secure solution for managing member data.
Trent Colbert commented
+1 What's the point of protecting shared data like a directory if one person's password can bring the whole thing out in the open?
I am currently evaluating the product and have been happy with everything I've seen except passwords. I can't seem to find anything about forcing stronger passwords except this thread. Since this is not a feature that is currently available, does anyone have any recommendations about what I can do to force members to create stronger passwords? Tech Support sent me your way.
Jodi Roberts commented
I would like there to be other features related to password security as well. For example, security questions. Right now, from what I understand, if a member forgets their password, they simply request a new one. Then they get an emailed link to reset. Well, if someone hacks into their email, they can easily reset their WA password. Please strengthen password security through either security questions or a setting that requires admin resets.
Brian Frankel commented
My comment/reply is YES, this is needed and important. ASAP!
Admin can set password policy, system changes places, and too many attempts triggers a system block.
Also, if possible, restrictions by geographic region could be a huge plus. If I have no members in Russia, it would be great to disable that region.
You can look at Amazon Web Services as a great example of password policy.
I'm casting my vote for this feature - and just as Apricot Kernel described it. I would prioritize it as...
* allow admin enable/disable password strength setting (to a default strength)
* admin can set password strength (maybe just 5 preset settings, with none being the least)
* lockout for 10+ failed login attempts
In all cases, enforce only for new contacts or password changes. Don't affect existing users.
I agree. The solutions above sound perfect.
It is fairly standard now to have at least a basic password enforcement protocol. I would expect no less for our membership data.
Yes please! Your suggestion sounds fantastic!
Evgeny Zaritovskiy commented
Any comments or votes?
As far as I can see, we are talking about the following:
1) Site admin has a password policy page where he can define whether he wants to control how strong a password should be, how many attempts are allowed before login ability is blocked, and where to send an e-mail in this case. There is also an option to NOT force any restrictions for passwords (as it works now).
2) If any restriction policy is defined, the system changes all places where a new password can be set and forces the new password to comply with the site password policy.
3) If a login block is defined (after a number of tries) and a member has failed this many times, the system blocks the member from further login attempts and shows him a corresponding message (that he needs to contact the admin), sends an email to the member's address with a copy to the site admin.
Dmitry Buterin commented
For now we do not have any of this. I will move this to the wishlist so that we can collect feedback and prioritize.
Is there enforcement of minimum password length? I see no indication of this.
I would expect that a minimum password length be enforced and preferably checked for common bad passwords (e.g. abc123 ). Configurable length would be nice, but a global minimum length of like 8 chars would help.
Is there an automatic lockout for repeated failed login attempts? I can't tell, but if there is it would ease my mind. If so, after how many?
I think this is a security risk. If your organization has 50 or more members, there is almost a 100% probability that someone manually set their password to one of the commonly known weak passwords (http://en.wikipedia.org/wiki/Password_strength). Password strength should always be shown when manually changing your password and there should be an admin option to require strong passwords.
If someone could sneak into the site via a member's weak password, they would have access to the Member Directory and all information at the "Anyone" or "Members" level. I would suggest limiting information at either of those levels by default; users can manually change their profile to allow more information to be seen in the directory.
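The policy described across this thread (the consultant's 10-character minimum with upper, lower and special characters; Evgeny's three points of a configurable policy, enforcement wherever a password is set, and a lockout that notifies the member and the admin; and the later suggestion to reject commonly used passwords) is small enough to show as working code. The block below is an added illustration, not Wild Apricot's code: the `PasswordPolicy` settings, the `check_password` and `LoginGuard` names, the denylist contents and the e-mail addresses are all constructed for the example.

```python
"""Password policy validation and failed-login lockout (added illustration, not WA's code)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample denylist of commonly chosen weak passwords; a real deployment
# would load a much larger list and compare case-insensitively, as done below.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "abc123", "123456", "1234567", "qwerty", "letmein", "welcome1",
})

LEGACY_MINIMUM = 7  # the only rule the thread says is enforced today


@dataclass(frozen=True)
class PasswordPolicy:
    """Admin-configurable settings; enforce=False keeps the current 7-character-only behaviour."""
    enforce: bool = True
    min_length: int = 10           # consultant's recommendation: raise 7 to 10
    require_upper: bool = True
    require_lower: bool = True
    require_special: bool = True
    max_failed_logins: int = 10    # 0 disables the lockout entirely
    denylist: frozenset = COMMON_PASSWORDS


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return every policy violation; an empty list means the password is acceptable.

    Meant to be called from every place a password can be set (signup, profile,
    reset link, admin-generated password) so one code path enforces the policy.
    """
    required = policy.min_length if policy.enforce else LEGACY_MINIMUM
    problems = []
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    if not policy.enforce:
        return problems
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if policy.require_special and not any(not c.isalnum() for c in password):
        problems.append("no special character")
    if password and len(set(password)) == 1:   # the "same character 7 times" case from the thread
        problems.append("single repeated character")
    if password.lower() in policy.denylist:
        problems.append("commonly used password")
    return problems


@dataclass
class LoginGuard:
    """Counts failed logins per account and locks the account after the configured limit."""
    policy: PasswordPolicy
    admin_email: str
    failures: dict[str, int] = field(default_factory=dict)
    locked: set[str] = field(default_factory=set)
    outbox: list[tuple[str, str]] = field(default_factory=list)  # (recipient, subject), stands in for real mail

    def attempt(self, member_email: str, password_ok: bool) -> str:
        """Process one login attempt; returns 'ok', 'denied' or 'locked'."""
        if member_email in self.locked:
            return "locked"                      # a locked account rejects even the right password
        if password_ok:
            self.failures.pop(member_email, None)  # a success resets the counter
            return "ok"
        count = self.failures.get(member_email, 0) + 1
        self.failures[member_email] = count
        if self.policy.max_failed_logins and count >= self.policy.max_failed_logins:
            self.locked.add(member_email)
            # Notify the member (who must contact the admin) and copy the site admin.
            self.outbox.append((member_email, "Account locked: please contact the site administrator"))
            self.outbox.append((self.admin_email, f"Login lockout for {member_email}"))
            return "locked"
        return "denied"

    def unlock(self, member_email: str) -> None:
        """Admin action that clears the lock and the failure counter."""
        self.locked.discard(member_email)
        self.failures.pop(member_email, None)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("aaaaaaa", "abc123", "Tr0ub4dor&3x!"):
        print(repr(candidate), "->", check_password(candidate, policy) or "accepted")
    guard = LoginGuard(PasswordPolicy(max_failed_logins=3), admin_email="admin@example.org")
    for _ in range(3):
        print(guard.attempt("member@example.org", password_ok=False))
    print(guard.outbox)
```

The lockout keys on the account rather than the client address, so it also limits guessing spread across many source addresses; the trade-off is that an attacker who knows a member's e-mail can lock that member out, which is why the design notifies both the member and the admin and gives the admin an unlock action.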