At the time of this post there are multiple posts that are requesting specific enhancements around Internet Users and Password Security / Policies. Individually these are getting votes as individual ideas. It is time to consolidate these individual requests into a single item where the votes can be aggregated to bring this to IBM's attention. IBM can then look at the overlapping requirements and determine a holistic and robust approach to this increasingly important area that Domino is lacking.
The current posts I could find are:
- Add Password Management capabilities (Expiration) for iNotes/internet users who do not utilize notes clients.
- Password Security / Policy for Internet MUST track history for specified reuse
- Custom Internet Password Policy Enforcement
- Check last 3 password during iNotes/Webmail password change or reset
-Need to customise the password expiration messaging
Suggestions within this post:
- Notification Password will Expire in 'x' Days: This specific post was to be intended to address the fact that an Internet Only user cannot get a notification that their password is going to expire. They ONLY get the Change Password Screen when their password has expired. It seems odd that Domino can recognize an expired password once it has expired but cannot notify a browser user that it will expire in 'x' days. This limitation has been confirmed by IBM Domino Support.
- Minimum Password Age: Many secure systems do not let the user change the password multiple times a day. This is seen as a security risk or an automated attack.
- Initial Setup Expiration: When a new user is setup with an initial password they need to login in 'x' days. This is different than forcing a user to change their password every 'y' days. Audit/Security wants to make sure new users make the initial login to validate they "got" the initial password.
- Notification of Password Change: This is being required by many systems as an insurance that the "real" owner is notified of a password change in case their account get hacked.
Can IBM please remove the second class status of Internet Password Security (as compared to Notes Client Password Security) and make the Password Security Policy Enforcement more encompassing to include all the items above and consider any items not included above and are in the Policy Settings document to see if they can be included (technically)?
Note: Other users should add their needs for Internet Password Security as comments to this Post. I will incorporate them into the main post.