The data on your site is secured through multiple layers of protection. One of those security layers involves member passwords. For maximum security of your site, each member must protect their password.
A site administrator can further protect site integrity by encouraging users to follow good password practices. Good practices include:
not writing down passwords
not sending passwords in email
not using passwords that are easy to guess, such as your birthday or phone number
creating passwords that are a mix of letters, numbers, and other characters
changing passwords frequently
Using administration tools in your site, you control password settings so that the web office service enforces many of these secure password practices. From the Administration > Security page, set the password requirements your users must adhere to.
Depending on the level of security your site needs, you can choose from standard to very high levels of password security.
To define password security options:
Select Administration > Security from the Menu.
Scroll down to the Security Level section.
There are many password parameters available. If you're not sure which option to pick, choose one of the three pre-set password security options at the top of this section: Standard, Medium, or High security. This chart illustrates the security options that correspond to these settings.
| Option | Standard | Medium | High |
|---|---|---|---|
| Minimum password length | 7 characters | 8 characters | 10 characters |
| Password expiration | No | 90 days | 30 days |
| Password complexity | No | No | Yes |
| Never email passwords | No | No | Yes |
| Account lockout | No | No | No |
| Disable "Remember Me" | No | No | Yes |
Or you can customize your Password Security options. Following is a description of each available option.
Short passwords, that is, passwords with a small number of characters, are more vulnerable to hackers. For this reason, all web office passwords must be at least six characters long. You can require that the minimum password length be even greater, up to fifteen characters.
This password rule applies to new and changed passwords only. For example, if you increase the minimum password length to ten characters, existing users with passwords that are only six characters long will still be able to log in using their six-character passwords; the rule will be enforced the next time the users change their passwords.
To ensure maximum password security, it's a good idea to change your password frequently. By default, users are never required to change their passwords. But you can require them to change passwords regularly by enabling this option.
Choose to automatically expire passwords at the following intervals:
30 days
45 days
90 days
6 months
Once a user has been logging in with the same password for the interval you specify, they will be prompted to change the password the next time they log in.
To make passwords that are easy to remember, many people create passwords that contain their name or email address, or are a string of familiar digits, such as their phone number or birthday. The problem is that simple passwords like these are easy for hackers to guess, and could compromise the security of your site. The most effective passwords do not contain parts of your name and are "complex."
If you have highly sensitive data on your site, the administrator can ensure that all users are employing "complex" passwords. Complex passwords must meet all of the following requirements.
The password may not contain your site login name.
The password may not contain your first name or last name as it is listed in the web office Members list.
The password may not contain your primary email address as it appears in the Members list.
The password must be made up of three out of four of the following:
upper case letters (A-Z)
lower case letters (a-z)
digits (0-9)
the following non-alphanumeric characters: [ ] { } < > \ / | ; : ' , . ? - _ ~ * @
If members attempt to create a password that does not meet these requirements, they receive an error message and must create a different password before they can log in.
Here are some examples of passwords that would meet the complexity requirements described above:
3BlindMice
Apple2
CallMe@Work
James(007)Bond
921and/or625
C3PO-n-R2D2
WhereUFrom?
987ZyX321
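The complexity rules above can be expressed as a small validator. This is an added example, not code from the web office service; the function names, the constructed member record, and the case-insensitive matching of names are assumptions.

```python
import string

# Non-alphanumeric characters the page lists as counting toward complexity.
SPECIALS = set("[]{}<>\\/|;:',.?-_~*@")
MIN_ALLOWED, MAX_ALLOWED = 6, 15  # range the page gives for the minimum length

# The sample passwords listed on the page.
PAGE_EXAMPLES = ["3BlindMice", "Apple2", "CallMe@Work", "James(007)Bond",
                 "921and/or625", "C3PO-n-R2D2", "WhereUFrom?", "987ZyX321"]


def character_classes(password):
    """Return which of the four listed character classes appear."""
    tests = {
        "upper": lambda c: c in string.ascii_uppercase,
        "lower": lambda c: c in string.ascii_lowercase,
        "digit": lambda c: c in string.digits,
        "special": lambda c: c in SPECIALS,
    }
    return {name for name, t in tests.items() if any(t(c) for c in password)}


def check_password(password, login, first, last, email, min_length=6):
    """Return a list of rule violations; an empty list means it passes."""
    if not MIN_ALLOWED <= min_length <= MAX_ALLOWED:
        raise ValueError("min_length must be between 6 and 15")
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()  # assumption: identity matching ignores case
    for label, value in (("login name", login), ("first name", first),
                         ("last name", last), ("primary email", email)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    if len(character_classes(password)) < 3:
        problems.append("fewer than three of the four character classes")
    return problems


if __name__ == "__main__":
    member = ("jdoe", "Jane", "Doe", "jane.doe@example.com")  # constructed
    for pw in PAGE_EXAMPLES:
        print(pw, check_password(pw, *member) or "OK")
```

Characters outside the four classes, such as the parentheses in James(007)Bond, are accepted here but do not count toward the three-of-four requirement, and the same password is rejected for a member whose first name is James.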
When a password appears in an email message, it is a potential security loophole. For the utmost password security, you can require that passwords are never mailed from the web office service.
Please note that when you enforce the "Never send passwords by email" option, the following features are affected:
Forgot your password feature: When a user forgets their password, the only way they will be able to access the site is for a web office administrator to assign a new password to the user. Users who forget their passwords will not have the recourse of using the "Forgot my password" link, as this feature functions by emailing the password to the user. For the same reason, users will not be permitted to retrieve their password by contacting the Help Desk.
Add members feature: By default, there are three ways to add new members to your web office. However, if you enable the "Never send passwords by email" security setting, the only way to add new members is to create new member accounts. The administrative options to "Invite users to join" and "Add members by invitation" will not be available, as they function by emailing passwords to new users.
Admins can enable the "Account Lockout" feature to prevent hackers from going to the web office login page and repeatedly attempting to guess member passwords.
When Account Lockout is enabled, users who enter an incorrect login name or password three times in a row are "locked out" of the site for 30 minutes. The site administrators immediately receive an email notification that this user has been locked out of the site. The member also receives a notification email, in the event that someone else caused the lockout.
During this 30-minute lockout period the user is not permitted to attempt another login. However, the administrator can reset the user's password, giving them immediate access to the site.
To learn how an administrator can reset a member's password, see Changing member passwords.
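The lockout behavior described above (three consecutive failures, a 30-minute lock, notifications, and an administrator reset) can be modeled as a small state tracker. This is an added example, not the web office service's code; the class and method names are hypothetical, and keying the counter on the submitted login name is an assumption.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # "three times in a row" per the page
LOCKOUT = timedelta(minutes=30)  # lockout period per the page


class LockoutTracker:
    def __init__(self):
        self.failures = {}        # login -> consecutive failed attempts
        self.locked_until = {}    # login -> time at which the lock expires
        self.notifications = []   # (recipient, login) pairs that would be emailed

    def is_locked(self, login, now):
        until = self.locked_until.get(login)
        if until is not None and now < until:
            return True
        self.locked_until.pop(login, None)  # lock expired or never set
        return False

    def attempt(self, login, credentials_ok, now):
        """Record one login attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(login, now):
            return "locked"  # rejected even if the password is correct
        if credentials_ok:
            self.failures.pop(login, None)  # success breaks the streak
            return "ok"
        self.failures[login] = self.failures.get(login, 0) + 1
        if self.failures[login] >= MAX_FAILURES:
            self.locked_until[login] = now + LOCKOUT
            self.failures.pop(login, None)
            # Both the administrators and the member are notified.
            self.notifications += [("administrators", login), ("member", login)]
        return "failed"

    def admin_reset(self, login):
        """Administrator password reset: restores access immediately."""
        self.locked_until.pop(login, None)
        self.failures.pop(login, None)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    tracker = LockoutTracker()
    for _ in range(3):
        print(tracker.attempt("alice", False, t0))
    print(tracker.attempt("alice", True, t0 + timedelta(minutes=5)))   # locked
    print(tracker.attempt("alice", True, t0 + timedelta(minutes=30)))  # ok
```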
By default, users can check the option to "Remember me" on the login page so they do not have to enter their login name and password every time they visit the site. As this could be considered a security loophole, administrators have the option to disable this feature for all their members.
When you disable "Remember me," this option does not appear on the login page. Any users who had been using this feature must now enter their login name and password each time they access the site.
Administrators are authorized to change member passwords. Administrators may need to reset member passwords in the event that members are "locked out" of the site.
Note: Administrators are permitted to change member passwords only; administrators may not change the password of another administrator.
To change a member password:
Click Members in the Menu. A list of Members appears.
In the Members list, find the name of the member whose password you would like to reset.
Click the member name, and then select Options > Change Password from the Command Bar.
This displays the Login Options for this member.
Enter the new password, confirm the password, and then click Save in the Command Bar.
You can now notify the user of their new password. For maximum site security, it is best to avoid sending passwords by email.
If your site requires a Registration Code to join, anyone who knows your site's Registration Code can register to become a member of your site. Increase your site's security by changing the Registration Code regularly.
To change the Registration Code:
Select Administration > Security in the Menu, and scroll to the Registration Code section of the Security page.
Enter the new code in the Registration Code and Confirm Code text boxes.
The Registration Code is case-sensitive and can be made up of letters, numbers, or both.
Once you've changed the Registration Code, no one can join your site using the old Registration Code. So if some people have received an invitation to join your site, but have not yet signed up, you must send them another invitation which contains the new Registration Code.