public:passwd_change [2020-12-08 14:52] – [for Domain account [D]] vesely | public:passwd_change [2023-03-27 09:51] – vesely |
---|
Because of security measure, CERGE-EI distinguishes between __network (domain) passwords__ and __mailserver passwords__. | Because of security measure, CERGE-EI distinguishes between __network (domain) passwords__ and __mailserver passwords__. |
| |
As a result, there are different passwords for: | As a result, there are |
| <font inherit/inherit;;inherit;;#ffff00>different passwords</font> for your: |
| |
* your **domain account **//**ad.cerge-ei.cz**// (Active Directory) used for network logon, VPN, web, TAS etc. [D] | * **Domain Account **//**ad.cerge-ei.cz**// (Active Directory) used for network logon, VPN, web, TAS etc. [D] |
* your **Zimbra mail exchange** server account [X] | * **Zimbra Mail exchange** server account [X] |
* your **Zimbra archive mail** server account (if available) [A] | * **Zimbra Archive mail** server account (if available) [A] |
| ===== Reset Password Guidelines ===== |
===== Guidelines ===== | |
| |
==== for Domain account [D] ==== | ==== for Domain account [D] ==== |
| |
| {{:public:pasted:20230214-163051.png?280x49}} |
| |
//Username is usualy in the format **nsurname** (first letter of name + surname, max. 8 characters. e.g. jdoe, bsprings, …). *// | //Username is usualy in the format **nsurname** (first letter of name + surname, max. 8 characters. e.g. jdoe, bsprings, …). *// |
| |
There are two basic ways how you can change your domain account: | === Change password === |
| |
* **the first way: Windows login page**<WRAP round center tip 100%>Press Ctrl+Alt+Delete → click “Change a password…” , type your old password followed by a new password as indicated, and then type the new password again to confirm it.</WRAP> | There are two basic ways how you can change your domain account password: |
* **the second way: Password Self-Service Portal ** (experimental)<WRAP round center tip 100%> Go to the address [[https://portal.cerge-ei.cz/pwm|https://portal.cerge-ei.cz/pwm]] and log with your domain account. You can also **reset forgotten password** if necessary (you have to have your mobile phone registered at the portal in advance to be able reset password via SMS). | |
(Please note, that there is a transition process of gradual enabling of 'older' user accounts to use this Self-Service Portal. If you wish to use this feature, send your inquiry to HELPDESK and we enable your account for this Self-service portal) | * the first way: **Windows login page**<WRAP round center tip 100%>Press Ctrl+Alt+Delete → click “Change a password…” , type your old password followed by a new password as indicated, and then type the new password again to confirm it. |
</WRAP> | |
* You can find out your username at the self-service portal → click //[Forgotten User Name]// button at the Password Self-Service Portal | </WRAP> |
| |
| * the second way: **Password Self-Service Portal **<WRAP round center tip 100%> Go to the address **[[https://portal.cerge-ei.cz/pwm|https://portal.cerge-ei.cz/pwm]]** and log with your domain account. |
| |
| </WRAP> * You can find out your username at the self-service portal → click //[Forgotten User Name]// button at the Password Self-Service Portal |
| |
| === Reset password === |
| |
| <WRAP round center important 100%>You can also **reset forgotten password** if necessary. You have to have your **mobile phone registered** at the portal in advance to be able reset password via SMS. If you do not have mobile registered yet, you may send registration request to helpdesk@cerge-ei.cz |
| |
| </WRAP> |
| |
See [[:public:user_accounts|User Accounts]] page for more details… | See [[:public:user_accounts|User Accounts]] page for more details… |
| |
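
Review bot: The new "Reset password" box says a missing mobile number can be registered by sending a request to helpdesk@cerge-ei.cz, but it does not say how that request is verified. The registered number is what authorises an SMS reset, so the page should state what the helpdesk requires before it records a number. The previous revision's remarks that the portal was "(experimental)" and that older accounts had to be enabled on request are dropped here; if either still applies, it should stay.
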
==== Email Accounts Passwords ==== | ==== Email Accounts Passwords ==== |
| |
| {{:public:pasted:20230214-163625.png?280x61}} |
| |
=== for Zimbra email Exchange [X] === | === for Zimbra email Exchange [X] === |
| |
| {{:public:pasted:20230214-163743.png}} |
| |
| There are two basic ways how you can change your Zimbra Mailserver account password: |
| |
[[https://mail.cerge-ei.cz</font|Server: https://mail.cerge-ei.cz</font]]> | [[https://mail.cerge-ei.cz</font|Server: https://mail.cerge-ei.cz</font]]> |
| |
Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] | Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] <WRAP round center tip 100%>__**PWMX - Self-service Portal**__ Go to the address [[https://portal.cerge-ei.cz/pwmx|https://portal.cerge-ei.cz/pwmx]] and log with your Zimbra account. |
| |
| User name is in short format (e.g. **jnovak**). |
| |
| You can also **reset forgotten password** at the PWMX Portal if necessary |
| |
| **Important!** You need to have ** mobile phone number registered at the portal** in advance to be able reset password via SMS (Pager attribute) |
| |
| </WRAP> |
| |
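
Review bot: The "Server:" link under "for Zimbra email Exchange [X]" is still malformed in the new revision: `[[https://mail.cerge-ei.cz</font|Server: https://mail.cerge-ei.cz</font]]>` carries a leftover `</font` inside the link target and a stray `>` after it. This is the address where users type their mail password, so the target should be exactly `https://mail.cerge-ei.cz`. The same leftover appears in the `https://mailarch.cerge-ei.cz` link in the Archive section. Separately, "(Pager attribute)" in the SMS note is an internal directory detail that readers cannot act on; drop it or explain it.
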
=== for Zimbra Archive [A] === | === for Zimbra Archive [A] === |
| |
[[https://mailarch.cerge-ei.cz</font|Server: https://mailarch.cerge-ei.cz</font]]>(experimental/pilot phase) <WRAP round center tip 100%>__**PWMA - Self-service Portal**__ Go to the address [[https://portal.cerge-ei.cz/pwma|https://portal.cerge-ei.cz/pwma]] and log with your Archive Zimbra account. You can also **reset forgotten password** at the PWMA Portal if necessary **Important!** You need to have ** mobile phone number registered at the portal** in advance to be able reset password via SMS. </WRAP> | {{:public:pasted:20230214-163833.png}} |
| |
=== Kerio Mailserver [K] === | [[https://mailarch.cerge-ei.cz</font|Server: https://mailarch.cerge-ei.cz</font]]> <WRAP round center tip 100%>__**PWMA - Self-service Portal**__ Go to the address [[https://portal.cerge-ei.cz/pwma|https://portal.cerge-ei.cz/pwma]] and log with your Archive Zimbra account. |
| |
Use Kerio webmail ([[https://mbox.cerge-ei.cz/|https://mbox.cerge-ei.cz/]]) | User name is in short format (e.g. **jnovak**). |
| |
===== FACTS / HINTS ===== | You can also **reset forgotten password** at the PWMA Portal if necessary |
| |
| **Important!** You need to have ** mobile phone number registered at the portal** in advance to be able reset password via SMS. (Pager attribute) |
| |
| </WRAP> |
| |
| ---- |
| |
* **One account for all services** (called Domain Account). There is **only ****one**** login name and password** which serves **for** almost **all applications** and services at CERGE-EI (Login to computer; Network shares, CEIS; CMS; Reporting; internal web pages; printers etc.) Mostly the password is common also for Email Server Zimbra - including Webmail, SMTP and IMAP access; * You can have an **independent password for email** - coordinate accounts separation with the IT office in advance (older accounts are still synced between email and domain) * **Do not change the email password via Zimbra webmail** to make it independent, it could lock your network account. (Unless you are the person with the **independent email password**. This case use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] ) * Password may be changed **ONLY ONCE per day**. * **Passwords must meet complexity requirements**<WRAP round center important 60%> <font 11.0pt/11;;#27ae60;;inherit>Please understand, that it is important to comply with the following rules: * Passwords must not contain the user's name or username; * Passwords must contain characters from the following four categories: uppercase characters, lowercase characters, digits, other characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ * Must be at least 9 characters long.</WRAP> * **Passwords remembered by email clients can <font inherit/inherit;;red;;inherit>LOCK YOUR ACCOUNT** * Account is temporarily** locked after several unsuccessful logon attempts** with a wrong password! * **Email clients** (like Thunderbird or Outlook), **smartphones** and tablets or **web browsers** (like Firefox or Chrome) **allow password to be remembered**. 
* **<font inherit/inherit;;red;;inherit>BE AWARE that**</font> **<font inherit/inherit;;red;;inherit>SMARTPHONES</font>**<font inherit/inherit;;red;;inherit>**usually**</font><font inherit/inherit;;red;;inherit>** use remembered password **</font><font inherit/inherit;;red;;inherit>**repeatedly **</font>regardless of its validity which results in the **account lockdown**. | |
* **Plan well before you change your password! **Recall all devices or applications with stored passwords (especially smartphones and tablets) in advance. | |
* **Immediately after the password change**, the client password in your mail, smartphone, tablet **must be changed too**. | |
* **What to do, if you find out that your AD account or mailbox is locked?** | |
* **Try to find the reason.** Have you made many unsuccessful attempts? Have you changed your password? Is your smartphone/tablet active? | |
* **Stop or power off any possible source of wrong passwords**, e.g. running mail client, browser, smartphone or tablet. | |
* **Wait a required ****time****period** (until automatic account unlock applies) | |
* **Check/change password settings in all client applications.** Mainly smartphones don't allow to change/save the new password without checking it on the server (It's impossible with locked account). | |
* **Email client usually requires both IMAP (incoming) and SMTP (outgoing) passwords to be set** | |
===== MORE DETAILED INFORMATION ===== | ===== MORE DETAILED INFORMATION ===== |
| |
**Locking the account and mailbox** \\ \\ | ==== Locking the account and mailbox ==== |
Account is temporarily locked after several unsuccessful logon attempts with wrong password to avoid abuse and brute force password breaking. \\ | Account is temporarily locked after several unsuccessful logon attempts with wrong password to avoid abuse and brute force password breaking. \\ |
There are three significant parameters of this feature: | There are three significant parameters of this feature: |
Smartphones usually use remembered password repeatedly regardless of its validity. Than you can easily lock the mailbox unintentionally.</WRAP> | Smartphones usually use remembered password repeatedly regardless of its validity. Than you can easily lock the mailbox unintentionally.</WRAP> |
| |
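
Review bot: Only the heading markup changes in "Locking the account and mailbox", so the body stays broken in both revisions. "There are three significant parameters of this feature:" is followed directly by the smartphone sentence, which ends in a `</WRAP>` with no opening `<WRAP>` in the visible lines. Either point the sentence at the threshold sections that follow (lockout duration, threshold, counter reset) or move it there, and give the smartphone warning its own complete `<WRAP>` box. "Than you can easily lock" should read "Then".
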
__**Threshold parameters - Active Directory**__ \\ \\ | ==== Threshold parameters - Active Directory ==== |
The Active Directory (shortly AD) serves as authentication authority for local network shares, desktop login, internal web pages, CEIS, CMS, Reporting etc. \\ \\ | The Active Directory (shortly AD) serves as authentication authority for local network shares, desktop login, internal web pages, CEIS, CMS, Reporting etc. \\ \\ |
Account lockout duration: **3 minutes** \\ | Account lockout duration: **3 minutes** \\ |
Account lockout threshold: **7 invalid logon attempts** \\ | Account lockout threshold: **7 invalid logon attempts** \\ |
Account lockout counter reset: **after 3 minutes** \\ \\ __**Threshold parameters - Zimbra mailer**__ \\ \\ | Account lockout counter reset: **after 3 minutes** |
| |
| ==== Threshold parameters - Zimbra mailer ==== |
Number of consecutive failed logons allowed: **10** \\ | Number of consecutive failed logons allowed: **10** \\ |
Time to lockout the account: **30 minutes** \\ | Time to lockout the account: **30 minutes** \\ |
Although the AD account is locked earlier, it is also quickly unlocked. If the attack over the mailer persists, the lock on the mailer is activated for a longer period and produces no new lock of the AD account. | Although the AD account is locked earlier, it is also quickly unlocked. If the attack over the mailer persists, the lock on the mailer is activated for a longer period and produces no new lock of the AD account. |
| |
| ===== FACTS / HINTS ===== |
| |
| * **One account for all services** (called Domain Account). There is **only ****one**** login name and password** which serves **for** almost **all applications** and services at CERGE-EI (Login to computer; Network shares, CEIS; CMS; Reporting; internal web pages; printers etc.) Password may be changed **ONLY ONCE per day**. |
| * Usually you have an **independent password for Email Server Zimbra** - including Webmail, SMTP and IMAP access; This case you can change the email password via Zimbra webmail. Than you can have two different passwords (recommended mode). Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] ) |
| * <del>If you have an **older account** at CERGE-EI you can still have the **password synced between email and domain**. Coordinate accounts separation with the IT office in advance. __Do not change the email password via Zimbra webmail to make it independent, it could lock your network account.__ </del> * **Passwords must meet complexity requirements** |
| * Passwords **must not contain the user's name or username** |
| * Passwords **must contain characters from the following four categories**: |
| * uppercase characters, |
| * lowercase characters, |
| * digits, |
| * other characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ |
| * **Must be at least 9 characters long ** |
| * **Passwords remembered by email clients can |
| <font inherit/inherit;;red;;inherit>LOCK YOUR ACCOUNT</font> ** |
| * Account is temporarily** locked after several unsuccessful logon attempts** with a wrong password! |
| * **Email clients** (like Thunderbird or Outlook), **smartphones** and tablets or **web browsers** (like Firefox or Chrome) **allow password to be remembered** and can repeatedly lock the account if password does not match. |
| <font inherit/inherit;;red;;inherit>**BE AWARE that SMARTPHONES usually** use remembered password repeatedly</font> **regardless of its validity** which results in the **account lockdown**. |
| * **Plan well before you change your password! **Recall all devices or applications with stored passwords (especially smartphones and tablets) in advance. |
| * **Immediately after the password change**, the client password in your mail, smartphone, tablet **must be changed too**. |
| * **What to do, if you find out that your AD account or mailbox is locked?** |
| * **Try to find the reason.** Have you made many unsuccessful attempts? Have you changed your password? Is your smartphone/tablet active? |
| * **Stop or power off any possible source of wrong passwords**, e.g. running mail client, browser, smartphone or tablet. |
| * **Wait a required ****time****period** (until automatic account unlock applies) |
| * **Check/change password settings in all client applications.** Mainly smartphones don't allow to change/save the new password without checking it on the server (It's impossible with locked account). |
| * **Email client usually requires both IMAP (incoming) and SMTP (outgoing) passwords to be set** |
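
Review bot: In the rewritten FACTS / HINTS list, the warning "Do not change the email password via Zimbra webmail to make it independent, it could lock your network account" is kept but wrapped in `<del>`. Readers with an older synced account cannot tell whether it still applies. Restore it as a live bullet if synced accounts still exist, otherwise delete it outright. In the bullet above it, a trailing ")" is left over from the old parenthetical after "Zimbra Password change ]]", and "Than you can have two different passwords" should read "Then".
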
===== Links ===== | ===== Links ===== |
| |
More complex information is available in the [[:public:user_accounts|User Accounts and Password usage]] article. | More complex information is available in the [[:public:user_accounts|User Accounts and Password usage]] article. |
| |
| -.- |
| |
| {{:public:pasted:20230316-122144.png}} |
| |
| |