public:passwd_change

Differences

This shows you the differences between two versions of the page.

public:passwd_change [2023-02-14 16:26] vesely
public:passwd_change [2023-02-14 16:43] vesely
Line 9: Line 9:
   * your **Zimbra archive mail**  server account (if available) [A]   * your **Zimbra archive mail**  server account (if available) [A]
  
-===== Guidelines =====+===== Reset Password Guidelines =====
  
 ==== for Domain account [D] ==== ==== for Domain account [D] ====
 +
 +{{:public:pasted:20230214-163051.png?280x49}}
  
 //Username is usualy in the format **nsurname**  (first letter of name + surname, max. 8 characters. e.g. jdoe, bsprings, …). *// //Username is usualy in the format **nsurname**  (first letter of name + surname, max. 8 characters. e.g. jdoe, bsprings, …). *//
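Review bot: The renamed heading "Reset Password Guidelines" narrows the section to resets, while the page is public:passwd_change and the section goes on to describe changing a password as well as resetting a forgotten one. A heading such as "Change / Reset Password Guidelines" would match the content. The added image {{:public:pasted:20230214-163051.png?280x49}} has no title after a "|", so readers who cannot see it get nothing; add one. The context line below still has "usualy", which could be fixed in the same revision.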
Line 17: Line 19:
 There are two basic ways how you can change your domain account: There are two basic ways how you can change your domain account:
  
-  * → the first way: **Windows login page**<WRAP round center tip 100%>Press Ctrl+Alt+Delete → click “Change a password…” , type your old password followed by a new password as indicated, and then type the new password again to confirm it.</WRAP> +  * the first way: **Windows login page** \\ <WRAP round center tip 100%>Press Ctrl+Alt+Delete → click “Change a password…” , type your old password followed by a new password as indicated, and then type the new password again to confirm it. \\ </WRAP> 
-  * → the second way: **Password Self-Service Portal **  (experimental)<WRAP round center tip 100%> Go to the address **[[https://portal.cerge-ei.cz/pwm|https://portal.cerge-ei.cz/pwm]]** and log with your domain account. You can also **reset forgotten password**  if necessary (you have to have your mobile phone registered at the portal in advance to be able reset password via SMS). </WRAP>+  * the second way: **Password Self-Service Portal ** \\ <WRAP round center tip 100%> Go to the address **[[https://portal.cerge-ei.cz/pwm|https://portal.cerge-ei.cz/pwm]]** and log with your domain account. You can also **reset forgotten password**  if necessary (you have to have your mobile phone registered at the portal in advance to be able reset password via SMS). \\ </WRAP>
  
-<WRAP round center info 100%> Please note, that there is a transition process of gradual enabling of 'older' user accounts to use the Self-Service Portal. If you wish to use this feature, send your request to the HELPDESK email and we will enable your account for this Self-service portal immediately. </WRAP> * You can find out your username at the self-service portal → click //[Forgotten User Name]//  button at the Password Self-Service Portal+* You can find out your username at the self-service portal → click //[Forgotten User Name]//  button at the Password Self-Service Portal
  
 See [[:public:user_accounts|User Accounts]] page for more details… See [[:public:user_accounts|User Accounts]] page for more details…
  
 ==== Email Accounts Passwords ==== ==== Email Accounts Passwords ====
 +
 +{{:public:pasted:20230214-163625.png?280x61}}
  
 === for Zimbra email Exchange [X] === === for Zimbra email Exchange [X] ===
 +
 +{{:public:pasted:20230214-163743.png}}
  
 [[https://mail.cerge-ei.cz</font|Server: https://mail.cerge-ei.cz</font]]> [[https://mail.cerge-ei.cz</font|Server: https://mail.cerge-ei.cz</font]]>
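Review bot: The added line "+* You can find out your username at the self-service portal" starts at column 0, so it will not render as a list item the way the two-space-indented bullets above it do; indent it to match. This hunk also drops the info box that said older accounts must be enabled for the Self-Service Portal via a HELPDESK request, and removes the "(experimental)" label. If any accounts are still not enabled, those users now get no hint why the portal login or SMS reset fails, so keep a one-line pointer to HELPDESK unless the transition is finished. The unchanged server link still carries a stray "</font" inside both the URL and the label, which is worth cleaning up here.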
Line 34: Line 40:
 User name is in short format (e.g. **jnovak**). User name is in short format (e.g. **jnovak**).
  
-You can also **reset forgotten password**  at the PWMX Portal if necessary **Important!**  You need to have ** mobile phone number registered at the portal**  in advance to be able reset password via SMS.+You can also **reset forgotten password**  at the PWMX Portal if necessary 
 + 
 +**Important!**  You need to have ** mobile phone number registered at the portal**  in advance to be able reset password via SMS (Pager attribute)
  
 </WRAP> </WRAP>
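Review bot: The "(Pager attribute)" appended to the Important! paragraph is not explained anywhere in the visible text, and on a user-facing page it reads as an internal directory detail rather than an instruction. Either say where in the portal the user registers the mobile number, or move the attribute name to an admin-only note. The sentence also still reads "to be able reset password"; "to be able to reset the password" would fix it while the line is being touched.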
Line 40: Line 48:
 === for Zimbra Archive [A] === === for Zimbra Archive [A] ===
  
-[[https://mailarch.cerge-ei.cz</font|Server: https://mailarch.cerge-ei.cz</font]]>(experimental/pilot phase) <WRAP round center tip 100%>__**PWMA - Self-service Portal**__  Go to the address [[https://portal.cerge-ei.cz/pwma|https://portal.cerge-ei.cz/pwma]] and log with your Archive Zimbra account.+{{:public:pasted:20230214-163833.png}} 
 + 
 +[[https://mailarch.cerge-ei.cz</font|Server: https://mailarch.cerge-ei.cz</font]]> <WRAP round center tip 100%>__**PWMA - Self-service Portal**__  Go to the address [[https://portal.cerge-ei.cz/pwma|https://portal.cerge-ei.cz/pwma]] and log with your Archive Zimbra account.
  
 User name is in short format (e.g. **jnovak**). User name is in short format (e.g. **jnovak**).
  
-You can also **reset forgotten password**  at the PWMA Portal if necessary **Important!**  You need to have ** mobile phone number registered at the portal**  in advance to be able reset password via SMS. </WRAP>+You can also **reset forgotten password**  at the PWMA Portal if necessary 
 + 
 +**Important!**  You need to have ** mobile phone number registered at the portal**  in advance to be able reset password via SMS. (Pager attribute) 
 + 
 +</WRAP> 
 + 
 +---- 
 + 
 +===== MORE DETAILED INFORMATION ===== 
 + 
 +==== Locking the account and mailbox ==== 
 + 
 +Account is temporarily locked after several unsuccessful logon attempts with wrong password to avoid abuse and brute force password breaking. \\ There are three significant parameters of this feature: 
 + 
 +  * permissible number of failed attempts; 
 +  * time window of fails; 
 +  * timeout of unlocking. 
 + 
 +The account is locked if the number of allowed fails is exceeded. Failed attempts are counted during the time window. If logon attempts with wrong password stop, the counter is reset after the time window is over. If the account is locked, after the quarantine time it is unlocked again. \\  \\ <WRAP round center box important 60%>**Special warning for smartphone users** 
 + 
 +Smartphones usually use remembered password repeatedly regardless of its validity. Than you can easily lock the mailbox unintentionally.</WRAP> 
 + 
 +==== Threshold parameters - Active Directory ==== 
 + 
 +The Active Directory (shortly AD) serves as authentication authority for local network shares, desktop login, internal web pages, CEIS, CMS, Reporting etc. \\  \\ Account lockout duration: **3 minutes** \\ Account lockout threshold: **7 invalid logon attempts** \\ Account lockout counter reset: **after 3 minutes** 
 + 
 +==== Threshold parameters - Zimbra mailer ====
  
-===   ===+Number of consecutive failed logons allowed: **10** \\ Time to lockout the account: **30 minutes** \\ Time window in which the failed logons must occur to lock the account: **1 hour** \\  \\ Although the AD account is locked earlier, it is also quickly unlocked. If the attack over the mailer persists, the lock on the mailer is activated for a longer period and produces no new lock of the AD account.
  
 ===== FACTS / HINTS ===== ===== FACTS / HINTS =====
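Review bot: The relocated lockout section names the same parameter three ways: "timeout of unlocking" in the bullet list, "quarantine time" in the paragraph after it, and "Account lockout duration" / "Time to lockout the account" in the threshold lists. Pick one term per parameter so a reader can map the AD values (7 attempts, 3 minutes, reset after 3 minutes) and the Zimbra values (10, 30 minutes, 1 hour) onto the three bullets. "Locked if the number of allowed fails is exceeded" is also ambiguous next to "threshold: 7 invalid logon attempts"; state whether the 7th or the 8th failure locks the account. The move keeps "Than you can easily lock" (should be "Then"), and the "(Pager attribute)" placement here, after the full stop, differs from the Exchange section.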
Line 52: Line 88:
   * **One account for all services**  (called Domain Account). There is **only ****one**** login name and password**  which serves **for**  almost **all applications**  and services at CERGE-EI (Login to computer; Network shares, CEIS; CMS; Reporting; internal web pages; printers etc.) Password may be changed **ONLY ONCE per day**.   * **One account for all services**  (called Domain Account). There is **only ****one**** login name and password**  which serves **for**  almost **all applications**  and services at CERGE-EI (Login to computer; Network shares, CEIS; CMS; Reporting; internal web pages; printers etc.) Password may be changed **ONLY ONCE per day**.
   * Usually you have an **independent password for Email Server Zimbra**  - including Webmail, SMTP and IMAP access; This case you can change the email password via Zimbra webmail. Than you can have two different passwords (recommended mode). Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] )   * Usually you have an **independent password for Email Server Zimbra**  - including Webmail, SMTP and IMAP access; This case you can change the email password via Zimbra webmail. Than you can have two different passwords (recommended mode). Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] )
-  * If you have an **older account**  at CERGE-EI you can still have the **password synced between email and domain**. Coordinate accounts separation with the IT office in advance. __Do not change the email password via Zimbra webmail to make it independent, it could lock your network account.__+  * <del>If you have an **older account**  at CERGE-EI you can still have the **password synced between email and domain**. Coordinate accounts separation with the IT office in advance. __Do not change the email password via Zimbra webmail to make it independent, it could lock your network account.__ </del>
  
   * **Passwords must meet complexity requirements**   * **Passwords must meet complexity requirements**
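Review bot: Wrapping the older-account bullet in <del> … </del> leaves the warning "Do not change the email password via Zimbra webmail to make it independent, it could lock your network account" on the page but struck through, so a user whose passwords are still synced cannot tell whether it applies. If synced passwords no longer exist, delete the bullet; if some remain, keep it unstruck or replace it with a sentence stating the current situation. The bullet above it already tells everyone to change the email password via Zimbra webmail, which contradicts the struck warning for anyone still synced.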
Line 72: Line 108:
   * **Check/change password settings in all client applications.**  Mainly smartphones don't allow to change/save the new password without checking it on the server (It's impossible with locked account).   * **Check/change password settings in all client applications.**  Mainly smartphones don't allow to change/save the new password without checking it on the server (It's impossible with locked account).
   * **Email client usually requires both IMAP (incoming) and SMTP (outgoing) passwords to be set**   * **Email client usually requires both IMAP (incoming) and SMTP (outgoing) passwords to be set**
-===== MORE DETAILED INFORMATION ===== 
- 
-**Locking the account and mailbox** \\  \\ 
-Account is temporarily locked after several unsuccessful logon attempts with wrong password to avoid abuse and brute force password breaking. \\ 
-There are three significant parameters of this feature: 
- 
-  * permissible number of failed attempts; 
-  * time window of fails; 
-  * timeout of unlocking. 
- 
-The account is locked if the number of allowed fails is exceeded. Failed attempts are counted during the time window. If logon attempts with wrong password stop, the counter is reset after the time window is over. If the account is locked, after the quarantine time it is unlocked again. \\  \\ 
-<WRAP round center box important 60%>**Special warning for smartphone users** 
- 
-Smartphones usually use remembered password repeatedly regardless of its validity. Than you can easily lock the mailbox unintentionally.</WRAP> 
- 
-__**Threshold parameters - Active Directory**__  \\  \\ 
-The Active Directory (shortly AD) serves as authentication authority for local network shares, desktop login, internal web pages, CEIS, CMS, Reporting etc. \\  \\ 
-Account lockout duration: **3 minutes** \\ 
-Account lockout threshold: **7 invalid logon attempts** \\ 
-Account lockout counter reset: **after 3 minutes** \\  \\ __**Threshold parameters - Zimbra mailer**__  \\  \\ 
-Number of consecutive failed logons allowed: **10** \\ 
-Time to lockout the account: **30 minutes** \\ 
-Time window in which the failed logons must occur to lock the account: **1 hour** \\  \\ 
-Although the AD account is locked earlier, it is also quickly unlocked. If the attack over the mailer persists, the lock on the mailer is activated for a longer period and produces no new lock of the AD account. 
- 
 ===== Links ===== ===== Links =====
  
  • /var/www/html/dokuwiki/data/pages/public/passwd_change.txt
  • Last modified: 2023-04-21 12:46
  • by marp