| public:passwd_change [2020-12-08 14:54]  – old revision restored (2020-12-08 15:40) vesely | public:passwd_change [2024-11-01 13:13] (current)  – [for Domain account [D]]  jnov | 
|---|
| Because of security measure, CERGE-EI distinguishes between __network (domain) passwords__ and __mailserver passwords__. | Because of security measure, CERGE-EI distinguishes between __network (domain) passwords__ and __mailserver passwords__. | 
|  |  | 
| As a result, there are different passwords for: | As a result, there are | 
|  | <font inherit/inherit;;inherit;;#ffff00>different passwords</font>  for your: | 
|  |  | 
| * your **domain account **//**ad.cerge-ei.cz**//  (Active Directory) used for network logon, VPN, web, TAS etc. [D] | * **Domain Account **//**ad.cerge-ei.cz**//  (Active Directory) used for PC/network logon, Moodle/CMS, CEIS, VPN, internal web, TAS etc. [D] | 
| * your **Zimbra mail exchange**  server account [X] | * **Zimbra Mail exchange**  server account [X] | 
| * your **Zimbra archive mail**  server account (if available) [A] | * **Zimbra Archive mail**  server account (if available) [A] | 
|  | ===== Reset Password Guidelines ===== | 
| ===== Guidelines ===== |  | 
|  |  | 
| ==== for Domain account [D] ==== | ==== for Domain account [D] ==== | 
|  |  | 
|  | {{:public:pasted:20230214-163051.png?280x49}} | 
|  |  | 
| //Username is usualy in the format **nsurname**  (first letter of name + surname, max. 8 characters. e.g. jdoe, bsprings, …). *// | //Username is usualy in the format **nsurname**  (first letter of name + surname, max. 8 characters. e.g. jdoe, bsprings, …). *// | 
|  |  | 
| There are two basic ways how you can change your domain account: | **Password policy** | 
|  |  | 
|  | * Password is case sensitive. \\ | 
|  | * Must be at least 9 characters long. \\ | 
|  | * Must include at least 4 letters. \\ | 
|  | * Must include at least 1 number. \\ | 
|  | * Must have at least 1 symbol (non letter or number) character. \\ | 
|  | * Must have at least 1 lowercase letter. \\ | 
|  | * Must have at least 1 uppercase letter. \\ | 
|  | * Must not include any of the following values: test pass 1234 4321 0000 cerge \\ | 
|  | * Must not include part of your name or user name. \\ | 
|  | * Must not include a common word or commonly used sequence of characters. \\ | 
|  | * 24 Latest passwords remembered. | 
|  |  | 
|  | === Change password === | 
|  |  | 
|  | There are two basic ways how you can change your domain account password: | 
|  |  | 
|  | * the first way: **Windows login page**<WRAP round center tip 100%>Press Ctrl+Alt+Delete → click “Change a password…” , type your old password followed by a new password as indicated, and then type the new password again to confirm it. | 
|  |  | 
|  | </WRAP> | 
|  |  | 
|  | * the second way: **Password Self-Service Portal **<WRAP round center tip 100%> Go to the address **[[https://portal.cerge-ei.cz/pwm|https://portal.cerge-ei.cz/pwm]]**  and log with your domain account. | 
|  |  | 
|  | </WRAP> * You can find out your username at the self-service portal → click //[Forgotten User Name]//  button at the Password Self-Service Portal | 
|  |  | 
|  | === Reset password === | 
|  |  | 
|  | <WRAP round center important 100%>You can also **reset forgotten password**  if necessary. You have to have your **mobile phone registered**  at the portal in advance to be able reset password via SMS. If you do not have mobile registered yet, you may send registration request to helpdesk@cerge-ei.cz | 
|  |  | 
| * **the first way: Windows login page**<WRAP round center tip 100%>Press Ctrl+Alt+Delete → click “Change a password…” , type your old password followed by a new password as indicated, and then type the new password again to confirm it.</WRAP> |  | 
| * **the second way: Password Self-Service Portal **  (experimental)<WRAP round center tip 100%> Go to the address [[https://portal.cerge-ei.cz/pwm|https://portal.cerge-ei.cz/pwm]] and log with your domain account. You can also **reset forgotten password**  if necessary (you have to have your mobile phone registered at the portal in advance to be able reset password via SMS). |  | 
| (Please note, that there is a transition process of gradual enabling of 'older' user accounts to use this Self-Service Portal. If you wish to use this feature, send your inquiry to HELPDESK and we enable your account for this Self-service portal) |  | 
| </WRAP> | </WRAP> | 
| * You can find out your username at the self-service portal → click //[Forgotten User Name]//  button at the Password Self-Service Portal |  | 
|  |  | 
| See [[:public:user_accounts|User Accounts]] page for more details… | See [[:public:user_accounts|User Accounts]] page for more details… | 
|  |  | 
| ==== Email Accounts Passwords ==== | ==== Email Accounts Passwords ==== | 
|  |  | 
|  | {{:public:pasted:20230214-163625.png?280x61}} | 
|  |  | 
| === for Zimbra email Exchange [X] === | === for Zimbra email Exchange [X] === | 
|  |  | 
| [[https://mail.cerge-ei.cz</font|Server: https://mail.cerge-ei.cz</font]]> | {{:public:pasted:20230214-163743.png}} | 
|  |  | 
| Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] | There are two basic ways how you can change your Zimbra Mailserver account password: | 
|  |  | 
|  | * the first way: Access [[https://mail.cerge-ei.cz|Zimbra Webmail]] ([[https://mail.cerge-ei.cz|https://mail.cerge-ei.cz]])<WRAP round center tip 100%>See [[:public:emai:zimbra_password|Zimbra Password change ]] for detailed instructions.</WRAP> | 
|  |  | 
|  | * | 
|  |  | 
|  | the second way: Use [[https://portal.cerge-ei.cz/pwmx|PWMX - Self-service Portal]] for Zimbra Mail Exchange:<WRAP round center tip 100%>__**PWMX - Self-service Portal**__  Go to the address [[https://portal.cerge-ei.cz/pwmx|https://portal.cerge-ei.cz/pwmx]] and log with your Zimbra account. | 
|  |  | 
|  | You can also **reset forgotten password**  at the PWMX Portal if necessary | 
|  |  | 
|  | User name is in short format (e.g. **jnovak**). | 
|  |  | 
|  | **Important!**  You need to have ** mobile phone number registered at the portal**  in advance to be able reset password via SMS (Pager attribute) | 
|  |  | 
|  | </WRAP> | 
|  |  | 
| === for Zimbra Archive [A] === | === for Zimbra Archive [A] === | 
|  |  | 
| [[https://mailarch.cerge-ei.cz</font|Server: https://mailarch.cerge-ei.cz</font]]>(experimental/pilot phase) <WRAP round center tip 100%>__**PWMA - Self-service Portal**__  Go to the address [[https://portal.cerge-ei.cz/pwma|https://portal.cerge-ei.cz/pwma]] and log with your Archive Zimbra account. You can also **reset forgotten password**  at the PWMA Portal if necessary **Important!**  You need to have ** mobile phone number registered at the portal**  in advance to be able reset password via SMS. </WRAP> | {{:public:pasted:20230214-163833.png}} | 
|  |  | 
| === Kerio Mailserver [K] === | [[https://mailarch.cerge-ei.cz</font|Server: https://mailarch.cerge-ei.cz</font]]> <WRAP round center tip 100%>__**PWMA - Self-service Portal**__  Go to the address [[https://portal.cerge-ei.cz/pwma|https://portal.cerge-ei.cz/pwma]] and log with your Archive Zimbra account. | 
|  |  | 
| Use Kerio webmail ([[https://mbox.cerge-ei.cz/|https://mbox.cerge-ei.cz/]]) | User name is in short format (e.g. **jnovak**). | 
|  |  | 
| ===== FACTS / HINTS ===== | You can also **reset forgotten password**  at the PWMA Portal if necessary | 
|  |  | 
|  | **Important!**  You need to have ** mobile phone number registered at the portal**  in advance to be able reset password via SMS. (Pager attribute) | 
|  |  | 
|  | </WRAP> | 
|  |  | 
|  | ---- | 
|  |  | 
| * **One account for all services**  (called Domain Account). There is **only ****one**** login name and password**  which serves **for**  almost **all applications**  and services at CERGE-EI (Login to computer; Network shares, CEIS; CMS; Reporting; internal web pages; printers etc.) Mostly the password is common also for Email Server Zimbra - including Webmail, SMTP and IMAP access; * You can have an **independent password for email**  - coordinate accounts separation with the IT office in advance (older accounts are still synced between email and domain) * **Do not change the email password via Zimbra webmail**  to make it independent, it could lock your network account. (Unless you are the person with the **independent email password**. This case use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] ) * Password may be changed **ONLY ONCE per day**. * **Passwords must meet complexity requirements**<WRAP round center important 60%> <font 11.0pt/11;;#27ae60;;inherit>Please understand, that it is important to comply with the following rules: * Passwords must not contain the user's name or username; * Passwords must contain characters from the following four categories: uppercase characters, lowercase characters, digits, other characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ * Must be at least 9 characters long.</WRAP> * **Passwords remembered by email clients can <font inherit/inherit;;red;;inherit>LOCK YOUR ACCOUNT** * Account is temporarily** locked after several unsuccessful logon attempts** with a wrong password! * **Email clients** (like Thunderbird or Outlook), **smartphones** and tablets or **web browsers** (like Firefox or Chrome) **allow password to be remembered**. 
* **<font inherit/inherit;;red;;inherit>BE AWARE that**</font> **<font inherit/inherit;;red;;inherit>SMARTPHONES</font>**<font inherit/inherit;;red;;inherit>**usually**</font><font inherit/inherit;;red;;inherit>** use remembered password **</font><font inherit/inherit;;red;;inherit>**repeatedly **</font>regardless of its validity which results in the **account lockdown**. |  | 
| * **Plan well before you change your password! **Recall all devices or applications with stored passwords (especially smartphones and tablets) in advance. |  | 
| * **Immediately after the password change**, the client password in your mail, smartphone, tablet **must be changed too**. |  | 
| * **What to do, if you find out that your AD account or mailbox is locked?** |  | 
| * **Try to find the reason.**  Have you made many unsuccessful attempts? Have you changed your password? Is your smartphone/tablet active? |  | 
| * **Stop or power off any possible source of wrong passwords**, e.g. running mail client, browser, smartphone or tablet. |  | 
| * **Wait a required ****time****period**  (until automatic account unlock applies) |  | 
| * **Check/change password settings in all client applications.**  Mainly smartphones don't allow to change/save the new password without checking it on the server (It's impossible with locked account). |  | 
| * **Email client usually requires both IMAP (incoming) and SMTP (outgoing) passwords to be set** |  | 
| ===== MORE DETAILED INFORMATION ===== | ===== MORE DETAILED INFORMATION ===== | 
|  |  | 
| **Locking the account and mailbox** \\  \\ | ==== Locking the account and mailbox ==== | 
| Account is temporarily locked after several unsuccessful logon attempts with wrong password to avoid abuse and brute force password breaking. \\ | Account is temporarily locked after several unsuccessful logon attempts with wrong password to avoid abuse and brute force password breaking. \\ | 
| There are three significant parameters of this feature: | There are three significant parameters of this feature: | 
| Smartphones usually use remembered password repeatedly regardless of its validity. Than you can easily lock the mailbox unintentionally.</WRAP> | Smartphones usually use remembered password repeatedly regardless of its validity. Than you can easily lock the mailbox unintentionally.</WRAP> | 
|  |  | 
| __**Threshold parameters - Active Directory**__  \\  \\ | ==== Threshold parameters - Active Directory ==== | 
| The Active Directory (shortly AD) serves as authentication authority for local network shares, desktop login, internal web pages, CEIS, CMS, Reporting etc. \\  \\ | The Active Directory (shortly AD) serves as authentication authority for local network shares, desktop login, internal web pages, CEIS, CMS, Reporting etc. \\  \\ | 
| Account lockout duration: **3 minutes** \\ | Account lockout duration: **3 minutes** \\ | 
| Account lockout threshold: **7 invalid logon attempts** \\ | Account lockout threshold: **7 invalid logon attempts** \\ | 
| Account lockout counter reset: **after 3 minutes** \\  \\ __**Threshold parameters - Zimbra mailer**__  \\  \\ | Account lockout counter reset: **after 3 minutes** | 
|  |  | 
|  | ==== Threshold parameters - Zimbra mailer ==== | 
| Number of consecutive failed logons allowed: **10** \\ | Number of consecutive failed logons allowed: **10** \\ | 
| Time to lockout the account: **30 minutes** \\ | Time to lockout the account: **30 minutes** \\ | 
| Although the AD account is locked earlier, it is also quickly unlocked. If the attack over the mailer persists, the lock on the mailer is activated for a longer period and produces no new lock of the AD account. | Although the AD account is locked earlier, it is also quickly unlocked. If the attack over the mailer persists, the lock on the mailer is activated for a longer period and produces no new lock of the AD account. | 
|  |  | 
|  | ===== FACTS / HINTS ===== | 
|  |  | 
|  | * **One account for all services**  (called Domain Account). There is **only ****one**** login name and password**  which serves **for**  almost **all applications**  and services at CERGE-EI (Login to computer; Network shares, CEIS; CMS; Reporting; internal web pages; printers etc.) Password may be changed **ONLY ONCE per day**. | 
|  | * Usually you have an **independent password for Email Server Zimbra**  - including Webmail, SMTP and IMAP access; This case you can change the email password via Zimbra webmail. Than you can have two different passwords (recommended mode). Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] ) | 
|  | * <del>If you have an **older account**  at CERGE-EI you can still have the **password synced between email and domain**. Coordinate accounts separation with the IT office in advance. __Do not change the email password via Zimbra webmail to make it independent, it could lock your network account.__ </del>  * **Passwords must meet complexity requirements** | 
|  | * Passwords **must not contain the user's name or username** | 
|  | * Passwords **must contain characters from the following four categories**: | 
|  | * uppercase characters, | 
|  | * lowercase characters, | 
|  | * digits, | 
|  | * other characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ | 
|  | * **Must be at least 9 characters long ** | 
|  | * **Passwords remembered by email clients can | 
|  | <font inherit/inherit;;red;;inherit>LOCK YOUR ACCOUNT</font> ** | 
|  | * Account is temporarily** locked after several unsuccessful logon attempts**  with a wrong password! | 
|  | * **Email clients**  (like Thunderbird or Outlook), **smartphones**  and tablets or **web browsers**  (like Firefox or Chrome) **allow password to be remembered**  and can repeatedly lock the account if password does not match. | 
|  | <font inherit/inherit;;red;;inherit>**BE AWARE that SMARTPHONES usually** use remembered password repeatedly</font> **regardless of its validity**  which results in the **account lockdown**. | 
|  | * **Plan well before you change your password! **Recall all devices or applications with stored passwords (especially smartphones and tablets) in advance. | 
|  | * **Immediately after the password change**, the client password in your mail, smartphone, tablet **must be changed too**. | 
|  | * **What to do, if you find out that your AD account or mailbox is locked?** | 
|  | * **Try to find the reason.**  Have you made many unsuccessful attempts? Have you changed your password? Is your smartphone/tablet active? | 
|  | * **Stop or power off any possible source of wrong passwords**, e.g. running mail client, browser, smartphone or tablet. | 
|  | * **Wait a required ****time****period**  (until automatic account unlock applies) | 
|  | * **Check/change password settings in all client applications.**  Mainly smartphones don't allow to change/save the new password without checking it on the server (It's impossible with locked account). | 
|  | * **Email client usually requires both IMAP (incoming) and SMTP (outgoing) passwords to be set** | 
| ===== Links ===== | ===== Links ===== | 
|  |  | 
| More complex information is available in the [[:public:user_accounts|User Accounts and Password usage]] article. | More complex information is available in the [[:public:user_accounts|User Accounts and Password usage]] article. | 
|  |  | 
|  | -.- | 
|  |  | 
|  | {{:public:pasted:20230316-122144.png}} | 
|  |  | 
|  |  |
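
Review bot: the "Password policy" list added under "for Domain account [D]" states the complexity rules a second time, because this revision also keeps "Passwords must meet complexity requirements" under FACTS / HINTS, and the two lists do not match. The new list adds "Must include at least 4 letters", the banned values (test pass 1234 4321 0000 cerge) and "24 Latest passwords remembered", while the FACTS / HINTS list is the only place that enumerates the accepted symbol characters. Keep one authoritative list, move the symbol set into it, and have the other section link to it so the two cannot drift apart.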
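
Review bot: the mail-server sections of the new revision still carry broken wiki markup. Under "for Zimbra Archive [A]" the link `[[https://mailarch.cerge-ei.cz</font|Server: https://mailarch.cerge-ei.cz</font]]>` has `</font` fragments inside both the target and the label and a stray `>` after the closing brackets; it should read `[[https://mailarch.cerge-ei.cz|Server: https://mailarch.cerge-ei.cz]]`. Under "for Zimbra email Exchange [X]" the second list item is an empty `*` with its text ("the second way: Use PWMX - Self-service Portal ...") on a separate paragraph, and under "Change password" the item "You can find out your username ..." sits on the same line as `</WRAP>`, so neither renders as a list item. Put each bullet marker and its text together on a line of their own.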
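
Review bot: in the relocated FACTS / HINTS block, the once-per-day limit is now appended to the end of the "One account for all services" bullet instead of standing as its own item, where users are likely to miss it; restore it as a separate bullet. In the same block, the `<del>` paragraph about older synced accounts is followed on the same line by `* **Passwords must meet complexity requirements**`, so that heading bullet will not start a list item, and the second bullet ends with an unmatched `)` after the "Zimbra Password change" link. If the synced-account case no longer exists, delete the struck text rather than leaving it in the page, and start the complexity bullet on its own line.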