public:passwd_change [2023-02-14 16:41] – vesely | public:passwd_change [2024-11-01 13:13] (current) – [for Domain account [D]] jnov |
---|
Because of security measure, CERGE-EI distinguishes between __network (domain) passwords__ and __mailserver passwords__. | Because of security measure, CERGE-EI distinguishes between __network (domain) passwords__ and __mailserver passwords__. |
| |
As a result, there are different passwords for: | As a result, there are |
| <font inherit/inherit;;inherit;;#ffff00>different passwords</font> for your: |
| |
* your **domain account **//**ad.cerge-ei.cz**// (Active Directory) used for network logon, VPN, web, TAS etc. [D] | * **Domain Account **//**ad.cerge-ei.cz**// (Active Directory) used for PC/network logon, Moodle/CMS, CEIS, VPN, internal web, TAS etc. [D] |
* your **Zimbra mail exchange** server account [X] | * **Zimbra Mail exchange** server account [X] |
* your **Zimbra archive mail** server account (if available) [A] | * **Zimbra Archive mail** server account (if available) [A] |
| ===== Reset Password Guidelines ===== |
===== Guidelines ===== | |
| |
==== for Domain account [D] ==== | ==== for Domain account [D] ==== |
//Username is usualy in the format **nsurname** (first letter of name + surname, max. 8 characters. e.g. jdoe, bsprings, …). *// | //Username is usualy in the format **nsurname** (first letter of name + surname, max. 8 characters. e.g. jdoe, bsprings, …). *// |
| |
There are two basic ways how you can change your domain account: | **Password policy** |
| |
* the first way: **Windows login page** \\ <WRAP round center tip 100%>Press Ctrl+Alt+Delete → click “Change a password…” , type your old password followed by a new password as indicated, and then type the new password again to confirm it. \\ </WRAP> | * Password is case sensitive. \\ |
* the second way: **Password Self-Service Portal ** \\ <WRAP round center tip 100%> Go to the address **[[https://portal.cerge-ei.cz/pwm|https://portal.cerge-ei.cz/pwm]]** and log with your domain account. You can also **reset forgotten password** if necessary (you have to have your mobile phone registered at the portal in advance to be able reset password via SMS). \\ </WRAP> | * Must be at least 9 characters long. \\ |
| * Must include at least 4 letters. \\ |
| * Must include at least 1 number. \\ |
| * Must have at least 1 symbol (non letter or number) character. \\ |
| * Must have at least 1 lowercase letter. \\ |
| * Must have at least 1 uppercase letter. \\ |
| * Must not include any of the following values: test pass 1234 4321 0000 cerge \\ |
| * Must not include part of your name or user name. \\ |
| * Must not include a common word or commonly used sequence of characters. \\ |
| * 24 Latest passwords remembered. |
| |
* You can find out your username at the self-service portal → click //[Forgotten User Name]// button at the Password Self-Service Portal | === Change password === |
| |
| There are two basic ways how you can change your domain account password: |
| |
| * the first way: **Windows login page**<WRAP round center tip 100%>Press Ctrl+Alt+Delete → click “Change a password…” , type your old password followed by a new password as indicated, and then type the new password again to confirm it. |
| |
| </WRAP> |
| |
| * the second way: **Password Self-Service Portal **<WRAP round center tip 100%> Go to the address **[[https://portal.cerge-ei.cz/pwm|https://portal.cerge-ei.cz/pwm]]** and log with your domain account. |
| |
| </WRAP> * You can find out your username at the self-service portal → click //[Forgotten User Name]// button at the Password Self-Service Portal |
| |
| === Reset password === |
| |
| <WRAP round center important 100%>You can also **reset forgotten password** if necessary. You have to have your **mobile phone registered** at the portal in advance to be able reset password via SMS. If you do not have mobile registered yet, you may send registration request to helpdesk@cerge-ei.cz |
| |
| </WRAP> |
| |
See [[:public:user_accounts|User Accounts]] page for more details… | See [[:public:user_accounts|User Accounts]] page for more details… |
{{:public:pasted:20230214-163743.png}} | {{:public:pasted:20230214-163743.png}} |
| |
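Review bot: In the new "Reset password" box, the only route offered to users without a registered mobile is an e-mail to helpdesk@cerge-ei.cz, and the text does not say how that request is verified before the number becomes an SMS reset factor for the domain account. Suggest stating the verification step (for example, in person at the IT office) or pointing users to a registration path that requires being signed in. Separately, `</WRAP> * You can find out your username …` puts the closing tag and the next bullet on one line, so the item will not render as a list entry; move the bullet to its own line.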
[[https://mail.cerge-ei.cz</font|Server: https://mail.cerge-ei.cz</font]]> | There are two basic ways how you can change your Zimbra Mailserver account password: |
| |
Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] <WRAP round center tip 100%>__**PWMX - Self-service Portal**__ Go to the address [[https://portal.cerge-ei.cz/pwmx|https://portal.cerge-ei.cz/pwmx]] and log with your Zimbra account. | * the first way: Access [[https://mail.cerge-ei.cz|Zimbra Webmail]] ([[https://mail.cerge-ei.cz|https://mail.cerge-ei.cz]])<WRAP round center tip 100%>See [[:public:emai:zimbra_password|Zimbra Password change ]] for detailed instructions.</WRAP> |
| |
User name is in short format (e.g. **jnovak**). | * |
| |
| the second way: Use [[https://portal.cerge-ei.cz/pwmx|PWMX - Self-service Portal]] for Zimbra Mail Exchange:<WRAP round center tip 100%>__**PWMX - Self-service Portal**__ Go to the address [[https://portal.cerge-ei.cz/pwmx|https://portal.cerge-ei.cz/pwmx]] and log with your Zimbra account. |
| |
You can also **reset forgotten password** at the PWMX Portal if necessary | You can also **reset forgotten password** at the PWMX Portal if necessary |
| |
| User name is in short format (e.g. **jnovak**). |
| |
**Important!** You need to have ** mobile phone number registered at the portal** in advance to be able reset password via SMS (Pager attribute) | **Important!** You need to have ** mobile phone number registered at the portal** in advance to be able reset password via SMS (Pager attribute) |
| |
</WRAP> | </WRAP> |
| |
| |
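Review bot: The second list item in the new Zimbra text is split: the bullet marker `*` stands alone on one row and "the second way: Use PWMX - Self-service Portal …" follows two rows later as unbulleted text, so it will render as an empty bullet followed by a loose paragraph. Put the marker and the text on one line, as is done for "the first way", and keep the opening `<WRAP round center tip 100%>` directly after it so the box stays attached to its item.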
---- | ---- |
Time window in which the failed logons must occur to lock the account: **1 hour** \\ \\ | Time window in which the failed logons must occur to lock the account: **1 hour** \\ \\ |
Although the AD account is locked earlier, it is also quickly unlocked. If the attack over the mailer persists, the lock on the mailer is activated for a longer period and produces no new lock of the AD account. | Although the AD account is locked earlier, it is also quickly unlocked. If the attack over the mailer persists, the lock on the mailer is activated for a longer period and produces no new lock of the AD account. |
| |
| |
===== FACTS / HINTS ===== | ===== FACTS / HINTS ===== |
* **One account for all services** (called Domain Account). There is **only ****one**** login name and password** which serves **for** almost **all applications** and services at CERGE-EI (Login to computer; Network shares, CEIS; CMS; Reporting; internal web pages; printers etc.) Password may be changed **ONLY ONCE per day**. | * **One account for all services** (called Domain Account). There is **only ****one**** login name and password** which serves **for** almost **all applications** and services at CERGE-EI (Login to computer; Network shares, CEIS; CMS; Reporting; internal web pages; printers etc.) Password may be changed **ONLY ONCE per day**. |
* Usually you have an **independent password for Email Server Zimbra** - including Webmail, SMTP and IMAP access; This case you can change the email password via Zimbra webmail. Than you can have two different passwords (recommended mode). Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] ) | * Usually you have an **independent password for Email Server Zimbra** - including Webmail, SMTP and IMAP access; This case you can change the email password via Zimbra webmail. Than you can have two different passwords (recommended mode). Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] ) |
* If you have an **older account** at CERGE-EI you can still have the **password synced between email and domain**. Coordinate accounts separation with the IT office in advance. __Do not change the email password via Zimbra webmail to make it independent, it could lock your network account.__ | * <del>If you have an **older account** at CERGE-EI you can still have the **password synced between email and domain**. Coordinate accounts separation with the IT office in advance. __Do not change the email password via Zimbra webmail to make it independent, it could lock your network account.__ </del> * **Passwords must meet complexity requirements** |
| |
* **Passwords must meet complexity requirements** | |
* Passwords **must not contain the user's name or username** | * Passwords **must not contain the user's name or username** |
* Passwords **must contain characters from the following four categories**: uppercase characters, lowercase characters, digits, other characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ | * Passwords **must contain characters from the following four categories**: |
| * uppercase characters, |
| * lowercase characters, |
| * digits, |
| * other characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ |
* **Must be at least 9 characters long ** | * **Must be at least 9 characters long ** |
* **Passwords remembered by email clients can | * **Passwords remembered by email clients can |
<font inherit/inherit;;red;;inherit>LOCK YOUR ACCOUNT</font> ** | <font inherit/inherit;;red;;inherit>LOCK YOUR ACCOUNT</font> ** |
* Account is temporarily** locked after several unsuccessful logon attempts** with a wrong password! | * Account is temporarily** locked after several unsuccessful logon attempts** with a wrong password! |
* **Email clients** (like Thunderbird or Outlook), **smartphones** and tablets or **web browsers** (like Firefox or Chrome) **allow password to be remembered**. | * **Email clients** (like Thunderbird or Outlook), **smartphones** and tablets or **web browsers** (like Firefox or Chrome) **allow password to be remembered** and can repeatedly lock the account if password does not match. |
* | |
<font inherit/inherit;;red;;inherit>**BE AWARE that SMARTPHONES usually** use remembered password repeatedly</font> **regardless of its validity** which results in the **account lockdown**. | <font inherit/inherit;;red;;inherit>**BE AWARE that SMARTPHONES usually** use remembered password repeatedly</font> **regardless of its validity** which results in the **account lockdown**. |
* **Plan well before you change your password! **Recall all devices or applications with stored passwords (especially smartphones and tablets) in advance. | * **Plan well before you change your password! **Recall all devices or applications with stored passwords (especially smartphones and tablets) in advance. |
* **Check/change password settings in all client applications.** Mainly smartphones don't allow to change/save the new password without checking it on the server (It's impossible with locked account). | * **Check/change password settings in all client applications.** Mainly smartphones don't allow to change/save the new password without checking it on the server (It's impossible with locked account). |
* **Email client usually requires both IMAP (incoming) and SMTP (outgoing) passwords to be set** | * **Email client usually requires both IMAP (incoming) and SMTP (outgoing) passwords to be set** |
| |
| |
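Review bot: On the new side, `</del> * **Passwords must meet complexity requirements**` places the bullet marker mid-line after the closing `</del>`, so the complexity heading is no longer its own list item and the bullets that follow lose their parent. Start that bullet on a new line. The FACTS / HINTS complexity list also repeats part of the new "Password policy" list under Domain account [D] but omits its other rules (at least 4 letters, the disallowed values, 24 remembered passwords); consider keeping one list and linking to it so the two cannot drift apart.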
===== Links ===== | ===== Links ===== |
| |
More complex information is available in the [[:public:user_accounts|User Accounts and Password usage]] article. | More complex information is available in the [[:public:user_accounts|User Accounts and Password usage]] article. |
| |
| -.- |
| |
| {{:public:pasted:20230316-122144.png}} |
| |
| |