public:passwd_change

Differences

public:passwd_change [2020-12-08 14:37] veselypublic:passwd_change [2023-04-21 12:46] (current) – [How to change your CERGE-EI accounts passwords] marp
Line 1: Line 1:
 ====== How to change your CERGE-EI accounts passwords ====== ====== How to change your CERGE-EI accounts passwords ======
  
-Not all accounts at CERGE-EI are mutualy connected by a single password. This is a security measure.+Because of security measure, CERGE-EI distinguishes between __network (domain) passwords__ and __mailserver passwords__.
  
-There is a different password for:+As result, there are 
 + <font inherit/inherit;;inherit;;#ffff00>different passwords</font>  for your:
  
-  * Your **domain account ****ad.cerge-ei.cz**  (Active Directory) used for network logon, VPN, web, TAS etc. [D] +  * **Domain Account **//**ad.cerge-ei.cz**//  (Active Directory) used for PC/network logon, Moodle/CMS, CEIS, VPN, internal web, TAS etc. [D] 
-  * Your **Zimbra mail exchange**  server account [X] +  * **Zimbra Mail exchange**  server account [X] 
-  * Your **Zimbra archive mail**  server account (if available) [A] +  * **Zimbra Archive mail**  server account (if available) [A] 
- +===== Reset Password Guidelines =====
-===== Guidelines =====+
  
 ==== for Domain account [D] ==== ==== for Domain account [D] ====
 +
 +{{:public:pasted:20230214-163051.png?280x49}}
  
 //Username is usualy in the format **nsurname**  (first letter of name + surname, max. 8 characters. e.g. jdoe, bsprings, …). *// //Username is usualy in the format **nsurname**  (first letter of name + surname, max. 8 characters. e.g. jdoe, bsprings, …). *//
  
-There are two basic ways how you can change your domain account:+=== Change password ===
  
-  * **the first way: Windows login page**<WRAP round center tip 100%>Press Ctrl+Alt+Delete → click “Change a password…” , type your old password followed by a new password as indicated, and then type the new password again to confirm it.</WRAP> +There are two basic ways how you can change your domain account password: 
-  * **the second way: Password Self-Service Portal **  (experimental)<WRAP round center tip 100%> Go to the address [[https://portal.cerge-ei.cz/pwm|https://portal.cerge-ei.cz/pwm]] and log with your domain account. You can also **reset forgotten password**  if necessary (you have to have your mobile phone registered at the portal in advance to be able reset password via SMS). </WRAP> + 
-* You can find out your username at the self-service portal → click //[Forgotten User Name]//  button at the Password Self-Service Portal+  * the first way: **Windows login page**<WRAP round center tip 100%>Press Ctrl+Alt+Delete → click “Change a password…” , type your old password followed by a new password as indicated, and then type the new password again to confirm it. 
 + 
 +</WRAP> 
 + 
 +  * the second way: **Password Self-Service Portal **<WRAP round center tip 100%> Go to the address **[[https://portal.cerge-ei.cz/pwm|https://portal.cerge-ei.cz/pwm]]**  and log with your domain account. 
 + 
 +</WRAP> * You can find out your username at the self-service portal → click //[Forgotten User Name]//  button at the Password Self-Service Portal 
 + 
 +=== Reset password === 
 + 
 +<WRAP round center important 100%>You can also **reset forgotten password**  if necessary. You have to have your **mobile phone registered**  at the portal in advance to be able reset password via SMS. If you do not have mobile registered yet, you may send registration request to helpdesk@cerge-ei.cz 
 + 
 +</WRAP>
  
 See [[:public:user_accounts|User Accounts]] page for more details… See [[:public:user_accounts|User Accounts]] page for more details…
  
-==== Email Password ====+==== Email Accounts Passwords ==== 
 + 
 +{{:public:pasted:20230214-163625.png?280x61}}
  
 === for Zimbra email Exchange [X] === === for Zimbra email Exchange [X] ===
  
-[[https://mail.cerge-ei.cz</font|Serverhttps://mail.cerge-ei.cz</font]]>+{{:public:pasted:20230214-163743.png}}
  
-Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]]+There are two basic ways how you can change your Zimbra Mailserver account password: 
 + 
 +  * the first way: Access [[https://mail.cerge-ei.cz|Zimbra Webmail]] ([[https://mail.cerge-ei.cz|https://mail.cerge-ei.cz]])<WRAP round center tip 100%>See [[:public:emai:zimbra_password|Zimbra Password change ]] for detailed instructions.</WRAP> 
 + 
 +  * 
 + 
 +the second way: Use  [[https://portal.cerge-ei.cz/pwmx|PWMX - Self-service Portal]] for Zimbra Mail Exchange:<WRAP round center tip 100%>Go to the address [[https://portal.cerge-ei.cz/pwmx|https://portal.cerge-ei.cz/pwmx]] and log with your Zimbra account.</WRAP> 
 + 
 +You can also **reset forgotten password**  at the PWMX Portal if necessary 
 + 
 +User name is in short format (e.g. **jnovak**). 
 + 
 +**Important!**  You need to have ** mobile phone number registered at the portal**  in advance to be able reset password via SMS (Pager attribute)
  
 === for Zimbra Archive [A] === === for Zimbra Archive [A] ===
  
-[[https://mailarch.cerge-ei.cz</font|Serverhttps://mailarch.cerge-ei.cz</font]]>(experimental/pilot phase) <WRAP round center tip 100%>__**PWMA - Self-service Portal**__  Go to the address [[https://portal.cerge-ei.cz/pwma|https://portal.cerge-ei.cz/pwma]] and log with your Archive Zimbra account. You can also **reset forgotten password**  at the PWMA Portal if necessary **Important!**  You need to have ** mobile phone number registered at the portal**  in advance to be able reset password via SMS</WRAP>+{{:public:pasted:20230214-163833.png}}
  
-=== Kerio Mailserver [K===+[[https://mailarch.cerge-ei.cz</font|Server: https://mailarch.cerge-ei.cz</font]]> <WRAP round center tip 100%>__**PWMA - Self-service Portal**__  Go to the address [[https://portal.cerge-ei.cz/pwma|https://portal.cerge-ei.cz/pwma]and log with your Archive Zimbra account.
  
-Use Kerio webmail ([[https://mbox.cerge-ei.cz/|https://mbox.cerge-ei.cz/]])+User name is in short format (e.g**jnovak**).
  
-===== FACTS HINTS =====+You can also **reset forgotten password**  at the PWMA Portal if necessary 
 + 
 +**Important!**  You need to have ** mobile phone number registered at the portal**  in advance to be able reset password via SMS. (Pager attribute) 
 + 
 +</WRAP> 
 + 
 +----
  
-* **One account for all services**  (called Domain Account). There is **only ****one**** login name and password**  which serves **for**  almost **all applications**  and services at CERGE-EI (Login to computer; Network shares, CEIS; CMS; Reporting; internal web pages; printers etc.) Mostly the password is common also for Email Server Zimbra - including Webmail, SMTP and IMAP access; * You can have an **independent password for email**  - coordinate accounts separation with the IT office in advance (older accounts are still synced between email and domain) * **Do not change the email password via Zimbra webmail**  to make it independent, it could lock your network account. (Unless you are the person with the **independent email password**. This case use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] ) * Password may be changed **ONLY ONCE per day**. * **Passwords must meet complexity requirements**<WRAP round center important 60%> <font 11.0pt/11;;#27ae60;;inherit>Please understand, that it is important to comply with the following rules: * Passwords must not contain the user's name or username; * Passwords must contain characters from the following four categories: uppercase characters, lowercase characters, digits, other characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/ * Must be at least 9 characters long.</WRAP> * **Passwords remembered by email clients can <font inherit/inherit;;red;;inherit>LOCK YOUR ACCOUNT** * Account is temporarily** locked after several unsuccessful logon attempts** with a wrong password! * **Email clients** (like Thunderbird or Outlook), **smartphones** and tablets or **web browsers** (like Firefox or Chrome) **allow password to be remembered**. 
* **<font inherit/inherit;;red;;inherit>BE AWARE that**</font> **<font inherit/inherit;;red;;inherit>SMARTPHONES</font>**<font inherit/inherit;;red;;inherit>**usually**</font><font inherit/inherit;;red;;inherit>** use remembered password **</font><font inherit/inherit;;red;;inherit>**repeatedly **</font>regardless of its validity which results in the **account lockdown**. 
-  * **Plan well before you change your password! **Recall all devices or applications with stored passwords (especially smartphones and tablets) in advance. 
-  * **Immediately after the password change**, the client password in your mail, smartphone, tablet **must be changed too**. 
-  * **What to do, if you find out that your AD account or mailbox is locked?** 
-  * **Try to find the reason.**  Have you made many unsuccessful attempts? Have you changed your password? Is your smartphone/tablet active? 
-  * **Stop or power off any possible source of wrong passwords**, e.g. running mail client, browser, smartphone or tablet. 
-  * **Wait a required ****time****period**  (until automatic account unlock applies) 
-  * **Check/change password settings in all client applications.**  Mainly smartphones don't allow to change/save the new password without checking it on the server (It's impossible with locked account). 
-  * **Email client usually requires both IMAP (incoming) and SMTP (outgoing) passwords to be set** 
 ===== MORE DETAILED INFORMATION ===== ===== MORE DETAILED INFORMATION =====
  
-**Locking the account and mailbox** \\  \\+==== Locking the account and mailbox ==== 
 Account is temporarily locked after several unsuccessful logon attempts with wrong password to avoid abuse and brute force password breaking. \\ Account is temporarily locked after several unsuccessful logon attempts with wrong password to avoid abuse and brute force password breaking. \\
 There are three significant parameters of this feature: There are three significant parameters of this feature:
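Review bot: The added "Reset password" block, in the WRAP ending "you may send registration request to helpdesk@cerge-ei.cz", does not say how a phone-registration request is verified. The registered mobile number is what authorises an SMS reset of the domain password, and this same revision stresses that the mail password is separate from the domain one, so a request that arrives by e-mail alone does not show that the account owner sent it. Suggest stating how helpdesk confirms the requester's identity before registering a number, or linking to the page that does. Also in this hunk: the new Zimbra Exchange list has an empty "*" item with "the second way:" left outside the list, and the re-added archive server link still carries the stray "</font" inside both its target and its label; both should be fixed before saving.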
Line 65: Line 91:
 Smartphones usually use remembered password repeatedly regardless of its validity. Than you can easily lock the mailbox unintentionally.</WRAP> Smartphones usually use remembered password repeatedly regardless of its validity. Than you can easily lock the mailbox unintentionally.</WRAP>
  
-__**Threshold parameters - Active Directory**__  \\  \\+==== Threshold parameters - Active Directory ==== 
 The Active Directory (shortly AD) serves as authentication authority for local network shares, desktop login, internal web pages, CEIS, CMS, Reporting etc. \\  \\ The Active Directory (shortly AD) serves as authentication authority for local network shares, desktop login, internal web pages, CEIS, CMS, Reporting etc. \\  \\
 Account lockout duration: **3 minutes** \\ Account lockout duration: **3 minutes** \\
 Account lockout threshold: **7 invalid logon attempts** \\ Account lockout threshold: **7 invalid logon attempts** \\
-Account lockout counter reset: **after 3 minutes** \\  \\ __**Threshold parameters - Zimbra mailer**__  \\  \\+Account lockout counter reset: **after 3 minutes** 
 + 
 +==== Threshold parameters - Zimbra mailer ==== 
 Number of consecutive failed logons allowed: **10** \\ Number of consecutive failed logons allowed: **10** \\
 Time to lockout the account: **30 minutes** \\ Time to lockout the account: **30 minutes** \\
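Review bot: With both threshold blocks now under matching "====" headings, the parameter labels in the unchanged lines still differ between them. The Active Directory block uses "Account lockout duration" and "Account lockout threshold", while the Zimbra block visible here uses "Time to lockout the account: **30 minutes**", which can be read either as how long the lock lasts or as the window in which failed logons are counted. Suggest renaming the Zimbra labels to mirror the AD ones so the two policies can be compared directly.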
Line 75: Line 105:
 Although the AD account is locked earlier, it is also quickly unlocked. If the attack over the mailer persists, the lock on the mailer is activated for a longer period and produces no new lock of the AD account. Although the AD account is locked earlier, it is also quickly unlocked. If the attack over the mailer persists, the lock on the mailer is activated for a longer period and produces no new lock of the AD account.
  
 +===== FACTS / HINTS =====
 +
 +  * **One account for all services**  (called Domain Account). There is **only ****one**** login name and password**  which serves **for**  almost **all applications**  and services at CERGE-EI (Login to computer; Network shares, CEIS; CMS; Reporting; internal web pages; printers etc.) Password may be changed **ONLY ONCE per day**.
 +  * Usually you have an **independent password for Email Server Zimbra**  - including Webmail, SMTP and IMAP access; This case you can change the email password via Zimbra webmail. Than you can have two different passwords (recommended mode). Use [[https://mail.cerge-ei.cz|webmail]] for [[:public:emai:zimbra_password|Zimbra Password change ]] )
 +  * <del>If you have an **older account**  at CERGE-EI you can still have the **password synced between email and domain**. Coordinate accounts separation with the IT office in advance. __Do not change the email password via Zimbra webmail to make it independent, it could lock your network account.__ </del>  * **Passwords must meet complexity requirements**
 +      * Passwords **must not contain the user's name or username**
 +      * Passwords **must contain characters from the following four categories**:
 +        * uppercase characters,
 +        * lowercase characters,
 +        * digits,
 +        * other characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
 +      * **Must be at least 9 characters long **
 +  * **Passwords remembered by email clients can
 + <font inherit/inherit;;red;;inherit>LOCK YOUR ACCOUNT</font> **
 +  * Account is temporarily** locked after several unsuccessful logon attempts**  with a wrong password!
 +  * **Email clients**  (like Thunderbird or Outlook), **smartphones**  and tablets or **web browsers**  (like Firefox or Chrome) **allow password to be remembered**  and can repeatedly lock the account if password does not match.
 + <font inherit/inherit;;red;;inherit>**BE AWARE that SMARTPHONES usually** use remembered password repeatedly</font> **regardless of its validity**  which results in the **account lockdown**.
 +  * **Plan well before you change your password! **Recall all devices or applications with stored passwords (especially smartphones and tablets) in advance.
 +  * **Immediately after the password change**, the client password in your mail, smartphone, tablet **must be changed too**.
 +  * **What to do, if you find out that your AD account or mailbox is locked?**
 +  * **Try to find the reason.**  Have you made many unsuccessful attempts? Have you changed your password? Is your smartphone/tablet active?
 +  * **Stop or power off any possible source of wrong passwords**, e.g. running mail client, browser, smartphone or tablet.
 +  * **Wait a required ****time****period**  (until automatic account unlock applies)
 +  * **Check/change password settings in all client applications.**  Mainly smartphones don't allow to change/save the new password without checking it on the server (It's impossible with locked account).
 +  * **Email client usually requires both IMAP (incoming) and SMTP (outgoing) passwords to be set**
 ===== Links ===== ===== Links =====
  
 More complex information is available in the [[:public:user_accounts|User Accounts and Password usage]] article. More complex information is available in the [[:public:user_accounts|User Accounts and Password usage]] article.
 +
 +-.-
 +
 +{{:public:pasted:20230316-122144.png}}
  
  
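Review bot: On the added line that begins "<del>If you have an **older account**", the closing "</del>" is followed on the same line by "* **Passwords must meet complexity requirements**", so that bullet is not parsed as a list item and the indented rules beneath it lose their parent. Put the complexity bullet on its own line, and consider deleting the struck-through paragraph rather than keeping it, since it leaves superseded advice about synced passwords next to the current recommendation of two different passwords. The preceding bullet also ends with an unmatched ")" after the Zimbra Password change link, the bold span around "LOCK YOUR ACCOUNT" is split across two lines, and the "-.-" line above the last image looks like leftover text.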
  • Last modified: 2020-12-08 14:37
  • by vesely