Expiring Passwords In Notes

One of the most effective security policies for any computing organization is required password changes. Without this policy, people often keep the same password for years. Everyone is lazy (especially busy computer users), so why change passwords if you don't have to? Unfortunately, in its basic form, the Notes ID mechanism has no way to enforce password changes. Each ID file has its own password, which the server never knows, so password changes cannot be enforced for all users.

Fortunately, beginning with R4.5 of Domino and Notes, there is a way to require users to change passwords, and the changes will be enforced by the server. Before looking at the details, let's list some of the advantages of requiring password changes:

1) The most obvious benefit is that user passwords will change more frequently. If a nefarious person learns someone else's password, that knowledge only will help them for a limited period of time.

2) Users will not be allowed to reset their password to a previous password. Domino stores the last 50 passwords that a user had and disallows their re-use.

3) As a side benefit, the Domino password management mechanism solves the problem of stolen ID files. If someone does get a copy of your ID file, you can force an immediate password change. When someone tries to use the stolen ID, they will be challenged for the new password, which they will not know.

(Note: This entire discussion applies to Notes client access to Domino servers, not to web browser access to Domino.)

So how do you set up password expiration? Just follow these easy steps...

1) Make sure the Admin Process is running on the Domino server. You can verify this by typing SHOW TASKS at the server console. If it is not running, add AdminP to the ServerTasks line in the Notes.ini file.

2) Enable password checking on the server. In the Domino Administrator program, go to Configuration / Server / All Server Documents. Edit the configuration document for the server you are using, then go to the Security tab. Enable the option marked "Check Passwords on Notes IDs".

Item number 3 was amended on 6/7/2001 and varies from the tip email sent 6/6/2001. This is the corrected version
3) Enable password checking for each person. In the Domino Administrator program, go to People & Groups / People. Edit the person document(s) you want. Go to the Administration tab. Set the Check Password field to "Check Password". Set the Required Change Interval field to the number of days between password changes. Set the Grace Period field to the number of days (after a password expires) during which the user is still allowed to use their old password.

That's it! You have added a significant layer of security to your Domino/Notes system.

-- end of password expiration --

Chuck Connell is president of CHC-3 Consulting http://www.chc-3.com, a consultancy that helps organizations with all aspects of Domino and Notes, especially security.

Rate this Tip To rate tips, you must be a member of SearchDomino.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Spam and Security Securely connect Lotus Domino servers on different domains Protect Lotus Notes from malicious code with the Domino ECL How to correct Lotus Notes public key mismatches in four easy steps A recipe for secure IM success Telecommuter security kit Spear phishing: Don't be a target FAQ: Lotus Notes Domino password issues Security awareness training: How to educate employees about spyware Seven tips to strengthen your Domino e-mail security Admin2005 preview: Tips, techniques, and a look at Notes/Domino Rel. 7 RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.