One of the most effective security policies for any computing organization is required password changes. Without this policy, people often keep the same password for years. Everyone is lazy (especially busy computer users), so why change passwords if you don't have to? Unfortunately, in its basic form, the Notes ID mechanism has no way to enforce password changes. Each ID file has its own password, which the server never knows, so password changes cannot be enforced for all users.
Fortunately, beginning with R4.5 of Domino and Notes, there is a way to require users to change passwords, and the changes will be enforced by the server. Before looking at the details, let's list some of the advantages of requiring password changes:
1) The most obvious benefit is that user passwords will change more frequently. If a nefarious person learns someone else's password, that knowledge will help them only for a limited period of time.
2) Users will not be allowed to reset their password to a previous password. Domino stores the last 50 passwords that a user had and disallows their re-use.
3) As a side benefit, the Domino password management mechanism solves the problem of stolen ID files. If someone does get a copy of your ID file, you can force an immediate password change. When someone tries to use the stolen ID, they will be challenged for the new password, which they will not know.
(Note: This entire discussion applies to Notes client access to Domino servers, not to web browser access to Domino.)
So how do you set up password expiration? Just follow these easy steps...
1) Make sure the Admin Process is running on the Domino server. You can verify this by typing SHOW TASKS at the server console. If it is not running, add AdminP to the ServerTasks line in the Notes.ini file.
2) Enable password checking on the server. In the Domino Administrator program, go to Configuration / Server / All Server Documents. Edit the configuration document for the server you are using, then go to the Security tab. Enable the option marked "Check Passwords on Notes IDs".
Item number 3 was amended on 6/7/2001 and varies from the tip email sent 6/6/2001. This is the corrected version.
3) Enable password checking for each person. In the Domino Administrator program, go to People & Groups / People. Edit the person document(s) you want. Go to the Administration tab. Set the Check Password field to "Check Password". Set the Required Change Interval field to the number of days between password changes. Set the Grace Period field to the number of days (after a password expires) during which the user is still allowed to use their old password.
That's it! You have added a significant layer of security to your Domino/Notes system.
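As an added illustration (not code from the original tip or from Domino itself), the Python below checks step 1 against the text of a Notes.ini file and models how the Required Change Interval and Grace Period from step 3 place each user on the expiration timeline, so that people whose checking was never enabled stand out. The dictionary keys, the sample data, the treatment of an interval of 0 as "not enforced" and the handling of the exact expiry day are assumptions of this example.

```python
from datetime import date, timedelta

# Constructed sample data, not taken from a real server.
SAMPLE_NOTES_INI = "[Notes]\nKitType=2\nServerTasks=Replica,Router,Update,AMgr,AdminP,Sched\n"
SAMPLE_PEOPLE = [  # hypothetical export of the three person-document fields
    {"name": "Alice", "check": "Check Password", "interval": 90, "grace": 10,
     "last_changed": date(2001, 5, 1)},
    {"name": "Bob", "check": "Check Password", "interval": 90, "grace": 10,
     "last_changed": date(2001, 3, 3)},
    {"name": "Carol", "check": "Check Password", "interval": 30, "grace": 5,
     "last_changed": date(2001, 3, 1)},
    {"name": "Dave", "check": "", "interval": 0, "grace": 0,  # field never set
     "last_changed": date(2000, 1, 1)},
]

def adminp_in_servertasks(ini_text):
    """Step 1: True if AdminP appears on the ServerTasks line of Notes.ini."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "servertasks":
            return "adminp" in [t.strip().lower() for t in value.split(",")]
    return False

def password_status(person, today):
    """Step 3: classify one person from the fields set on the Administration tab."""
    if person["check"] != "Check Password" or person["interval"] <= 0:
        return "not enforced"  # assumption: interval 0 means no required change
    expires = person["last_changed"] + timedelta(days=person["interval"])
    grace_ends = expires + timedelta(days=person["grace"])
    if today < expires:
        return "valid"
    # Assumption of this model: the expiry day itself already counts as expired.
    return "in grace period" if today < grace_ends else "grace period over"

def audit(ini_text, people, today):
    """Return (adminp_ok, {name: status}) so gaps in steps 1 and 3 are visible."""
    return adminp_in_servertasks(ini_text), {p["name"]: password_status(p, today) for p in people}

if __name__ == "__main__":
    ok, report = audit(SAMPLE_NOTES_INI, SAMPLE_PEOPLE, date(2001, 6, 7))
    print("AdminP in ServerTasks:", ok)
    for name, status in report.items():
        print(f"{name}: {status}")
```

Users reported as "not enforced" are the ones to revisit in step 3, since checking is enabled person by person.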
Chuck Connell is president of CHC-3 Consulting (http://www.chc-3.com), a consultancy that helps organizations with all aspects of Domino and Notes, especially security.
This was first published in June 2001