Password expiration is one of the most effective security policies around, for any kind of computer system. Yet I rarely find it in use at companies that hire me to consult. Why is it so often neglected? Simple: users don't like it, and it creates extra headaches for the IT staff. But the value of password expiration is obvious. When you create a Notes user account, do you want that account to be valid forever? Of course not. You want the account (ID) to stop working automatically after some period of time unless someone takes action to maintain it. That's where password expiration comes in: an ID whose password is never changed stops authenticating once its expiration period and grace period have passed.
Before I dive into this topic, there are two objections readers might make right away:
- The organization certificate on a Notes ID file always has an expiration date, so Notes IDs do expire. The problem with this is that many organizations set long certificate expiration dates (years) or set the server to auto-renew certificates.
- Domino/Notes administrators have the ability to remove or lock out a user account when that user leaves the organization. The problem is that this requires a positive action to disable an account. Most likely, you will remember to take this action -- but sometimes we forget.
Password expiration does involve more work for users and for administrators (when users forget their new passwords). So, this is an important question for your organization: "How serious do you want to be about computer security?" You might legitimately answer, "Not too serious. Fixed passwords are good enough for us." But, depending on the nature of your company, you might answer, "We take data security quite seriously and are willing to take the steps necessary to improve it." In the latter case, you should strongly consider enabling password expiration for Notes IDs.
Here are the steps:
- Choose a password expiration period and a "grace period." The grace period is a time interval during which the user's password has expired, but will still work. Typical values are 180 days and 60 days, respectively.
- While it is not required, I suggest you enable ID/password recovery before tackling password expiration. Users will be more likely to forget their passwords once you turn on expiration, and the recovery mechanism will help the IT staff deal with this.
- Enable password checking on the server. In the Domino Administrator program, go to Configuration -> Server -> All Server Documents. Edit the server document for the server you are using, then go to the Security tab. Enable the option marked "Check Passwords on Notes IDs."
- Wait several days, to make sure the server and users are running without problems now that password checking is enabled.
- Divide the users into subsets, each set to expire at a different time. This spreads out the password expiration dates, so the IT staff is not swamped with too many user calls on one day. For a password expiration time of 180 days, you might divide the users into 10 subsets, by some logical grouping. (A simple alphabetical sorting works fine in many cases.)
- Enable password expiration for the first set of users. In the Domino Administrator, go to People & Groups -> People. Select the person documents you want. Pull down Actions -> Set Password Fields. Set the options Check = Check Passwords; Required change = 180; Grace period = 60. (Or whatever other values you choose.)
- Repeat the above step a week later for the second set of users, then a week later for the third set, etc.
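The two numbers from the first step (expiration period and grace period) and the staggered rollout from the last three steps are easy to get wrong when you plan them on paper, so here is a small planning model, added for this tip and not part of the original article or of any Domino tooling. It classifies each ID as valid, in its grace period, or locked from the age of its password, lists the users the help desk should expect calls from on a given day, and builds the week-by-week rollout schedule. The user names and dates are constructed sample data, and the function names are my own; nothing here reads a Domino directory.

```python
"""Model the Notes password-expiration policy and its staggered rollout.

Added example for the tip above. The user list and dates below are
constructed; the defaults (180-day change interval, 60-day grace period,
10 subsets enabled one week apart) are the values the tip suggests.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from math import ceil


class PasswordState(Enum):
    VALID = "valid"
    IN_GRACE = "expired, still accepted during the grace period"
    LOCKED = "expired, grace period exhausted"


@dataclass(frozen=True)
class NotesUser:
    name: str
    last_password_change: date


def password_state(user: NotesUser, today: date,
                   required_change_days: int = 180,
                   grace_days: int = 60) -> PasswordState:
    """Classify an ID by the age of its password.

    Up to `required_change_days` the password is simply valid. After that
    the server still accepts it for `grace_days`, so the user can log in
    and change it. Beyond that the ID no longer authenticates until an
    administrator intervenes, which is what protects against a forgotten,
    dormant account.
    """
    age = (today - user.last_password_change).days
    if age <= required_change_days:
        return PasswordState.VALID
    if age <= required_change_days + grace_days:
        return PasswordState.IN_GRACE
    return PasswordState.LOCKED


def users_to_contact(users, today: date, **policy):
    """Sorted names of users whose password has expired (in grace or locked):
    the people the IT staff should expect to hear from around `today`."""
    return sorted(u.name for u in users
                  if password_state(u, today, **policy) is not PasswordState.VALID)


def rollout_schedule(users, start: date, subsets: int = 10,
                     interval_days: int = 7):
    """Split the users alphabetically into at most `subsets` groups and give
    each group the date on which expiration is switched on for it, one group
    per `interval_days`. Returns a list of (enable_date, [names]) tuples."""
    names = sorted(u.name for u in users)
    if not names:
        return []
    per_group = ceil(len(names) / subsets)
    schedule = []
    for i in range(0, len(names), per_group):
        group_index = i // per_group
        enable_on = start + timedelta(days=group_index * interval_days)
        schedule.append((enable_on, names[i:i + per_group]))
    return schedule


# Constructed sample directory; ages are measured against 1 Sep 2004 below.
SAMPLE_USERS = [
    NotesUser("Alice Adams", date(2004, 6, 1)),    # 92 days old: valid
    NotesUser("Bob Baker", date(2004, 1, 15)),     # 230 days: in grace
    NotesUser("Carol Chen", date(2003, 12, 1)),    # 275 days: locked
    NotesUser("Dave Diaz", date(2004, 3, 5)),      # exactly 180 days: still valid
    NotesUser("Eve Evans", date(2004, 3, 4)),      # 181 days: first day of grace
    NotesUser("Frank Ford", date(2004, 2, 13)),    # 201 days: in grace
]

if __name__ == "__main__":
    today = date(2004, 9, 1)
    for user in SAMPLE_USERS:
        print(f"{user.name:12} {password_state(user, today).value}")
    print("expect calls from:", users_to_contact(SAMPLE_USERS, today))
    for enable_on, group in rollout_schedule(SAMPLE_USERS, date(2004, 9, 6), subsets=3):
        print(enable_on, group)
```

Running it as a script shows the boundary the tip leaves implicit: a password changed exactly 180 days ago is still valid, the grace period starts on day 181, and the ID is locked on day 241. Feeding it a real export of last-change dates (one line per user) before you turn on "Set Password Fields" tells you how many people will land in the grace period at once, which is the reason for the staggered rollout.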
That's it! You have added a significant layer of security to your Domino/Notes system.
About the author: Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.
This was first published in May 2004