password policies Tag

To say that our security webinar went well is an understatement – partners actually loved it. It’s a strange and welcome departure from how my security and hacking conversations usually go (nobody ran away from me crying and screaming into their cell phone) and I cannot tell you how gratifying it felt to introduce security features and have people line up to offer them.

Frankly, it was time. The state of email (and email security) is unsustainable if we let the users and infrastructure we manage act like account security is an afterthought – that just leads to more compromised endpoints that just amplify the next attack that will be more sophisticated, harder to defend – AND – will eventually lead to increase in costs as more infrastructure is needed to protect users who want to act the same ways spammers do. We’ve put a smart lock on the door, it’s your choice whether you want to lock it.

That said – all these features are a part of the ExchangeDefender Enterprise which is designed for very large companies and government where organizational policies override any complaints and gripes end users may have with the security inconvenience. Which is exactly the opposite from the small businesses that MSPs tend to manage.

We get it. And we’re not giving up.

In the nearly two weeks that we’ve been rolling out the new security features to the MSP/SMB UI, we’ve noticed some severe pain points for our users that we’ve moved very aggressively to address and mitigate. Which is my commitment to you – we will keep on stepping up the security and we will find ways to mitigate some of the prompts, alerts, and notifications along the way if you don’t want your users to be aware of what is going on under the hood.

First up, if you’ve chosen to lock down ExchangeDefender admin panels to the restricted IP range you own, you now have the option to turn off email notices every time a login attempt is made from outside of this range.

We’re in progress of making additional changes and exceptions to the IP address restriction policy and removing it from the SPAM release process – so if your employees are mobile or working from home they will soon be able to release a legitimate message (false positive SPAM) from anywhere even with IP restrictions in place. They won’t be able to login to the control panel and make modifications or see other settings but they will be able to get to their email.

We hope this feature enhancement will reduce the amount of email notifications – you will still see them in your event logs.

Second, we have opened up our OTP/2FA infrastructure to the whole world.

Finally, the alerts on the clients dashboard. I am going to phrase this carefully as I’m not happy to announce this and will likely change it eventually: You can turn that alert off and stop users from being required to change their passwords very X days. Just set the value to 0. We will revisit this within 30 days but as a mitigation to any unwelcome support calls, yes 0 will just turn it off.

We’ve been working on the announcement and training features for quite some time now and we hope that they will make security implementation and support a problem for ExchangeDefender to handle, instead of burdening our partners with it. In an ideal world, those features would have launched first and we’d slowly trickle down ExchangeDefender Enterprise. Unfortunately, another 600+ million usernames, passwords and other PII has been leaked last week from some very popular sites and the odds that those users and passwords have the same credentials there as at ExchangeDefender are pretty good.

My point is, we are paid to protect and lock down your organizations communication and secrets, something we take extremely seriously. In order to protect all the data you trust us with, we have to lock things down. And as we do so, we will keep user experience front and center.

Thank you for trusting us with your data and thank you for your business.
Sincerely,
Vlad Mazek
CEO
ExchangeDefender

ExchangeDefender has been SMB friendly – to a fault, but the era of terrible passwords and plain text passwords is finally over. Not a single piece of ExchangeDefender stores (or offers) user credentials in plain text anymore. We’ve made the transition exceptionally smooth as well, requiring no changes or IT intervention at all.

But we cannot encourage it enough. And over the next year you will see us introduce several features meant to help you lock down ExchangeDefender and use it to lock down your overall IT security strategy. We’re happy to introduce password age configuration that allows you to force users to reset their passwords automatically.

This setting can be accessed from the Domain Administrator > Policies > Features section of admin.exchangedefender.com

When the password is older than your preset number of days (by default, 90) the user will see an ugly red notice telling them to update their password.

If you set the password expiration to 0 days you will turn this feature off entirely but we cannot discourage it more. The feature is there to help your users avoid having their accounts compromised.

If you implement some of these stronger security features we’ve also got you when it comes to minimizing account management – users can reset their password at any time if they have their PIN on them. So even if their mail server is down, having their PIN handy will let them reset the password without additional authentication. Forgot your pin? No problem, we can email you a reset link to a known email address.

As you can tell, ExchangeDefender will go the extra step of helping your users configure a strong password. It will also keep memory of recent passwords so that they can’t just rotate it back and forth between the same two passwords they use elsewhere.

As you’ve seen with mass password resets , access to advanced access logging , known trusted devices and IP restrictions , we are adding more, and more, of our enterprise features to the ExchangeDefender Pro product.

To hear about all these new security features in more detail please check out the webinar  that covers our current security portfolio and how these features make sense.

 

Password Policies

You’ve seen us blog endlessly about improved security that is being rolled out with all the brand new features across our entire product and service portfolio. Trust us, this is not a simple process of just changing the password complexity requirements, people hate password changes and for the most part have become predictable in what their current and next password will be. Add to it the fact that almost everyone uses the exact same password all over the web and not a single day passes by without at least one major provider having a data breach. Sometimes it becomes comical – even LifeLock had a security issue today where they exposed a bunch of data and had to take their site offline!

So passwords suck and short of using our One Time Password / Two Factor Authentication service, it’s going to remain that way. The cool thing about ExchangeDefender, and all of our service, is that we’re going to help you better manage security and password expiration so that your users and services can remain protected and still user friendly.

New password policy at ExchangeDefender, for all of our services going forward, will be a required mixture of upper case, lower case, numbers and special characters with minimum length of 9 characters.

That is just the beginning. Some services will require a transparent OTP/2FA using your email address or cell phone as an additional real-time identity verification process. If you are about to make a large-scale change, we want to make sure it’s you and not just someone that got your password. Calling in will now require PIN or txt verification as will any service request changes – the cool thing is, if you can provide us with that information we can do just about everything you want or need through phone and chat.

The reality of security on the web is that it’s as weak as the laziest user – and it only takes one careless one to mess up the entire organization. We are on your side, we are on your team – that’s why you hire ExchangeDefender – so we’re stepping things up in terms of support and management functionality to help identify, train, and assist users when they run into an issue. Passwords and password changes may continue to suck until the end of time – but we are currently making huge changes in the way we handle support in order to help our partners and CIO’s become more productive by letting us both better secure and support users.