In HIFIS 3, the strength of users’ passwords didn’t matter as much, because a user had to be at the physical computer in order to login, which meant they were on site at a service provider.
In HIFIS 4, that all changed. The default configuration for HIFIS 4 is that it’s hosted on a website that anyone can access if they have the URL. Then all they need is a username and password.
The Olden Days
In the olden days (i.e. a few months ago), communities could set a default password (the factory default setting was 123456 as the default password). This default password was assigned to all new user accounts. When a user first logged in, they would be prompted (but not required) to change their password. But if a user never logged on, their password would remain the default one indefinitely. Also, any time a user forgot their password, the only way to recover it was to reset it back to the default password, and prompt the user to change it again.
To make matters worse, most communities have a policy governing usernames, so it’s usually very easy to guess a username.
Users were also prompted for a “secret phrase.” This was a knowledge-based authentication (KBA), like when a site asks you “Where did you attend high school?” or “What’s your favourite football team?” However, since users were just prompted for a “secret phrase,” not the name of their first pet, this was particularly misused. All that was needed to reset the user’s password back to the easy-to-guess password was to guess the user’s secret phrase.
The Way of the Future
Recently (version 220.127.116.11), the HIFIS Development Team made substantial security enhancements to the way passwords work in HIFIS 4. (Yay!) This is on top of the existing two-factor authentication option which was implemented about a year ago.
First, there’s no longer a default password. If your community’s HIFIS server has email configured (another new feature!), HIFIS can also email the user directly, prompting them to create a secure password without the Administrator ever knowing what their password is, or having to keep track of it. You can also configure how many days the user has to create a password before the email link expires.
If you don’t have email configured, HIFIS gives each user account a randomly generated, very complex, temporary password. For example, a password that HIFIS randomly generated for my test account was jOT)&aC?}YZm=h. (That’s pretty complex! And way more complex than 123456…)
The secret phrase is also gone. When a user clicks the Forgot Password link, instead of entering their secret phrase, HIFIS will now email the user a password recovery link. If email isn’t configured, a HIFIS Administrator needs to manually reset the user’s password to an auto-generated temporary password.
Communities can also enforce password strength requirements. HIFIS Administrators could do this before, but since it requires configuration on the server, most communities didn’t know that they could. For example, a common set of password strength requirements would read as follows:
Must be a minimum of 8 characters in length and must include:
At least one upper case letter (A, B, C)
At least one lower case letter (a, b, c)
At least one numbers (1,2,3)
At least one non-alphanumeric character (*,!,@)
Now, there’s customizable help text that informs users what the password strength requirements are (this didn’t used to be an option).
HIFIS Administrators can also set an age limit for passwords. That means that users must change their passwords every X number of days.
After the specified amount of time passes, users get a notice, and have to change their password.
HIFIS also notifies users about their password expiration date when they set or reset their password.
These changes go along way to improving HIFIS’ security. However, there are some things that HIFIS 4 still can’t do with regards to passwords, such as:
- Store a password history, and check new passwords against previously used passwords. Right now, even if a HIFIS forces a user to change their password every 30 days, they can “change” it to the same password.
- Check new passwords against a dictionary of known-bad choices. We don’t want to let users use ChangeMe, thisisapassword, or pA55w@rd, and so on, but right now, they can. Users can also set their password to be the same as their username, which is also not a great practice.
Actually, there’s been developments recently in the realm of password guidelines and internet security. In June 2017, the National Institute of Standards and Technology issued a new special publication entitled Digital Identity Guidelines: Authentication and Lifecycle Management that make some very interesting statements about what the new best practices in password management are. Some of the new best practices are:
- Minimum of 8 characters and a maximum length of at least 64 characters (so, essentially, longer passwords are good, and don’t cap the length).
- ✓ HIFIS lets you do this
- Allow all printable ASCII characters, including spaces, and should accept all UNICODE characters, too, including emoji!
- ✓ I don’t think HIFIS lets you store emoji, but it does let you store most characters, including spaces
- Include a dictionary of bad password choices (there’s a surprising amount of information available on this, such as this list of 10 million compromised passwords) and prevent users from selecting them.
- ✗ HIFIS doesn’t do this at the moment
- No composition rules. Most composition rules (like “you must include one upper case, one lower case, one number, and one special character”) just lead to passwords that are really hard to remember for the user, and aren’t substantially more secure (pA55w@rd isn’t much more secure than password, and it is a lot harder to remember)
- ✓ You can tell HIFIS what composition rules you want to enable
- No password hints. Many password hints give away the password, like “my wife’s name.”
- ✓ HIFIS doesn’t let you have password hints
- No knowledge-based authentication (KBA). No more giving away the password if I can guess the first car a user drove.
- ✓ HIFIS doesn’t have secret phrases any more
- No more password expiration. If we want users to be able to remember strong passwords, we shouldn’t make them change it every few months.
- ✓ HIFIS lets you set the password expiry duration
As I mentioned before, these password management rules are much-needed, and they go a long way towards helping us protect our clients’ information. In particular, doing away with the “secret phrase” is my favourite change.
What do you think? Is password strength an issue in your community? What password rules do you use? Is this a feature that makes you feel better about using HIFIS 4? Let me know what you think!