
1. Passwords

With any OpenEngagement DMS site that is accessible from the internet, including the Hosted Solutions, strong passwords are necessary to maintain a secure site. It is possible to configure the DMS either to generate random passwords for all users, or to let the user who creates accounts for other users set their initial passwords. In both cases, all users can change their password at any time. In the first case, the random passwords are high-quality passwords, and users who can remember them should keep them. Where users set their own passwords, they should be encouraged to select high-quality passwords. Weak passwords are easy for attackers to guess, particularly attackers who use scripts to guess many passwords.

Firms may also choose to enforce a policy where passwords are changed regularly, for example, every month or every year. The DMS provides a reset password tool in the Users and Groups Administration page. Changing passwords regularly provides greater security, since the longer passwords are in use, the greater the chance that they are compromised. However, if passwords are changed too often, users tend to choose weaker passwords and may also write them down in places where others may see them.

For passwords to be reasonably secure, they should be at least 6 characters long and should contain lower case letters, upper case letters, and numbers. It is preferable that they also contain other symbols, such as !@#$%^&(){}[] and so on. Passwords that are a name or single word are particularly weak.
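The rules in the paragraph above can be checked mechanically. The following is an added example, not code from the DMS or from OpenEngagement: the function names, the small word list (constructed sample data) and the default generated length of 12 are assumptions made for illustration.

```python
import secrets
import string

SYMBOLS = "!@#$%^&(){}[]"  # symbols quoted on the page ("and so on" = minimum set)
MIN_LENGTH = 6             # minimum length stated on the page

# Constructed sample list standing in for a real dictionary of names and words.
COMMON_WORDS = {"password", "welcome", "michael", "jennifer", "dragon", "summer"}


def check_password(password, words=COMMON_WORDS):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    # A name or single word stays weak even with digits or symbols on the ends.
    core = password.strip(string.digits + string.punctuation).lower()
    if core in words:
        problems.append("based on a name or single word")
    return problems


def has_symbol(password):
    """Symbols are preferred by the policy, not required, so report them separately."""
    return any(c in string.punctuation for c in password)


def generate_password(length=12):
    """Generate a random password that passes every check above and has a symbol."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        # secrets draws from the operating system's cryptographic random source.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate) and has_symbol(candidate):
            return candidate
```

A check like this can run when a user sets or changes a password, with the returned problems shown to the user so they can choose a better one.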

Future versions of the DMS will provide tools to check and maintain the quality of the passwords to a level determined by the firm.

With Hosted and Local Solutions, the OpenEngagement team do not know the passwords of any users, and the code is written in such a way that the OpenEngagement team cannot determine them. With Hosted Solutions, if passwords are lost, additional user accounts may be created.

Users should never send their passwords by email. OpenEngagement will never send emails asking for any user's password.