Internet Security

Provides information related to securing sites from internet security threats.

1. Passwords

Any OpenEngagement DMS site that is reachable from the internet, including the Hosted Solutions, depends on strong passwords to stay secure. The DMS can be configured either to generate a random password for every user, or to let the person who creates an account set the new user's initial password. In both cases every user can change their own password at any time. Generated passwords are high quality, and users who can remember them should keep them. Where users choose their own passwords, they should be encouraged to pick strong ones: weak passwords are easy to guess, particularly for attackers running scripts that try many candidate passwords against the login page.

Firms may also enforce a policy of changing passwords at a fixed interval, for example monthly or yearly; the Users and Groups Administration page provides a reset password tool for this. Regular changes limit how long a compromised password remains usable, since the longer a password is in use the more opportunities there are for it to leak. However, if the interval is too short, users tend to choose weaker passwords, make predictable incremental changes to the old one, or write passwords down where others can see them.

For a password to be reasonably secure it should be at least 6 characters long and contain lower case letters, upper case letters, and numbers. Six characters is a bare minimum: every additional character multiplies the work an attacker must do, so longer passwords are considerably harder to guess. It is preferable that passwords also contain other symbols, such as !@#$%^&(){}[] and so on. Passwords that are a name or a single dictionary word, with or without a digit or symbol tacked on the end, are particularly weak, because guessing scripts try exactly those variations first.

Future versions of the DMS will provide tools to check and maintain the quality of the passwords to a level determined by the firm.
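As an added illustration of the rules above (this is example code, not code from the DMS, whose own password-quality tools the page says are still to come), the Python below generates an initial password from the operating system's random source and checks any password against the page's criteria: the 6-character floor, mixed character classes, and rejection of a bare name or dictionary word. The 12-character recommendation, the short word list standing in for a real dictionary, and the entropy estimate are this example's own assumptions.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&(){}[]"          # the symbols the page lists
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

MIN_LENGTH = 6                     # the page's stated minimum
RECOMMENDED_LENGTH = 12            # this example's own recommendation (assumption)

# Constructed stand-in for a real dictionary and name list (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "smith", "jones"}


def _classes_used(password):
    """Which of the four character classes appear in the password."""
    return {
        "lower": any(c in LOWER for c in password),
        "upper": any(c in UPPER for c in password),
        "digit": any(c in DIGITS for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


def entropy_bits(password):
    """Upper bound on guessing entropy: length * log2(size of the pool of classes used).
    A user-chosen password is usually far weaker than this bound suggests."""
    sizes = {"lower": len(LOWER), "upper": len(UPPER), "digit": len(DIGITS), "symbol": len(SYMBOLS)}
    pool = sum(sizes[name] for name, used in _classes_used(password).items() if used)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password):
    """Apply the page's rules. Entries in 'problems' fail the password; entries in
    'warnings' are advisable improvements. Returns {"ok", "problems", "warnings", "entropy_bits"}."""
    used = _classes_used(password)
    problems, warnings = [], []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    elif len(password) < RECOMMENDED_LENGTH:
        warnings.append(f"fewer than {RECOMMENDED_LENGTH} characters")
    for cls, label in (("lower", "no lower case letter"),
                       ("upper", "no upper case letter"),
                       ("digit", "no digit")):
        if not used[cls]:
            problems.append(label)
    if not used["symbol"]:
        warnings.append("no symbol")
    # The weak case the page singles out: a bare word or name, possibly with a
    # digit or symbol tacked on, which guessing scripts try first.
    if password.isalpha():
        problems.append("single word or name")
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    if letters_only in COMMON_WORDS:
        problems.append("based on a common word or name")
    return {"ok": not problems, "problems": problems, "warnings": warnings,
            "entropy_bits": round(entropy_bits(password), 1)}


def generate_password(length=16):
    """Random initial password drawn with the OS CSPRNG (the secrets module),
    re-drawn until it passes check_password so every required class is present."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_password(candidate)["ok"]:
            return candidate


if __name__ == "__main__":
    for pw in ("password", "Smith1", "Tr0ub4dor&3", generate_password()):
        print(f"{pw!r}: {check_password(pw)}")
```

The entropy figure is only an upper bound useful for comparing generated passwords; a user-chosen password built from a word plus a digit has far fewer realistic guesses than its length and classes imply, which is why the word-list check is the part worth extending with a real dictionary.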

With both Hosted and Local Solutions, the OpenEngagement team do not know any user's password, and the code is written so that the team cannot recover them. With Hosted Solutions, if a password is lost it cannot be retrieved; the remedy is to have an additional user account created.

Users should never send their passwords by email, and OpenEngagement will never send email asking for any user's password. Any message that does so should be treated as a phishing attempt.

2. General Security for Local Solutions

Any site that is accessible from the internet is exposed to some danger of attack, whether from human attackers or from automated scripts. In this respect OpenEngagement is no different from any other application on the internet. Malicious visitors may attempt to deface the website, or to view, modify, or delete data.

Some strategies firms may use to mitigate this are:

  • Install anti-virus software on the server and on every computer in the office network, and keep it up to date;
  • Install intrusion detection software and monitor its alerts; an IDS whose output nobody reads adds nothing;
  • Keep the DMS behind a network firewall configured, at minimum, to block all inbound traffic except to the port the DMS listens on. Many firewalls can also check for common attack signatures;
  • Keep the DMS behind a web application firewall. These check for attack patterns specific to web applications, which network firewalls do not normally catch;
  • Run as few other applications and services as possible on the server hosting the DMS, to keep its attack surface small;
  • Use a security-focused operating system, such as OpenBSD, and keep it patched;
  • Use SSL/TLS to encrypt all traffic between the server and clients. Note that intrusion detection systems and firewalls cannot inspect encrypted traffic, so place them where they see the decrypted data, for example behind a reverse proxy that terminates TLS in front of the DMS;
  • Have the site audited, either by a security auditing firm or with security scanning software;
  • Keep the DMS accessible only from within the office network (or over a VPN). This gives up some benefits of the product but makes security much easier to achieve. 

It may not be necessary to implement all or even most of these, but we suggest that firms at least consider each one and implement those they judge necessary for their situation. Firms that want a high degree of security without operating their own security infrastructure may also consider the Hosted Solutions. OpenEngagement can also undertake some of this work for Local Solutions on a consultancy basis.
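As an added example of the kind of monitoring the intrusion detection item above asks for (this is example code, not part of the OpenEngagement documentation or the DMS), the Python below scans web-server access log lines for the scripted password guessing described in the Passwords section: repeated failed POSTs to the login page from one address inside a short window, and whether that address later logged in successfully. The log format (Apache/nginx "combined"), the `/login` path, the thresholds and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the DMS is fronted by a web server or reverse proxy writing
# Apache/nginx "combined" log lines, and the login form posts to this path.
LOGIN_PATH = "/login"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real traffic). 203.0.113.7 fails six times in ten
# seconds and then succeeds; 192.0.2.5 fails five times but 15 minutes apart;
# 198.51.100.23 is an ordinary user who mistyped once. The last line is malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:13 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.5 - - [10/Oct/2023:13:00:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:15:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:30:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:45:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:00:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:20 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore any query string
        "status": int(m["status"]),
    }


def find_password_guessing(log_text, threshold=5, window_minutes=5):
    """Return {ip: {"failures": n, "succeeded": bool}} for every address with at
    least `threshold` failed logins inside any span of `window_minutes`. 'failures'
    is the largest such count; 'succeeded' is True if the same address later got a
    non-error response from the login path, which is the case to act on first."""
    window = timedelta(minutes=window_minutes)
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != LOGIN_PATH:
            continue
        bucket = failures if ev["status"] in (401, 403) else successes
        bucket[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, {}).get("failures", 0):
                flagged[ip] = {"failures": count, "succeeded": False}
        if ip in flagged:
            # Any successful login after the first failure means a guess may have landed.
            flagged[ip]["succeeded"] = any(t > times[0] for t in successes[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in find_password_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, later success: {info['succeeded']}")
```

Run against a real log the script needs only the web server's combined-format access log, but the same detection logic is what a rule in an intrusion detection system or web application firewall would implement; the point of the sliding window is that five failures spread over an hour are a forgetful user, while the same five in a few seconds are a script.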