HCL Domino Ideas Portal


119 VOTE
Status Assessment
Workspace Domino
Categories Security
Created by Guest
Created on Sep 24, 2018

Internet Password Security Parity with Notes Password Security Policy

Many Domino applications are now presented to the user through the browser. Many directories are strictly "Internet Users". IBM needs to invest in improving Internet Password Policy Features such that they are at least as good as Notes Password Policy Features. Administrators must be able to show that Internet Users are not second class citizens in the Domino world.

The current posts I could find are:

- Add Password Management capabilities (Expiration) for iNotes/internet users who do not utilize notes clients.
- Password Security / Policy for Internet MUST track history for specified reuse
- Custom Internet Password Policy Enforcement
- Check last 3 password during iNotes/Webmail password change or reset
- Need to customise the password expiration messaging
- List of Internet Users that are being expired.

Suggestions within this post:

- Notification Password will Expire in 'x' Days: This specific post was intended to address the fact that an Internet Only user cannot get a notification that their password is going to expire. They ONLY get the Change Password Screen when their password has expired. It seems odd that Domino can recognize an expired password once it has expired but cannot notify a browser user that it will expire in 'x' days. This limitation has been confirmed by IBM Domino Support.

- Minimum Password Age:  Many secure systems do not let the user change the password multiple times a day.  This is seen as a security risk or an automated attack.

- Initial Setup Expiration: When a new user is set up with an initial password they need to log in in 'x' days. This is different than forcing a user to change their password every 'y' days. Audit/Security wants to make sure new users make the initial login to validate they "got" the initial password.

- Notification of Password Change: This is being required by many systems as an insurance that the "real" owner is notified of a password change in case their account gets hacked.

Can IBM please remove the second class status of Internet Password Security (as compared to Notes Client Password Security) and make the Password Security Policy Enforcement more encompassing to include all the items above and consider any items not included above and are in the Policy Settings document to see if they can be included (technically)?

Note:  Other users should add their needs for Internet Password Security as comments to this Post.  I will incorporate them into the main post.

  • Guest
    Aug 22, 2023

    At this point I need the Domino (web sites) to handle AD Azure SSO, Passkey and other (leading) industry MFA solutions. I agree that getting away from Domino HTTP password authentication is a good idea.

    It is possible that if the Enterprise is not moving to an SSO (AD Azure, Passkey or other such environment), and the user requires a Notes ID for other reasons, then using that ID could be a possible scenario.

  • Admin
    Thomas Hampel
    Aug 22, 2023

    Our intention is to move away from internet passwords and use Notes ID passwords (and IDVault) for all users. Of course this idea must go along with simplifying the management of ID files and the user management process.

  • Guest
    Sep 9, 2020

    I would like to suggest that the internet password security also includes setting minimum password length, enforcing Upper and Lower case, enforcing Special Characters, enforcing Numbers in the password.

    Also if possible can multi factor authentication be developed at the same time (I have been advised by support that this has also been requested as a development enhancement).

  • Guest
    Sep 4, 2020

    The same options that are available for the Notes password need to be available for the Internet password, considering that there are web browser only clients.

  • Guest
    Feb 19, 2019

    Customer requested an additional feature:

    If the user enters a password that does not meet the complexity requirements, it will show the preset complexity (requirements for the password to be accepted), the same as when changing an expired password on the Notes Client.

  • Guest
    Jan 22, 2019

    As long as passwords are used, all of the above makes sense.

    But to be honest, I would prefer to get rid of passwords completely, and switch to token-based authentication.

  • Guest
    Oct 2, 2018

    Not sure if you're also interested in user self-service password reset capabilities?

    https://domino.ideas.aha.io/ideas/DOMINO-I-176