#dominoforever | Product Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Internet Password Security Parity with Notes Password Security Policy

Many Domino applications are now presented to the user through the browser.  Many directories are strictly "Internet Users".  IBM needs to invest in improving Internet Password Policy Features such that they are at least as good as Notes Password Policy Features.  Administrators must be bale to show that Internet Users are not second class citizens in the Domino world.

The current posts I could find are:

- Add Password Management capabilities (Expiration) for iNotes/internet users who do not utilize notes clients.
- Password Security / Policy for Internet MUST track history for specified reuse
- Custom Internet Password Policy Enforcement
- Check last 3 password during iNotes/Webmail password change or reset

-Need to customise the password expiration messaging

- List of Internet Users that are being expired.

Suggestions within this post:

- Notification Password will Expire in 'x' Days:  This specific post was to be intended to address the fact that an Internet Only user cannot get a notification that their password is going to expire.  They ONLY get the Change Password Screen when their password has expired.  It seems odd that Domino can recognize an expired password once it has expired but cannot notify a browser user that it will expire in 'x' days.  This limitation has been confirmed by IBM Domino Support.

- Minimum Password Age:  Many secure systems do not let the user change the password multiple times a day.  This is seen as a security risk or an automated attack.

- Initial Setup Expiration:  When a new user is setup with an initial password they need to login in 'x' days.  This is different than forcing a user to change their password every 'y' days.  Audit/Security wants to make sure new users make the initial login to validate they "got" the initial password.

- Notification of Password Change: This is being required by many systems as an insurance that the "real" owner is notified of a password change in case their account get hacked.

Can IBM please remove the second class status of Internet Password Security (as compared to Notes Client Password Security) and make the Password Security Policy Enforcement more encompassing to include all the items above and consider any items not included above and are in the Policy Settings document to see if they can be included (technically)?

Note:  Other users should add their needs for Internet Password Security as comments to this Post.  I will incorporate them into the main post.

  • Guest
  • Sep 24 2018
  • Assessment
  • Attach files
  • Guest commented
    9 Sep, 2020 10:22am

    I would like to suggest that the internet password security also includes setting minimum password length, enforcing Upper and Lower case, enforcing Special Characters, enforcing Numbers in the password.

    Also if possible can multi factor authentication be developed at the same time (I have been advised by support that this has also been requested as a development enhancement).

  • Guest commented
    4 Sep, 2020 12:25am

    The same options that are available for the Notes password need to be available for the Internet password, considering that there are web browser only clients.

  • Guest commented
    19 Feb, 2019 03:57am

    Customer requested an additional feature:

    If the user enters a password that is not meeting the complexity requirements, it will be showing the preset complexity (requirements for password to be accepted), the same when changing password expired on Notes Client


  • Guest commented
    22 Jan, 2019 08:46am

    As long as passwords are used, all of the above makes sense.

    But to be honest, I would prefer to get rid of passwords completely, and switch to token-based authentication.

  • Guest commented
    2 Oct, 2018 04:20pm

    Not sure if you're also interested in user self-service password reset capabilities?