Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.
For more information and upcoming events around #dominoforever, please visit our Destination Domino Page
Internet Password Security Parity with Notes Password Security Policy
Many Domino applications are now presented to the user through the browser. Many directories are strictly "Internet Users". IBM needs to invest in improving Internet Password Policy Features such that they are at least as good as Notes Password Policy Features. Administrators must be bale to show that Internet Users are not second class citizens in the Domino world.
The current posts I could find are:
- Add Password Management capabilities (Expiration) for iNotes/internet users who do not utilize notes clients. - Password Security / Policy for Internet MUST track history for specified reuse - Custom Internet Password Policy Enforcement - Check last 3 password during iNotes/Webmail password change or reset
-Need to customise the password expiration messaging
- List of Internet Users that are being expired.
Suggestions within this post:
- Notification Password will Expire in 'x' Days: This specific post was to be intended to address the fact that an Internet Only user cannot get a notification that their password is going to expire. They ONLY get the Change Password Screen when their password has expired. It seems odd that Domino can recognize an expired password once it has expired but cannot notify a browser user that it will expire in 'x' days. This limitation has been confirmed by IBM Domino Support.
- Minimum Password Age: Many secure systems do not let the user change the password multiple times a day. This is seen as a security risk or an automated attack.
- Initial Setup Expiration: When a new user is setup with an initial password they need to login in 'x' days. This is different than forcing a user to change their password every 'y' days. Audit/Security wants to make sure new users make the initial login to validate they "got" the initial password.
- Notification of Password Change: This is being required by many systems as an insurance that the "real" owner is notified of a password change in case their account get hacked.
Can IBM please remove the second class status of Internet Password Security (as compared to Notes Client Password Security) and make the Password Security Policy Enforcement more encompassing to include all the items above and consider any items not included above and are in the Policy Settings document to see if they can be included (technically)?
Note: Other users should add their needs for Internet Password Security as comments to this Post. I will incorporate them into the main post.