About password policy
To secure users and their passwords in Kerio Connect:
- require complex passwords (for local users)
- enable password expiry (for local users)
Creating strong user passwords
Strong user passwords should be long and complex. The following guidelines may help you in advising your users:
Passwords should be at least 8 characters long.
Passwords should contain all of the following:
- lowercase letters
- uppercase letters
- numbers
- special characters
Users should change their password often.
You can also read this Wikipedia article for more information.
Generating strong passwords
Kerio Connect can generate strong passwords for your users:
- Go to section Users and double-click a user.
- On tab General, click the Generate button.
- Copy the generated password and give it to the user.
- Save the settings.
Requiring complex passwords (for local users)
In Kerio Connect, you can force local users to create strong and complex passwords.
A complex password:
- must be at least 8 characters long,
- must include at least 3 types of characters (lowercase, uppercase, numbers, symbols),
- cannot include the user's domain or username, or any part of the user's full name longer than 2 characters.
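The three rules above as a checker you can run against candidate passwords before handing them out. This is an added example, not Kerio Connect's own implementation; it assumes matching is case-insensitive, that "special characters" means ASCII punctuation, and that a "part" of the full name is a whitespace-separated component.

```python
import string

def complexity_violations(password, username, domain, full_name):
    """Return the list of complexity rules the password breaks (empty = acceptable).

    Rules follow the page: length >= 8, at least 3 of 4 character classes,
    and no occurrence of the username, the domain, or any full-name part
    longer than 2 characters. Case-insensitive matching is an assumption.
    """
    violations = []
    if len(password) < 8:
        violations.append("shorter than 8 characters")

    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),  # assumed symbol set
    ]
    if sum(classes) < 3:
        violations.append("fewer than 3 character types")

    lowered = password.lower()
    # Forbidden substrings: username, domain, and full-name parts > 2 chars.
    forbidden = {username.lower(): "username", domain.lower(): "domain"}
    for part in full_name.split():
        if len(part) > 2:  # two-letter parts such as "Al" are not checked
            forbidden[part.lower()] = "part of full name"
    for token, label in forbidden.items():
        if token and token in lowered:
            violations.append(f"contains {label} '{token}'")
    return violations

def is_complex(password, username, domain, full_name):
    """True when the password satisfies every rule."""
    return not complexity_violations(password, username, domain, full_name)

if __name__ == "__main__":
    # Constructed sample account, not real data.
    for pw in ["Tr0ub4dor&3", "password", "Smith2024!", "Ab1!"]:
        print(pw, complexity_violations(pw, "jsmith", "example.com", "John Smith"))
```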
The settings are configured per domain.
- In the administration interface, go to section Configuration → Domains.
- Double-click a domain and go to tab Security.
- Enable option User passwords must meet complexity requirements.
- Confirm.
From now on, whenever a local user changes their password in Kerio Connect Client, they will have to create a new password that complies with Kerio Connect's complexity requirements.
Remember to enable users to change their passwords in Kerio Connect Client.
Enabling password expiry (for local users)
To secure local user passwords, you can enable password expiration.
- In the administration interface, go to section Configuration → Domains.
- Double-click a domain and go to tab Security.
- Enable option Enforce user password expiration after.
- Set the number of days after which users will have to change their password.
- Confirm.
Any change to these settings (checking/unchecking the option) will reset the counter for password expiry.
Notifying about expiration
Kerio Connect sends notifications to users before their password expires. The notifications are sent 21, 14 and 7 days before expiration, and then every day until the password expires.
Users have to change their password in Kerio Connect Client.
If the user fails to change their password, they will not be able to log in to their account and will have to contact their administrator (who changes the password for them in their user settings).
If an administrator password expires, the administrator will still be able to log in to the administration interface to change their password.
Protecting against password guessing attacks
Kerio Connect can block IP addresses suspicious of password guessing attacks (ten unsuccessful attempts in one minute).
- Go to section Configuration → Security → tab Security Policy (Configuration → Advanced Options → tab Security Policy for Kerio Connect 8.1 and older).
- Check option Block IP addresses suspicious of password guessing attacks.
An IP address is blocked per service: if POP3 is blocked, the attacker can still attempt to log in via IMAP.
- You can select a group of trustworthy IP addresses.
- To block all services, check option Block user accounts probably targeted by password guessing to lock the affected accounts.
- Save the settings.
When an account is blocked, the user cannot log in. Kerio Connect unlocks blocked accounts after 5 minutes. For immediate unlocking (across all domains), click Unlock All Accounts Now.
This action is not the same as temporarily disabling user accounts.