To secure users and their passwords in Kerio Connect:
- Advise users to create strong passwords
- Require complex passwords (for local users)
- Enable password expiry (for local users)
- Protect against login guessing
Creating strong user passwords
Strong user passwords should be long and complex. The following guidelines may help you in advising your users:
- Long
- Passwords should be at least 8 characters long.
- Complex
- Passwords should contain all of the following:
- Lowercase letters
- Uppercase letters
- Numbers
- Special characters
Users should change their password often.
Generating strong passwords
Kerio Connect can generate strong passwords for your users:
- Go to the Users section.
- Select a user and click Edit.
- On the General tab, click Generate.
- Copy the generated password and give it to user.
- Click OK.
Requiring complex passwords (for local users)
In Kerio Connect, you can force local users to create strong and complex passwords.
Complex password:
- Must be at least 8 characters long,
- Must include at least 3 types of characters (lowercase, uppercase, numbers, symbols),
- Cannot include user's domain and username, and any part of user's fullname (longer than 2 characters).
To configure complex passwords for individual domains:
- In the administration interface, go to the Configuration > Domains section.
- Select a domain and click Edit.
- On the Security tab, enable the User passwords must meet complexity requirements option.
- Click OK.
From now on, each time local users changes their password in Kerio Connect Client, they must create a password which complies with the Kerio Connect's complexity requirements.
NOTE
Remember to enable users to change their passwords in Kerio Connect Client.
This also applies when administrators change passwords via the administration interface.
Enabling password expiry (for local users)
To secure local user passwords, you can enable password expiration.
- In the administration interface, go to the Configuration > Domains section.
- Select a domain and click Edit.
- On the Security tab, enable the User must change password every option.
- Set the number of days after which users must change their password.
- Click OK.
NOTE
Any change to these settings (checking/unchecking the option) resets the counter for password expiry.
Notifying about the expiration
Kerio Connect sends notifications to users before their password expires. Kerio Connect sends the notifications 21, 14 and 7 days before expiration, and then every day until the password expires.
Users must change their password in Kerio Connect Client.
If users fail to change their password, they cannot login to their account and must contact their administrator (who changes the password for them in their user settings).
If an administrator password expires, the administrator can login to the administration interface to change their password.
Protecting against password guessing attacks
Kerio Connect can block IP addresses suspicious of password guessing attacks (ten unsuccessful attempts in one minute).
- Go to section Configuration > Security > the Security Policy tab.
- Select the Block IP addresses suspicious of password guessing attacks option.
NOTE
IP address is blocked for individual services. If POP3 is blocked, attacker can attempt logging via IMAP.
- You can select a group of trustworthy IP addresses.
- To block all services, check option Block user accounts probably targeted by password guessing to lock the affected accounts.
- Click OK.
When an account is blocked, user cannot log in. Kerio Connect unlocks the blocked accounts after 5 minutes. For immediate unlocking (throughout all the domains), click Unlock All Accounts Now.
This action is not identical with temporary disabling user accounts.