Hardening Security Suggestions

  • vebs
    Junior Member
    • Aug 2016
    • 5

    Hardening Security Suggestions

    I love the CRM. I admire the effort and commitment put into building the CRM. A few ideas I have for hardening the security of this amazing CRM:
    1. Brute Force Protection:
      1. Ban Specific account Login for X mins after X failed attempts.
      2. CAPTCHA during login.
    2. Prevent Multiple Device Logins. If a user tries to, it will ask them to log out of the previous device first or wait for the session to time out.
    3. Password Expiration: Passwords will expire in X days. Users will be required to create a new one (different from the last password).
    4. Password Strength: Set Password Strength of X Characters. Checkbox for Forcing special characters.
    5. Whitelist IPs: Enter whitelisted IPs
    6. Blacklisted IPs: Enter Blacklisted IPs.
    7. 2 Factor Authentication using Google Authenticator or OTP.
    I know these are too many suggestions. But I hope they can be thought of for your long-term roadmap. Thanking you once again for the amazing work done.
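As an added illustration of suggestion 1.1 (lock an account for X minutes after X failed attempts), here is a per-account login throttle in Python. It is not code from the CRM discussed in this thread; the user store, the salt and the sample password are constructed for the demo, and the clock is injectable so the lockout window can be exercised without waiting.

```python
"""Per-account lockout: after MAX_FAILURES consecutive failed logins the
account is locked for LOCKOUT_SECONDS (suggestion 1.1 in the post above).

This is an added illustration, not code from the CRM discussed in the
thread. The user store below is constructed for the demo; a real deployment
keeps the counters in the database so they survive restarts and are shared
across web workers."""
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # the "X failed attempts"
LOCKOUT_SECONDS = 15 * 60   # the "X mins"
PBKDF2_ROUNDS = 20_000      # kept low for the demo; production uses far more

# Constructed sample user: (salt, PBKDF2-SHA256 hash of "correct horse").
_SALT = b"constructed-demo-salt"
_USERS = {
    "alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, PBKDF2_ROUNDS)),
}


def verify_password(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users still pay the hashing cost so
    response timing does not reveal which usernames exist."""
    salt, expected = _USERS.get(username, (_SALT, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return username in _USERS and hmac.compare_digest(candidate, expected)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success/lockout
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginThrottle:
    def __init__(self, verify, clock=time.time):
        self._verify = verify
        self._clock = clock              # injectable so the lockout can be tested
        self._state: dict[str, AccountState] = {}

    def attempt(self, username: str, password: str) -> str:
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            # While locked the password is never evaluated, so further
            # guesses yield nothing, even if one of them is correct.
            return "locked"
        if self._verify(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            return "locked"
        return "bad_credentials"

    def seconds_until_unlock(self, username: str) -> float:
        st = self._state.get(username)
        return max(0.0, st.locked_until - self._clock()) if st else 0.0


class FakeClock:
    """Manually advanced clock so the demo does not have to sleep 15 minutes."""
    def __init__(self, start: float = 1_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list[str]:
    clock = FakeClock()
    throttle = LoginThrottle(verify_password, clock)
    results = [throttle.attempt("alice", "wrong") for _ in range(MAX_FAILURES)]
    # The correct password is refused while the lockout is active...
    results.append(throttle.attempt("alice", "correct horse"))
    clock.advance(LOCKOUT_SECONDS + 1)
    # ...and accepted once it has expired.
    results.append(throttle.attempt("alice", "correct horse"))
    return results


if __name__ == "__main__":
    print(demo())
```

Two points worth noting for anyone implementing this: unknown usernames are throttled exactly like real ones, so the lockout response cannot be used to enumerate accounts; and a per-account lockout on its own lets anyone who knows a username keep that user locked out, so it should be combined with a per-source rate limit or the CAPTCHA from suggestion 1.2, and every lockout should be logged so that a burst of them is visible to whoever monitors the system.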
  • wtconseil
    Active Community Member
    • Apr 2015
    • 335

    #2
    +1 !!!!

    • Clintre
      Junior Member
      • Sep 2016
      • 29

      #3
      Good points and I agree. A CRM like this can hold a whole lot of mission critical and competitive information. There should be options and capabilities to lock it down. Right now it is fairly basic.

      • skylabz0rz
        Member
        • Nov 2016
        • 34

        #4
        I also agree with this. Using two-factor authentication with Google would be a major bonus, along with other features of course.

        • donavynelliott
          Junior Member
          • Dec 2016
          • 9

          #5
          +1

          I also want to vouch for a stronger password generator.

          • rinorway
            Senior Member
            • Feb 2016
            • 179

            #6
            About 2FA:

            With native U2F support in Chrome, incorporating U2F 2FA might be an option to consider. (Salesforce, Google, etc. support U2F.)
            U2F keys are cheap (7 USD) and all over the place, and PHP libraries are available.
            You can also take the API route, but you will need a standalone auth server: https://developers.yubico.com/U2F/Standalone_servers/

            • rubensolvang
              Junior Member
              • Mar 2016
              • 11

              #7
              I welcome the idea of hardening the security, but take issue with suggestions 3 and 4, as both are discouraged according to the latest NIST recommendations:

              Originally posted by NIST
              No more expiration without reason. This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily. The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.
              And:

              No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.”
              For more information, check out these two articles.
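To make the contrast with suggestion 4 concrete, here is an added Python example (not from the thread or the CRM) of a password acceptance check in the spirit of NIST SP 800-63B section 5.1.1.2: a length minimum, a generous maximum, no composition rules, and a blocklist of known-weak and context-specific values. The BLOCKLIST is a tiny constructed stand-in for a breached-password corpus and SERVICE_NAME is an assumed deployment value; the composition-rule function is included only so the two policies can be compared on the same input.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B (section
5.1.1.2): a length minimum, a generous maximum, no composition rules, and a
blocklist of known-weak or context-specific values, set next to the
composition rule that suggestion 4 above would impose.

Added example, not code from the thread or the CRM. BLOCKLIST is a tiny
constructed stand-in for a breached-password corpus, and SERVICE_NAME is an
assumed value for the deployment."""
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 64               # the guideline asks verifiers to allow at least 64
SERVICE_NAME = "examplecrm"   # assumed; context-specific words are rejected

# Constructed stand-in for a breached/common-password blocklist.
BLOCKLIST = {"password", "password1!", "123456", "qwerty", "letmein", "welcome1"}


def _normalize(pw: str) -> str:
    # NFKC so that differently encoded but identical-looking inputs match.
    return unicodedata.normalize("NFKC", pw)


def _is_repetitive_or_sequential(pw: str) -> bool:
    lowered = pw.lower()
    if len(set(lowered)) == 1:                 # "aaaaaaaa"
        return True
    steps = {ord(b) - ord(a) for a, b in zip(lowered, lowered[1:])}
    return steps in ({1}, {-1})                # "abcdefgh", "87654321"


def check_password(pw: str, username: str) -> tuple[bool, str]:
    """Return (accepted, reason). Length and blocklist decide; character
    classes are deliberately not inspected, and spaces/Unicode are allowed."""
    pw = _normalize(pw)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return False, "commonly used or breached"
    if (username and username.lower() in lowered) or SERVICE_NAME in lowered:
        return False, "contains username or service name"
    if _is_repetitive_or_sequential(pw):
        return False, "repetitive or sequential"
    return True, "ok"


def composition_rule_check(pw: str) -> bool:
    """The discouraged approach from suggestion 4: require upper, lower,
    digit and symbol, regardless of length or guessability."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def compare(pw: str, username: str = "alice") -> dict:
    """Side-by-side verdict of both policies for one candidate password."""
    accepted, reason = check_password(pw, username)
    return {"nist_style": accepted, "reason": reason,
            "composition_rule": composition_rule_check(pw)}


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple", "alice-rocks-2016"):
        print(candidate, compare(candidate))
```

Run it and the two policies disagree in both directions: "Password1!" satisfies every composition rule yet is rejected here because it is on the blocklist, while "correct horse battery staple" fails the composition rule and is accepted here on length alone. In a real deployment the blocklist lookup would be against a large breached-credential corpus (by hash, not plaintext), which is what gives this approach its strength.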

              • mzingy
                Junior Member
                • Sep 2021
                • 11

                #8
                +111111

                • rabii
                  Hi, do you know that all the points mentioned above are already implemented in the CRM now? You can check out all these features on the admin side.

                • mzingy
                  3, 5, 6?