Hardening Security Suggestions

  • Hardening Security Suggestions

    I love the CRM. I admire the effort and commitment put into building the CRM. A few ideas I have for hardening the security of this amazing CRM:
    1. Brute Force Protection:
      1. Ban a specific account's login for X minutes after X failed attempts.
      2. CAPTCHA during login.
    2. Prevent Multiple Device Logins. If a user tries to, it will ask them to log out of the previous device first or wait for the session to time out.
    3. Password Expiration: Passwords will expire in X days. Users will be required to create a new one (different from the last password).
    4. Password Strength: Set a password strength of X characters. Checkbox for forcing special characters.
    5. Whitelist IPs: Enter whitelisted IPs.
    6. Blacklisted IPs: Enter blacklisted IPs.
    7. 2 Factor Authentication using Google Authenticator or OTP.
    I know these are too many suggestions, but I hope they can be thought of for your long-term roadmap. Thanking you once again for the amazing work done.

  • #2
    +1 !!!!

  • #3
    Good points and I agree. A CRM like this can hold a whole lot of mission-critical and competitive information. There should be options and capabilities to lock it down. Right now it is fairly basic.

  • #4
    I also agree with this. Using two-factor authentication with Google would be a major bonus, along with other features of course.

  • #5
    +1

    I also want to vouch for a stronger password generator.

  • #6
    About 2FA:

    With native U2F support in Chrome, incorporating U2F 2FA might be an option to consider. (Salesforce, Google etc. support U2F.)
    U2F keys are cheap (7 USD) and all over the place, and PHP libraries are available.
    You can also take the API route, but you will need a standalone auth server: https://developers.yubico.com/U2F/Standalone_servers/

  • #7
    I welcome the idea of hardening the security, but take issue with suggestions number 3 and 4, as both are discouraged according to the latest NIST recommendations:

    Originally posted by NIST:
    No more expiration without reason. This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn't make them change those passwords unnecessarily. The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.
    And:

    No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, "Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut."
    For more information, check out these two articles.

  • #8
    +111111

  • rabii commented:
    Hi, do you know that all the points mentioned above are already implemented in the CRM now? You can check out all these features on the admin side.

  • mzingy commented:
    3, 5, 6?
