user password policy suggestion

  • user password policy suggestion

    Hi support,

    To enhance security, below are the user password policy suggestions:
    1. Reset the password every x days (e.g. 90)
    2. Password history requirements


  • #2
    Password policies should be determined by a system administrator and NOT by the developers.

    What would be good policy for one installation would be unnecessary and annoying for the users of another.

    If the development team wants to entertain this suggestion, I would highly recommend that it be implemented with metadata options to allow administrators to set their own policies.


    • #3
      Hi telecastg,

      We are in healthcare, so imagine the confidential data.
      If I tell a user "you must change your password every 90 days", the user will kill me.

      Enable 2FA, and "Only one auth token per user" (in the EspoCRM settings).

      The request is not bad, but how will the "user" accept it?

      Best Regards


      • telecastg
        telecastg commented
        Hi item,
        Modern secure applications like bank portals in the US use 2FA, as you suggest, which is a lot more secure than passwords that end up being random strings written on a piece of paper, as pointed out by DashingUno.

    • #4
      I agree with item: a mandatory password change policy leads to users forgetting their own passwords because they change them so often, so they usually resort to writing them down somewhere, like on a piece of paper stuck to their monitor. Which is a giant security vulnerability in my opinion.
      So 2FA and limited auth tokens would probably be your best bet.


      • #5
        I hate websites that force me to do this.

        But for certain businesses it is a necessary function. Not mine, though.

        Good luck with the suggestions, but you may need to write more to convince Yuri (the developer).


        • DashingUno
          DashingUno commented
          As an extra security measure you can also take a few different approaches on the server side; we currently use both:

          1) Gate your entire CRM behind .htaccess. You can even reuse the same password for all users, so before you can log in to the CRM you still need to pass .htaccess authorization.

          Yes it's janky, yes it's old, but it's a sure deterrent for those who are just snooping around your domain.

          2) Make it a pseudo-intranet. Gate it behind a VPN (Tailscale, ZeroTier, anything like that; even OpenVPN will do). Remember that you don't have to force users to route all of their web traffic through your VPN; you can limit it to one website or IP.
          You can even make it public, with .htaccess "Deny All"/Allow VPN internal IP, and DNS rewrites on the server side, so it serves the user the local IP of Espo under your public domain name; that way you still retain your SSL certs.

        • item
          item commented

          I do this too:

          nginx: How To Block Visitors By Country With The GeoIP Module (Debian/Ubuntu) - This tutorial explains how to use the GeoIP module with nginx to b...

          So, only Belgian IPs can connect. Is it 100% secure? No, but it exists and is implemented.
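The three server-side gates discussed in this thread (DashingUno's shared-secret Basic auth and "Deny All / Allow VPN IP" rule, and item's GeoIP country filter) can be stacked in a single nginx server block. The configuration below is an added example written for this page, not from the thread or from EspoCRM; it translates DashingUno's Apache .htaccess approach into nginx directives. The hostname, certificate and document-root paths, PHP-FPM socket, VPN subnets (100.64.0.0/10 is the CGNAT range Tailscale uses; 10.8.0.0/24 is a typical OpenVPN default) and the country code BE are assumptions to be replaced for your deployment. It requires nginx built with ngx_http_geoip_module and a legacy GeoIP country database.

```nginx
# Added example, not from the thread or EspoCRM. Drop this inside the http {} context.

# Country filter (item's approach). The database path is an assumption.
geoip_country /usr/share/GeoIP/GeoIP.dat;

# Map the two-letter country code to yes/no; only the assumed country BE passes.
map $geoip_country_code $allowed_country {
    default no;
    BE      yes;
}

server {
    listen 443 ssl;
    server_name crm.example.com;                      # assumed hostname
    ssl_certificate     /etc/ssl/certs/crm.pem;       # assumed certificate paths
    ssl_certificate_key /etc/ssl/private/crm.key;

    # 1) Reject any client whose source IP does not geolocate to the allowed country.
    if ($allowed_country = no) {
        return 403;
    }

    # 2) Network gate (DashingUno's "Deny All / Allow VPN internal IP"):
    #    only addresses inside the VPN ranges may reach the application at all.
    allow 100.64.0.0/10;                              # assumed Tailscale CGNAT range
    allow 10.8.0.0/24;                                # assumed OpenVPN subnet
    deny  all;

    # 3) Shared-secret gate in front of the CRM login, the nginx equivalent of
    #    DashingUno's .htaccess Basic auth. Create the file once with:
    #    htpasswd -cB /etc/nginx/crm.htpasswd crmgate
    #    With the default "satisfy all", both the IP allowlist and the password must pass.
    auth_basic           "CRM gate";
    auth_basic_user_file /etc/nginx/crm.htpasswd;

    root  /var/www/espocrm;                           # assumed document root
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;      # assumed PHP-FPM socket
    }
}
```

Two caveats a practitioner should check before relying on this. First, both the GeoIP lookup and the allow/deny rules key on `$remote_addr`; if nginx sits behind a load balancer or CDN, that address is the proxy's, so the real-IP module (`set_real_ip_from` plus `real_ip_header`) must be configured for the trusted proxy or every visitor will be judged by the proxy's location. Second, as item notes, country filtering is not 100% secure: a VPN exit node or a compromised host in the allowed country passes it, which is why the VPN allowlist and the password gate sit behind it rather than replacing 2FA in EspoCRM itself.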