user password policy suggestion


  • item
    commented on 's reply
    Hi,

    I do this too:

    nginx: How To Block Visitors By Country With The GeoIP Module (Debian/Ubuntu) This tutorial explains how to use the GeoIP module with nginx to b...


    So, only Belgian IPs can connect. Is it 100% secure? No, but it exists and is implemented.

  • DashingUno
    commented on 's reply
    As an extra security measure you can also take a few different approaches on the server side; we currently use both:

    1) Gate your entire CRM under .htaccess. You can even reuse the same password for all users, so before you can log in to the CRM you still need to pass .htaccess authorization.

    Yes, it's janky, yes, it's old, but it's a sure deterrent for those who are just snooping around your domain.

    2) Make it a pseudo-intranet. Gate it behind a VPN (Tailscale, ZeroTier, anything like that; even OpenVPN will do). Remember that you don't have to force users to route all of their web traffic through your VPN connection; you can limit it to one website or IP.
    You can even make it public, with .htaccess "Deny All"/Allow VPN internal IP and DNS rewrites on the server side, so it serves the user the local IP of Espo under your public domain name; that way you still retain your SSL certs.

  • telecastg
    commented on 's reply
    Hi item,
    Modern secure applications like bank portals in the US use 2FA, as you suggest, which is a lot more secure than passwords, which end up being random strings written on a piece of paper, as pointed out by DashingUno.

  • esforim
    replied
    I hate websites that force me to do this.

    But for certain businesses it is a necessary function. Not mine, though.

    But good luck with the suggestions. You may need to write more to convince Yuri (the developer).


  • DashingUno
    replied
    I agree with item: a mandatory password-change policy leads to users forgetting their own passwords because they change them so often, so usually they resort to writing them down somewhere, like on a piece of paper stuck to their monitor. Which is a giant security vulnerability in my opinion.
    So 2FA and limited auth tokens would probably be your best bet.


  • item
    replied
    Hi telecastg,

    We are in healthcare, so imagine the confidential data.
    If I say to users "you must change your password every 90 days", the users will kill me.

    2FA is enabled, and "Only one auth token per user" (in the settings in EspoCRM).

    The request is not bad, but how will the users accept it?

    Best Regards


  • telecastg
    replied
    Password policies should be determined by a system administrator and NOT by the developers.

    What for one installation would be good policy, for others would be unnecessary and annoying for its users.

    If the development team wants to entertain this suggestion, I would highly recommend that it is implemented with metadata options to allow the administrator to set their own policies.


  • Vincent
    started a topic user password policy suggestion
    Hi support,

    To enhance security, below are the user password policy suggestions:
    1. Reset the password every x days (e.g. 90)
    2. Password history requirements

    Vincent
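The two rules requested here (maximum password age and a password history) are shown below as an added, stand-alone example in Python; it is not EspoCRM code and does not use EspoCRM's real settings. The policy object is built from an administrator-supplied settings dictionary (the keys `passwordMaxAgeDays`, `passwordHistorySize` and `passwordMinLength` are assumed names), and every rule can be switched off, which is the configurability telecastg asks for. Previous passwords are kept only as salted PBKDF2 digests, so the history check never needs plaintext; the scenario data at the bottom is constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: tune to the server's CPU budget


@dataclass
class PasswordPolicy:
    """Administrator-settable rules; each rule can be disabled."""
    max_age_days: Optional[int] = 90  # None: passwords never expire
    history_size: int = 5             # passwords remembered, counting the current one; 0: no history check
    min_length: int = 12

    @classmethod
    def from_settings(cls, settings: dict) -> "PasswordPolicy":
        # Hypothetical settings keys; EspoCRM's real config keys are not shown on the page.
        return cls(
            max_age_days=settings.get("passwordMaxAgeDays", 90),
            history_size=settings.get("passwordHistorySize", 5),
            min_length=settings.get("passwordMinLength", 12),
        )


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class UserCredentials:
    current: PasswordRecord
    history: list = field(default_factory=list)  # previous records, newest first


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str, now: datetime) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt=salt, digest=_digest(password, salt), set_at=now)


def is_expired(policy: PasswordPolicy, creds: UserCredentials, now: datetime) -> bool:
    """Rule 1: the current password is older than max_age_days."""
    if policy.max_age_days is None:
        return False
    return now - creds.current.set_at > timedelta(days=policy.max_age_days)


def was_used_recently(policy: PasswordPolicy, creds: UserCredentials, candidate: str) -> bool:
    """Rule 2: the candidate matches one of the last history_size passwords."""
    if policy.history_size <= 0:
        return False
    remembered = [creds.current] + creds.history[: policy.history_size - 1]
    # Re-derive with each record's own salt; constant-time compare per record.
    return any(
        hmac.compare_digest(_digest(candidate, rec.salt), rec.digest)
        for rec in remembered
    )


def change_password(policy: PasswordPolicy, creds: UserCredentials, new_password: str, now: datetime) -> str:
    """Apply the policy; return "" on success or the reason for rejection."""
    if len(new_password) < policy.min_length:
        return "password too short"
    if was_used_recently(policy, creds, new_password):
        return "password was used recently"
    creds.history.insert(0, creds.current)
    del creds.history[max(policy.history_size - 1, 0):]  # keep only what the policy remembers
    creds.current = make_record(new_password, now)
    return ""


def run_scenario() -> dict:
    """Walk one user through the policy with constructed data; returns what was observed."""
    policy = PasswordPolicy.from_settings({"passwordMaxAgeDays": 90, "passwordHistorySize": 5})
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    creds = UserCredentials(current=make_record("correct horse battery", t0))
    out = {
        "expired_at_89_days": is_expired(policy, creds, t0 + timedelta(days=89)),
        "expired_at_91_days": is_expired(policy, creds, t0 + timedelta(days=91)),
        "reuse_current": change_password(policy, creds, "correct horse battery", t0),
        "too_short": change_password(policy, creds, "short", t0),
    }
    for i in range(1, 5):  # four rotations: the original is still inside the 5-deep window
        change_password(policy, creds, f"rotation password {i}", t0)
    out["reuse_inside_history"] = change_password(policy, creds, "correct horse battery", t0)
    change_password(policy, creds, "rotation password 5", t0)  # pushes the original out
    out["reuse_after_history"] = change_password(policy, creds, "correct horse battery", t0)
    out["history_length"] = len(creds.history)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

The history window counts the current password, so `passwordHistorySize: 5` forbids the five most recent values and an administrator who sets it to `0` (or `passwordMaxAgeDays: null`) turns the rule off entirely rather than getting a developer-chosen default.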