cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Email Security Policy - Force email password changes

MikeDVB shared this idea 8 years ago
Open Discussion

cPanel has the option to force a change of cPanel/WHM passwords on a periodic basis, but there is no implementation currently for email.


I would like the option to force email passwords similar to how it's implemented for cPanel/WHM. I do understand that the biggest issue with this is that many don't use webmail and would need to somehow be notified in their mail client.


I have a couple of ideas:

1. Have the system send them an email at the address letting them know that their password will be expiring soon, and that they need to log into webmail or their cPanel and create a new one. The downside to this is that it could be interpreted as phishing or completely ignored.

2. When the password change needs to happen, sending a verbose error to the mail client. I.e. when they try to check or send mail - the mail server sends an error message to the client letting them know their password is expired and needs to be updated. It may want to include 'Please contact support if you need assistance.


As far as 1. - assuming they check their mail periodically it would work if people didn't think it was spam/junk/phishing.


As far as 2. - This would rely upon the mail client displaying the error to the user - I'm not sure how consistent mail clients are at doing this.


Admittedly I don't write MTAs, POP3 or IMAP daemons, or mail clients - so 2. may not even be an option, or it could possibly be a combination of 1 and 2.


Perhaps others will have more ideas.

Best Answer
photo

Just wanted to give you guys a quick update. It's on our backlog to take care of this, but we haven't assigned it to a version yet. As soon as we do I'll be back to let you know!

Comments (16)

photo
2

Would like the option to force email password updates for individual accounts. When we have spam issues with an account, changing the password, and then forcing them to change it on the next login would keep people from using the same password that was already compromised.

photo
1

I share the same concerns...

this feature needs to be looked into.

photo
3

I agree 100% this feature is a much much needed one.


I am having serious issues with my customer's emails being hacked.


We have forced a password change for everyone to make them at least 80/100 strong, but if they were forced to change it periodically it would be ideal.


Please cPanel, we need much better control. Password hacking is on the increase, please help us to offer an image of our hosting services as trustworthy, reliable and security-conscious.

photo
1

Please review this and get it in the queue!

photo
1

this would be a huge mistake. forcing regular password resets makes passwords harder and harder to remember. they must be written down somewhere.. and become vulnerable to theft. users should be left to change their passwords as and when, and IF they THEMSELVES choose. it should not be forced upon them by a gung ho systems developer

photo
1

adrian close wrote:

this would be a huge mistake. forcing regular password resets makes passwords harder and harder to remember. they must be written down somewhere.. and become vulnerable to theft. users should be left to change their passwords as and when, and IF they THEMSELVES choose. it should not be forced upon them by a gung ho systems developer
You wouldn't be saying that if your users' passwords kept getting compromised. This can be an option that is enabled as needed. No one is saying it should be implemented by default.

photo
1

max_payne wrote:

You wouldn't be saying that if your users' passwords kept getting compromised. This can be an option that is enabled as needed. No one is saying it should be implemented by default.
Totally mx_payne. I'm creating emails for people who receive their pay stubs via email at a separate, non-cPanel system. We're migrating. And I would either need to ask for their passwords and correlate the password with the email as I create emails or create unique emails and notify them of the new email password in advance of the switch. WAY SMARTER would be to have the ability to force a password change upon login. That way, I can generate the same password for everyone, email everyone and say - asap, login and set a secure password.

photo
1

I do agree. I am having the SPAM problems this past two days and it'aint funny.

Force Password Change is the way to go!

regards.

photo
1

As a support person, this is a needed feature - too many suspensions due to people using crappy passwords and not being forced to use secure and frequently changed email passwords. This isn't about email customer convenience, it's about preserving the integrity of email servers, IP's and minimizing spamming.

photo
1

Hi all! I just brought this request to the attention of the Product Owner who handled all of the changes to the User Manager in v54 and v56 (which you can read a bit about here: https://blog.cpanel.com/password-reset-v56/ ). He's going to talk to his team and see if we can get this added to the roadmap or backlog.

photo
1

I think we would use this feature only when we communicate a new password to a user, to ensure that they have to change their password, as anyone should when it has been sent by e-mail

photo
1

How is it that after 3 years, this is still not implemented? This is a critical issue and must be implemented.


I realize that cPanel team is busy and all, but come on guys. From a security standpoint, not having this is just bad.

Forcing the account owner to change a password does nothing if they can't also be forced to change their email passwords, whih are likely just as bad!

photo
1

Just wanted to give you guys a quick update. It's on our backlog to take care of this, but we haven't assigned it to a version yet. As soon as we do I'll be back to let you know!

photo
3

When setting a new password, please do not allow any previous passwords to be used.

photo
1

This idea is a good one and I like it. An email security policy should be necessary. There shouldn't be any distraction as we are using effective email marketing for e-commerce etc.

photo
2

Just wondered if ths feature was still being considered?

Leave a Comment
 
Attach a file