Password policy in Kerio Connect
Article Number: 1440 | Last Updated: Mon, Jan 4, 2016 12:55 PM
About password policy
To secure users and their passwords in Kerio Connect:
Creating strong user passwords
Strong user passwords should be long and complex. The following guidelines may help you in advising your users:
Passwords should be at least 8 characters long.
Passwords should contain all of the following:
Users should change their password often.
You can also read this Wikipedia article for more information.
Generating strong passwords
Kerio Connect can generate strong passwords for your users:
Requiring complex passwords (for local users)
In Kerio Connect, you can force local users to create strong and complex passwords.
To configure complex passwords for individual domains:
From now on, each time local users change their password in Kerio Connect Client, they must create a password that complies with Kerio Connect's complexity requirements.
Remember to enable users to change their passwords in Kerio Connect Client.
This also applies when administrators change passwords via the administration interface.
Enabling password expiry (for local users)
To secure local user passwords, you can enable password expiration.
Any change to these settings (checking/unchecking the option) resets the counter for password expiry.
Notifying about the expiration
Kerio Connect sends notifications to users before their password expires. Kerio Connect sends the notifications 21, 14 and 7 days before expiration, and then every day until the password expires.
Users must change their password in Kerio Connect Client.
If users fail to change their password, they cannot log in to their account and must contact their administrator (who changes the password for them in their user settings).
If an administrator password expires, the administrator can log in to the administration interface to change their password.
Protecting against password guessing attacks
Kerio Connect can block IP addresses suspected of password guessing attacks (ten unsuccessful attempts in one minute).
When an account is blocked, the user cannot log in. Kerio Connect unlocks the blocked accounts after 5 minutes. For immediate unlocking (throughout all the domains), click Unlock All Accounts Now.
This action is not the same as temporarily disabling user accounts.
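The thresholds described above (ten unsuccessful attempts in one minute, unlock after 5 minutes) can be modelled as a sliding-window counter, which is useful for checking how a given login pattern would be treated. The following Python example is added here for illustration and is not Kerio Connect code; the class and function names, the choice to key the counter by source IP, and the event tuples are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

MAX_FAILURES = 10     # article: ten unsuccessful attempts
WINDOW_SECONDS = 60   # article: in one minute
BLOCK_SECONDS = 300   # article: unlocked after 5 minutes

class GuessingGuard:
    """Sliding-window failure counter keyed by source IP (assumed key)."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time at which the block lifts

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now >= until:
            del self.blocked_until[ip]      # block has expired
            return False
        return until is not None

    def record(self, ip, now, success):
        """Process one login attempt; return 'ok', 'failed' or 'blocked'."""
        if self.is_blocked(ip, now):
            return "blocked"                # rejected before credentials matter
        if success:
            return "ok"
        window = self.failures[ip]
        window.append(now)
        # Forget failures that have aged out of the one-minute window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            window.clear()
            return "blocked"
        return "failed"

    def unlock_all(self):
        # Models an immediate unlock of everything that is currently blocked.
        self.blocked_until.clear()
        self.failures.clear()

def replay(events):
    """Run (seconds, ip, success) events in time order and return each verdict."""
    guard = GuessingGuard()
    return [guard.record(ip, ts, ok) for ts, ip, ok in sorted(events)]

# Constructed sample: 203.0.113.7 fails every 5 s, then logs in after the block lifts.
SAMPLE = [(t * 5, "203.0.113.7", False) for t in range(12)]
SAMPLE += [(30, "198.51.100.4", False), (400, "203.0.113.7", True)]
```

Note that a source failing once every 7 seconds never has ten failures inside any one-minute window, so rate-based blocking like this complements, rather than replaces, the complexity and expiry settings above.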