Phone Lines icon GFI Support

Articles in this section

See more

Password Policy in Kerio Connect

Author: Vladyslav Velychko Updated

Overview

Kerio Connect Administrators can implement a strong complex password requirement, enable password expiration limit, and protect users against password guessing attacks.

Users may not be able to login to their accounts it the weak (easy) password was chosen. That's why it's recommended to follow best practices for securing Kerio Connect user passwords.

 

Prerequisites

Access to Kerio Connect Administration

Solution

Creating Strong User Passwords

Strong user passwords should be long and complex. The following guidelines may help you in advising your users:

  • Passwords should be at least 8 characters long.
  • Passwords should contain all of the following:
    • Lowercase letters
    • Uppercase letters
    • Numbers
    • Special characters
  • Users should change their passwords often.

 

Generating Strong Passwords

Kerio Connect can generate strong passwords for your users:

  1. Go to the Users section.
  2. Select a user and click Edit.
  3. On the General tab, click Generate.

    mceclip1.png
     
  4. Copy the generated password and give it to the user.
  5. Click OK.
    Note: the password change or reset is done without any confirmation message or email.

 

Back to top

 

Requiring Complex Passwords

In Kerio Connect, you can force local users to create strong and complex passwords. Follow the steps in this article on Requesting Complex Passwords for Local Users in Kerio Connect

  

Back to top

 

Enabling Password Expiry

To secure local user passwords, you can enable password expiration. Once this is set, the users are prompted to reset their password at the end of each interval that you defined. See this article on Enabling Password Expiry for Local Users to get more information on the process.

User password changes can be tracked using the manual process described in Monitor Password changes.

 

Back to top

  

Protecting Against Password Guessing Attacks

Kerio Connect can block IP addresses attempts that are suspicious of password guessing attacks. Three unsuccessful attempts in one minute are taken as suspicious. The timeout resets after 5 minutes. Refer to this article on Login Guessing Protection for more information on how to make the necessary settings. 

 

Back to top