More control over password requirements and longer/complex passwords allowed
We are having HUGE issues with the 90 day password change requirement AND the short 16 characters allowed.
TheNational Institute of Standards and Technology (NIST) changed their guidelines in 2017 to say that more frequent password changes do not help, but longer passwords do. LastPass, Dashlane, etc. all state the same.
RedTail has some of our clients most private information, but the restriction of 90 days and 16 characters is ridiculous. Change it to 40 characters and 180 or 365 days.
This situation will only get worse - not better - as we move forward and simply staying at the status quo is not beneficial.
The suggestion may be planned, but there is no timeline on this feature being added. This suggestion is remaining open and can continue to gather votes and comments!
How is this still not done? This should be extremely easy implementation, and would make our databases more secure.
Nikki Wetzel commented
The current "industry standards" that you claim to have for password security are outdated. In your policy the Microsoft password requirements are even more robust than the options that you give users for client data in the CRM. This MUST be updated in order to keep the integrity of our client's information safe. Being a leader in this industry means staying on top of keeping clients information safe. This is a HUGE issue and needs to be resolved more timely than "may be planned".
Adding to this - the NIST guidelines specifically discourage periodic password rotations entirely, advising that forced password resets should only be performed when there is evidence of an account compromise.
From section 22.214.171.124 of NIST 800-63b:
"Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
At least allow up to opt out of periodic password rotations. As others, including NIST, have said, it just makes passwords weaker.
Carl Goodin commented
Microsoft has determined that requiring passwords to expire is a waste of time. See below. Please allow users to choose password expiration periods from 90 days to never.
Since the CRM has quite literally become the "hub" of all client information, you would think that you need it to become more and more secure. The Redtail limit of 16 characters is somewhat "short" to say the least. I would suggest a maximum of at least 24 characters if not 40 characters with all various letters, numbers, and symbols allowed.
With the use of password managers growing, using longer passwords that are randomly generated will be good for all involved.
Agreed. There should at least be an administrative function that allows the administrator to set the number of days between new passwords. Including turning off the function altogether.
The more frequently we must change passwords, the weaker the passwords must become. Our firm has a password policy that gives us very strong passwords on a certain interval - but never this frequently.
Additionally, for having such a strict policy of changing passwords, it is fairly restrictive what we can do. Why no passwords over 16 characters if we are going to change them every 90 days? It is almost as if RedTail WANTS its customers to have weak security!
As financial advisors, we already have a plethora of usernames and passwords that we have to remember for our daily work. For our staff and advisors to have to update and remember their new password every 90 days is quite frustrating, especially in something that we use daily. I understand it is for "security reasons," but I've not encountered or heard of another CRM that requires you to update your password every 90 days, there are other ways of providing security and it would be great if this was an optional feature that we could disable.