The Data Agency
Lancaster, OH, USA | (740) 654-5809
sales@n-focus.com

Platform Change Announcement

Updates to the Listcounts Password Policy and Password Recovery Process

TO: All Listcounts Users
FROM: Information Technology Support
NFocus Consulting, Inc 
support@n-focus.com 

Effective Date: August 14, 2020 

Summary

Beginning August 14, 2020, the password policy and password recovery process in Listcounts will change to adhere to modern secure password practices. Previously, users could recover their passwords within the system, which returned the user's current password to them. Going forward, a user will instead be able to request a self-service password reset that allows the user to choose a new password for the Listcounts system. The user's identity will be verified via a time-limited reset token e-mailed to the address on the user's account. Recovery of existing passwords and manual setting of passwords by administrators will no longer be possible.

Additionally, all users are encouraged to change their passwords on the Listcounts system before August 28, 2020. After that date, any users who have not changed their passwords between August 14 and August 28 will be required to change their Listcounts password before being admitted to the system. In the future, the system will require a password change every 365 days.

New passwords must meet complexity requirements: they must be at least 8 characters long, contain characters from 3 of the 4 character categories (upper case, lower case, numbers, and special characters), and must not match any of the previous 10 passwords used on the system.

Additional Information 

During an annual review of the Listcounts platform, it was determined that the platform no longer met password security best practices. Updates have been made to address these shortcomings, including hardening of the user password storage system and restructuring of the password reset mechanism. The following information describes the new workflows for users and administrators.

User-initiated reset: Pre-logon 

At the user logon screen, the previous "recover password" link has been changed to "reset password." A user who chooses to reset their password on the Listcounts system will be prompted for the e-mail address associated with their user account. Entering the e-mail address, solving the CAPTCHA, and clicking the submit button will initiate the password reset process if the e-mail address is correct. The system will send an e-mail message containing a one-time-use token, valid for 24 hours, which the user provides on the password reset page to identify themselves to the system. A link in the reset message provides one-click access to the reset page.

On the password reset page, the user provides a new password to the system. If the password meets the criteria noted above, the system will inform the user that their password has been successfully changed and return the user to the login page. The user may then log in with their new password to access the Listcounts system.

A confirmation message will be sent to the user to notify them of the password change on their account. 

User-initiated reset: Post-logon 

If the user is already logged into the Listcounts system, the user may reset their password from their account screen. In this case the user is taken to the password reset screen, where they must enter their current password and their desired new password. If the new password meets the password requirements, the password is changed and takes effect immediately.

Password resets performed after logon do not generate a reset token or a reset e-mail. Upon successful update of the user’s password, a confirmation message will be sent to the user to notify them of the password change on their account. 

Admin-initiated reset 

Administrators may initiate a password reset on a user account through the administrative interface. On a user's account page, the password field has been replaced with a button to initiate a password reset. If clicked, the system will generate a one-time token, valid for 24 hours, which will be sent to the e-mail address associated with the user's account. The user must then complete the password reset process as described above. Administrators no longer have the ability to directly set a user's password.

User account lockout 

If a user's password is older than 365 days, or an administrator has manually expired the user's password, the user will be notified at login that their password is expired and must be changed. The user will not be admitted to the Listcounts system until their password has been successfully reset.

Abandoned Reset Tokens 

If a user initiates a reset and does not successfully reset their password, the password in place at the time of the reset request remains in effect and the user account remains active (the user may log in). The system does not change a user's login status at the time a reset is requested.

If a reset request is made and is not acted upon within 24 hours, the reset token will expire, and a new reset request must be initiated to successfully reset the user’s password. 

Reset tokens are one-time use, linked to the user account requesting the reset, and expire immediately upon redemption.  

If a user or an administrator makes an additional reset request while a reset token is active for the user, the active token is immediately invalidated and replaced with a new token good for 24 hours.
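A working model of the token lifecycle described in this section and the complexity and history rules stated under Summary, added here as an illustration; it is not Listcounts code. The account, e-mail address, clock value (the policy effective date) and the choice of scrypt for password storage are assumptions.

```python
import hashlib, hmac, os, re, secrets
from datetime import datetime, timedelta
TOKEN_TTL = timedelta(hours=24)                 # reset tokens are good for 24 hours
MIN_LENGTH, REQUIRED_CATEGORIES, HISTORY_DEPTH = 8, 3, 10
EFFECTIVE = datetime(2020, 8, 14)               # policy effective date, used as the demo clock (assumption)

def meets_complexity(pw):
    """At least 8 characters and 3 of the 4 character categories."""
    if len(pw) < MIN_LENGTH:
        return False
    categories = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(c, pw)) for c in categories) >= REQUIRED_CATEGORIES

def _hash_password(pw, salt=None):
    """Salted scrypt digest (assumed KDF): the plaintext is never stored, so it can never be 'recovered'."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)

class Account:
    def __init__(self, email):
        self.email = email
        self.history = []   # (salt, digest) of the current and up to 10 previous passwords, newest first
        self.reset = None   # (token_digest, expires_at) of the single active reset token, if any

    def set_password(self, pw):
        reused = any(hmac.compare_digest(_hash_password(pw, s)[1], d) for s, d in self.history)
        if not meets_complexity(pw) or reused:
            return False
        self.history.insert(0, _hash_password(pw))
        del self.history[HISTORY_DEPTH + 1:]    # keep the current password plus 10 previous
        return True

    def request_reset(self, now):
        """Issue a fresh token; any token still active is superseded, not added to."""
        token = secrets.token_urlsafe(32)
        self.reset = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        return token    # e-mailed to self.email; only its digest stays server-side

    def redeem_reset(self, token, new_pw, now):
        """One-time redemption: bound to this account, rejected after 24 hours or on reuse."""
        if self.reset is None or now >= self.reset[1]:
            self.reset = None   # absent or expired: a new request is required
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), self.reset[0]):
            return False
        if not self.set_password(new_pw):
            return False        # assumption: a rejected password leaves the token usable for a retry
        self.reset = None       # expires immediately upon redemption
        return True
```

An abandoned request leaves the account's current password and login status untouched, since nothing is written until a token is redeemed with an acceptable password.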
