Platform Change Announcement

Updates to the Listcounts Password Policy and Password Recovery Process

TO: All Listcounts Users
FROM: Information Technology Support
NFocus Consulting, Inc 
support@n-focus.com 

Effective Date: August 14, 2020 

Summary

Beginning August 14, 2020, the password policy and password recovery process in Listcounts will change to adhere with modern secure password practices. Users could previously recover their passwords within the system which provided the user’s current password back to them. Going forward a user will now be able to request a self-service password reset which will allow the user to choose a new password for the Listcounts system. Verification of the user will be accomplished via a time-limited reset token e-mailed to the address on the user’s account. Recovery of existing passwords or manual manipulation of passwords by administrators will no longer be possible. 

Additionally, all users are encouraged to change their passwords on the ListCounts system before August 28, 2020. At that time, any users which have not changed their passwords between Aug 14 and Aug 28 will be required to change their Listcounts password prior to admittance into the system. In the future, the system will require a password change every 365 days. 

New passwords must meet complexity requirements. They must be 8 characters minimum, contain 3 of the 4 character categories (upper case, lower case, numbers, and special characters), and they cannot match any of the previous 10 passwords used on the system. 

Additional Information 

During an annual review of the Listcounts platform it was determined that it no longer met password security best practices. Updates to the platform have been made to address these shortcomings including hardening of the user password storage system and restructuring of the password reset mechanism. The following information describes the new workflows for users and administrators. 

User-initiated reset: Pre-logon 

At the user logon screen, the previous link to “recover password” has been changed to “reset password.” If a user chooses to reset their password on the Listcounts system, they will be prompted for the e-mail address associated with their user account. Entering the e-mail address, solving the CAPTCHA, and clicking the submit button will initiate the password reset process if the e-mail address is correct. The system will send an e-mail message with a one-time use token good for 24 hours which the user may provide on the password reset page to identify themselves to the system. A link in the reset message will provide one-click access to the reset page. 

On the password reset the page, the user will provide a new password to the system. If the password meets the criteria as previously noted, the system will inform the user their password has been successfully changed and the user will be returned to the login page. The user may provide their login information including their new password to access the Listcounts system. 

A confirmation message will be sent to the user to notify them of the password change on their account. 

User-initiated reset: Post-logon 

If the user is already logged into the Listcounts system, the user may reset their password from their account screen. In this case the user will be navigated to the password reset screen where they must enter their current password and their desired password. If the new password meets the password requirements, the password is changed and immediately takes effect.  

Password resets performed after logon do not generate a reset token or a reset e-mail. Upon successful update of the user’s password, a confirmation message will be sent to the user to notify them of the password change on their account. 

Admin-initiated reset 

Administrators may initiate a password reset on a user account through the administrative interface. On a user’s account page, the password field has been replaced with a button to initiate a password reset. If clicked, the system will generate a one-time token good for 24 hours which will be sent to the e-mail address associated with the user’s account. The user must then complete the password reset process as noted above. Administrators no longer have the ability to directly set a user’s password. 

User account lockout 

If a user’s password is older than 365 days or an administrator has manually expired the user’s password, the user will be notified at login that their password is expired and must be changed. The user will not be admitted to the Listcounts system until such time as their password has been successfully reset. 

Abandoned Reset Tokens 

If a user initiates a reset and does not successfully reset their password, the existing password at the time of the reset remains in place and the user account remains active (the user may login). The system does not change a user’s login status at the time a reset is requested. 

If a reset request is made and is not acted upon within 24 hours, the reset token will expire, and a new reset request must be initiated to successfully reset the user’s password. 

Reset tokens are one-time use, linked to the user account requesting the reset, and expire immediately upon redemption.  

If a user or an administrator makes an additional reset request while a reset token is active for the user, the active token is immediately invalidated and replaced with a new token good for 24 hours.


Download as Microsoft Word document: Platform-Change-Announcement-NFocus.docx

Internet Maintenance Outage, October 9

Overnight maintenance activity at an upstream Internet provider has been scheduled for 12:00am EDT on Tuesday, October 9.

NFocus has been alerted that a loss of Internet service should be anticipated during a window of approximately 3 hours after maintenance begins.

NFocus has peering agreements with multiple high-speed providers to ensure fail-over redundancy in the event of such outages. However, there remains a possibility for service interruptions to occur with ResQue® and Listcounts® during this maintenance window.

Please contact your account manager or our support team if you have any questions.

Mapping Services Scheduled System Maintenance

On Saturday, April 29, 2017, mapping services may experience interruptions from 8 am to noon EDT. This is a scheduled outage to allow for hardware updates at our data center to increase performance of mapping services.

We apologize for any inconvenience and will have mapping services available as soon as possible.

Join NFocus at the National Postal Forum in Baltimore

The NFocus team is excited to be attending the upcoming National Postal Forum in Baltimore May 22nd – 24th and we want you to join us!

NFocus has Free One-Day Exhibit Hall Passes (a $50 value) available for the event at the Baltimore Convention Center.  These passes are available for our clients and partners.  Contact your NFocus representative or email sales@n-focus.com to reserve your free pass.

About the forum: the NPF was formed in 1968 in a partnership with the USPS to serve as a central meeting point for the mailing industry.  It is considered the premier mailing industry conference.

Stop by booth #521 to meet the NFocus team and discuss how your business can Grow With Data.  We look forward to seeing you there!