Security update: more information

Thank you to all of you who have taken the time to provide feedback on recent events. In line with that feedback, we have made a number of changes to increase the security of our systems. The major change is in how customers and partners log in and change credentials.

Going forward, to change a passphrase and password you will need to go to login.gradwell.com (you can no longer change passphrases or passwords through the Gradwell Control Panel). We have made this change to provide a central place for handling login information, and the process forces a password change the first time you log in using this method. This process is called Single Sign On (SSO).

If you have not set up a passphrase, the SSO system will force you to set one at the same time as you change your password. If you have a passphrase, you will need to use three characters from the phrase to validate a password change.

Once you have set up a passphrase, you will need to use three passphrase characters to validate each login you make (unless you tick "remember me", which will be valid for 30 days on that device).

As a temporary measure, we have removed the functionality to change your password and passphrase from the portal; this means that the portal cannot be used as a workaround.

When changes are made to account details, the IP ACL or call barring rules in the VoIP CP, an email notification is sent to the master user account.

We have received a lot of comments, most of which have been negative about the requirement to reset credentials every 3 months; we have now removed this requirement.

The portal will use SSO as its login system. When setting a passphrase, we will offer a drop-down of three suggested hints and an option for one of your own. This should help make passphrase answers a bit more standardised.

We also plan to use SSO for our partners.

The previous process for password reminders included contacting Gradwell in order to reset passwords; this will no longer be possible. Instead, after clicking the Reset button within the Control Panel, the customer will receive an email in order to reset passwords.

You’ve been asking us for passwords with special characters for some time and we are working to that end. We anticipate that passwords with special characters will be usable within the next few days.

2012-09-11T11:43:26+00:00

One Comment

  1. Anonymous 11th September 2012 at 4:08 pm

    I really don’t like the way I have to allow anonymous inbound SIP in Asterisk in order to use Gradwell’s outbound SIP trunks. I see so many spam attacks and floods because of that single option, e.g.: 30 telephones all constantly ringing until an admin blocks the IP and 100+ empty voicemail messages in mailboxes. You should at least provide information as to which IP range we need to allow anonymous inbound SIP from.

    I’m always concerned by systems that DON’T let you use special characters or those that have a maximum permissible password length. That instantly signals to me that passwords aren’t being hashed early enough in the sign-in procedure, or aren’t being hashed at all. If a password is being hashed correctly, it shouldn’t matter what data someone enters as their password.

    Password reset immediately screams someone’s been able to dump a password table from your systems and passwords weren’t hashed or were hashed with an old/superseded algorithm. And you almost certainly weren’t salting/peppering the passwords.
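
The comment's point that a hashed password can contain any characters at any length, shown as an added example; it is not part of the original post or the comment, and it is not Gradwell's code. The function names, the scrypt cost parameters and the pepper value are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Constructed pepper for the demo (assumption). A real pepper is kept outside
# the credential database, e.g. in a secrets manager, never beside the hashes.
PEPPER = b"constructed-demo-pepper-not-a-real-secret"

# scrypt cost parameters (assumed demo values, roughly 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def _prehash(password: str) -> bytes:
    """UTF-8 encode, then HMAC with the pepper: any input becomes 32 bytes."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def _derive(password: str, salt: bytes) -> bytes:
    """Run the peppered pre-hash through scrypt with the per-account salt."""
    return hashlib.scrypt(_prehash(password), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the password itself is never stored."""
    salt = os.urandom(16)  # fresh random salt for every account
    return salt, _derive(password, salt)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(_derive(password, salt), digest)


def stored_lengths(passwords: list[str]) -> set[int]:
    """Digest sizes that would be stored for the given passwords."""
    return {len(hash_password(p)[1]) for p in passwords}


# Constructed sample passwords: short, special characters, non-ASCII, very long.
SAMPLES = ["abc", "p@ss'; DROP--\"<>&", "pässwörd-密码", "x" * 5000]

if __name__ == "__main__":
    for pw in SAMPLES:
        salt, digest = hash_password(pw)
        print(len(pw), len(digest), verify_password(pw, salt, digest))
```

Every sample yields a 32-byte digest, so the storage layer never sees the raw characters or the original length.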
