When creating new Users in Inteliguide, please avoid defining a password and then sending it over email to the new User. Due to newly discovered security vulnerabilities in the protocols used to transfer email, if the email in question is not encrypted, yet contains plain text credentials and instructions on how to access Inteliguide… it is vulnerable to being read by anyone with the tools and will to do so. This presents a security vulnerability for any system, so we built in ways around forcing Admins into engaging in insecure User Account & Password creation practices.
Recommended: Create New Users Without Passwords
The Password and Password Confirmation fields on the User Add/Edit form is now no longer required. There are two ways in which a User can be created. With or without a password defined. That will determine the content of the Welcome Email sent out to their login email.
- For a User created with a password: A Welcome email will be sent out suggesting the User either contact Management for their password or use the reset feature located off the Inteliguide Login Page
- For a User created without a password: A Welcome email will be sent out with a tokenized (for security) link to a form from which the new User can define their own password.
The second of the two options is the preferable one, is our recommended course of action, and is what we consider to be best practices.
Do NOT Use 'newaccount1'
It was customary in Legacy Inteliguide to create new Users with a flagged password ('newaccount1' by default, but that was a franchise specific setting) that forced a password reset on first login. We highly discourage this practice as there is no similar mechanism in Inteliguide V2 to force a password reset based on an existing password. That means that if this practice carries over from Legacy to V2, there will be multiple users with the same insecure password.
Note: Since password and Account security are so dependent upon reliable email transmission, please have Users add 'inteliguide.net' and 'no-reply@inteliguide.net' to their safe "not spam" list for their respective login email accounts (user@gmail.com, for example)
0 Comments