Apart from the certificate change and some coding improvements that are not visible to end users, here is a list of visible changes that will make any potential abuse next to impossible:
• The system now requires all users to use strong passwords
• The system now requires users to enter the existing password in order to change it to a new one
• After 10 unsuccessful login attempts, the system will now block the user for 30 minutes
When creating a password for an account in our employee schedule maker, a user is now required to enter at least 6 characters, including at least one upper-case letter, at least one number and at least one symbol (e.g. %$@!). With such an improved password policy, hacking of accounts is no longer possible.
Entering the existing password when changing it to a new one
This improvement aims to prevent any kind of abuse by employees or administrators working from corporate offices. How easy would it be for a coworker to walk up to a colleague's workstation and change that colleague's password while they are not looking, just as a prank? Now, that is impossible. When changing the account password, the system requires each user to enter the existing password before the new one is set.
Brute force hacking prevention
In order to prevent so-called “brute force” login attempts, where a dictionary script tries to guess a user's password over and over until it succeeds, our engineering and development teams implemented a limit on the number of unsuccessful login attempts. After 10 or more unsuccessful attempts to log in to an account, the system automatically blocks any further attempts on it for a period of 30 minutes.
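The three controls described above (the 6-character/upper-case/number/symbol policy, the current-password check on change, and the 10-attempt, 30-minute block) combined in one small model. This is an added illustration written for this post, not the schedule maker's own code; the PBKDF2 hashing, the `Account` class and all method names are assumptions.

```python
import hashlib, hmac, os, string
from datetime import datetime, timedelta

# Policy values as stated in the announcement.
MIN_LENGTH = 6
MAX_FAILED_ATTEMPTS = 10
LOCKOUT = timedelta(minutes=30)

def password_meets_policy(pw: str) -> bool:
    """At least 6 characters, one upper-case letter, one digit and one symbol."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def hash_password(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for whatever hashing the product uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.salt = os.urandom(16)
        self.hash = hash_password(password, self.salt)
        self.failures = 0          # consecutive failed logins
        self.blocked_until = None  # datetime when the block expires, or None

    def _check(self, pw: str) -> bool:
        return hmac.compare_digest(self.hash, hash_password(pw, self.salt))

    def login(self, pw: str, now: datetime) -> bool:
        """Reject everything while blocked; block after 10 consecutive failures."""
        if self.blocked_until is not None and now < self.blocked_until:
            return False
        if self._check(pw):
            self.failures, self.blocked_until = 0, None
            return True
        self.failures += 1
        if self.failures >= MAX_FAILED_ATTEMPTS:
            self.blocked_until = now + LOCKOUT
            self.failures = 0
        return False

    def change_password(self, current: str, new: str) -> bool:
        """Needs the existing password and a policy-compliant new one."""
        if not self._check(current) or not password_meets_policy(new):
            return False
        self.salt = os.urandom(16)
        self.hash = hash_password(new, self.salt)
        return True
```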