Dear HarmonySite administrator,
Some new options available in the HarmonySite software that should help with your website security.
None of these is enabled by default. Each one needs to be manually enabled - either by you or by us.
1. Logging of logins and logouts
It is now possible for the system to record/log every login and logout event in the website, including successful logins, failed logins (wrong password, etc), hackers attempting to log in with random usernames and passwords, and session-timeout logouts (see below).
If you would like this option enabled in your HarmonySite, do the following...
- Log into the Admin Dashboard with Webmaster access
- On the "Members" line, in the right-hand column, click the link called "Login/Logout Events"
- In the box called "Create Table", click the "Create" button
That's it - login events are now being recorded.
Return to this same page any time you want to view the login/logout events. You can click on the event name in the list to view all details of the event.
Note that the list of events can be imported to a CSV file for analysis.
Also, the login/logout history of any one member can be viewed by visiting their profile page, then clicking the "Website Logins" tab on that page. You'll see a new section on that tab called "Activity History".
Note that SOME browsers (notably Google Chrome) can be configured to not ever start a new browser "session" when returning to a website, even if the browser has been closed or the computer shut down since the last visit to the website. This means that if you're using such a browser, you may remain logged into your HarmonySite for days/weeks/months, and never see a "Login automatically success" event in your history. In other words, for members using these browsers, it's not possible to keep a full record of every time they visit your HarmonySite.
2. The system can force a logout after a certain period of inactivity
This is only recommended if you feel you want the highest possible level of security for your HarmonySite...
This option is designed to automatically log members out of the website if they have not done anything for a while (e.g. 30 minutes). This includes leaving a HarmonySite page open but doing nothing on it. If they system detects no mouse movement or keystrokes, it will automatically log the member out, presenting them with a link to log in again and return to the page they were on. Ditto if their browser keeps them logged even when the browser is closed (as mentioned above): When they reopen their browser after some time has passed (an hour or a week), the system will log them out as the first thing it does.
If you want this option enabled, then please let us know - configuring it is something that only we can do. You will need to tell us what period of inactivity should trigger a logout. A period of about 30 minutes may be suitable.
Note that enabling this option is bound to annoy your members, but will mean that nefarious persons can't simply walk up to an unattended computer (where the last member didn't manually log out), reopen your HarmonySite and continue as if they were the actual member.
3. The system can force a password change after a certain number of days
We all know that it's important to regularly change your passwords. Well, now your HarmonySite can force this practise. After a certain number of days since the last password change (this period is specified by you), the system will not let the logged-in member do anything on the site until they have changed their password.
If you would like this option enabled on your HarmonySite, please let us know. Be sure to tell us how many days should elapse before a password-change is required. 60 days may be suitable.
4. When a member changes their password, the new password can't be the same as their existing password
This option is now always on.
Only the most recent password is checked - previous passwords before that CAN be reused.
In harmony,
Mark Virtue
HarmonySite
Australia
+61 2 8005 4277 (Australian number)
In North America, call: 1-415-651-7009 (San Francisco number)
Skype name: mvirtue
