ESS/MSS ID and Password

Sort:
You are not authorized to post a reply.
Author
Messages
Steve Datish
New Member
Posts: 5
New Member

    We are in the process of rolling out ESS to 4,000+ users on LSF9 and are trying to limit the maintenance on ESS passwords.  I have a few questions:

    1. What logic do you use to assign the initial ESS password (ex. birth year+last 4 of SSN)?
    2. Do you allow ESS users to change their password?
    3. Do you force users to change their password after initial log on?
    4. Do Lawson users have two separate ID's, one for ESS/MSS and a separate ID if they are a Lawson application user?

    Thanks

    jeremy.zerr
    Advanced Member
    Posts: 23
    Advanced Member
      We are on 8.0.3, so we don't have the ability to force users to change the password after they log on, but that is one thing we are looking forward to getting LSF9 set up for.

      The initial password we use includes the last 5 of the SSN, only because it seems like the last 4 of the SSN can float out there if people leave paystubs or anything around, so we just added an extra character.

      We do allow people to change their password.  We feel that is the only secure thing to do.  Think of this situation.  2 employees are married.  The wife helps her husband with benefits enrollment, and of course knows the birth year and SSN.  Then, they get divorced.  If you don't allow password changes, both ex-spouses have full access to each others ESS to cause a bunch of havoc.  That example made it obvious to me why allowing password changes is necessary.

      We do have everyone with a separate user id for ESS/MSS and for the application.  You need to allow the separation because a regular application user should not get any special treatment when acting like a regular employee.  Its just more fair that way.  And you don't want a bunch of exceptions to maintain.

      One thing we also added into 8.0.3 (don't know if it is already in 9), but we only allow a few incorrect password attempts before the system will prevent any more attempts.  This is to avoid password brute force automated attacks.

      Jeremy Zerr
      http://www.zerrtech.com
      You are not authorized to post a reply.