Secure Passwords

Your passwords should be unique and memorable. If you do not read any more of this article, just remember to make your passwords from three random words.

Passwords should be…

  • long – at least 10 characters
  • unique – do not use the same password for more than one purpose
  • memorable – if possible, so you do not have it on a yellow sticky!
  • complex – add some numbers, upper and lower case characters and some non-alphanumerics such as $, -, !, @ (special characters)
  • regularly changed
  • securely stored, if stored at all – possibly an encrypted file or a specialist, recognised password vault
  • changed occasionally (changing it too often can create its own security weaknesses). It is accepted that a more complex, long password changed less frequently (say annually) is better than a simpler, shorter password changed frequently (e.g. every quarter).

Some of the above may conflict. The better (long, uncrackable, frequently changed, etc.) your password is, the more difficult it is to recall. Therefore, you need to record it and, unless this is done securely, that in itself becomes a security weakness. The familiar yellow sticky on the screen is dangerous, and writing them all down on a piece of paper is asking for trouble.

Only secure systems should be trusted with your personal information:

  • encrypted password storage, so that not even the programmer of the system can read it
  • SSL encrypted browser-to-server communications (the padlock and HTTPS:// in the URL), so that traffic is not compromised between your PC and the server
  • a ban on further password attempts after a small number of tries – five to ten attempts maximum
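
The attempt limit above (and the "Too many false login attempts" case in the login tips later on this page) can be shown in a few lines of code. This is an added example, not AXLR8 code: it disables an account after a fixed number of consecutive wrong passwords (five is assumed here, the lower end of the range given above) and needs an administrator to re-enable it. The user names and passwords in it are made up.

```python
"""Added example, not AXLR8 code: a minimal login limiter that disables an
account after a fixed number of consecutive wrong passwords (the post says
five to ten; five is assumed here) and needs an administrator to re-enable
it. Passwords are stored salted and hashed rather than in the clear."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5          # assumption: lower end of the 5-10 range in the post
PBKDF2_ROUNDS = 100_000   # slow hash so a stolen user table is hard to crack


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0       # consecutive failed attempts since the last success
    disabled: bool = False


class LoginService:
    def __init__(self):
        self.accounts = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'failed' or 'disabled'. Unknown users get the same
        answer (and the same hashing cost) as a wrong password, so the
        response does not reveal which user names exist."""
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, bytes(16))
            return "failed"
        if acct.disabled:
            return "disabled"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.disabled = True
            return "disabled"
        return "failed"

    def reactivate(self, username: str) -> None:
        """The Super User action: move the account from 'disabled' back to 'active'."""
        acct = self.accounts[username]
        acct.failures = 0
        acct.disabled = False


if __name__ == "__main__":
    svc = LoginService()
    svc.register("johnsmith", "apple1812-$hipSocks")   # constructed sample user
    for attempt in ["wrong"] * 5 + ["apple1812-$hipSocks"]:
        print(attempt, "->", svc.login("johnsmith", attempt))
    svc.reactivate("johnsmith")
    print("after reactivation ->", svc.login("johnsmith", "apple1812-$hipSocks"))
```

Two design points worth noting: the counter only resets on a successful login, so slow guessing spread over days still trips it; and because anyone who knows a user name can deliberately lock that user out, the re-enable step is a manual administrator check rather than an automatic timer, which is exactly why the login tips below say to confirm the user is still legitimate before reactivating.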

Your information is probably already compromised

You must assume your password has already been found out and is available to many hackers. How? Check this site to see where your details have been leaked.

https://haveIbeenpwned.com

Put your email address into the box and see the results: how many sites (and which ones) where you used that address have been breached, and what personal information has already been stolen and has been on sale for many months or years. Everyone should know this, but we reckon nineteen out of twenty AXLR8 clients we show this to are completely unaware of how exposed they are.

Brute Force Dictionary Attack

Someone can easily guess my password?

There are hacking tools that attempt thousands of username and password combinations. Many of our internet-facing servers see 45,000 such attempts per day, all of which are blocked.

Password guessing works by using information already available to the hacker’s computer. Your name is an example, so do not use your name with “123” after it. Further, your first and last name, school and many more pieces of personal information must be assumed to be known by hackers. If your password contains a word of the kind people typically use, such as a pet name, animal, flower or place, a “dictionary” attack will probably find it by using a list of common words and configurations of those words. Dictionary attacks are really good at words and phrases. They also try adding your date of birth and other information they have derived or purchased. Thus, if your password is made from the word Banana and your date of birth (in this example 10th November), you might make a password like “B4n4n4-1011”. On the face of it, this is more than 8 characters and obeys many of the accepted rules from a few years ago.

Good dictionary attacks already have your date of birth, first pet’s name, primary school name, and many other answers to the “hint” and “ID check” questions you might have entered on other sites, as mentioned above. Most know dates of birth and names of children, which are very common ingredients for passwords. All know the common passwords like “Secur1ty”, “pass1234”, “Password!” and “letmein”, and combinations of them. Similarly, although it is not the subject of this article, please do not keep your default firewall or Bluetooth PIN as “1234” or “0000”. Also, obviously, do not make it the same as your bank PIN!

Yikes! What shall we do then?

Password reset

You should change your password now.

Dictionary attacks are very, very good at finding a word-or-phrase-plus-number combination. However, they cannot begin to guess something you passed on the way to work, a randomly selected object in your house and a film you like, or three things you saw on holiday or in a film plus your favourite actor.

Just choose three random words to make a memorable password and chuck in some numbers and non-alphanumeric characters.

e.g. apple sock ship might end up apple1812-$hipSocks.
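
To make the difference between “B4n4n4-1011” and “apple1812-$hipSocks” concrete, here is an added example (not AXLR8 code): a small checker for the weak “dictionary word + leetspeak + digits” pattern described above, plus a rough comparison of how many candidates an attacker must try for that pattern versus three random words. WORDLIST is a constructed stand-in for an attacker’s real dictionary, and the dictionary and variant sizes passed to the estimate functions are assumptions.

```python
"""Added example, not AXLR8 code: detect the 'word + leet + digits' password
pattern and compare its guessing space with three random words."""
import math
import re

# Constructed mini-dictionary; real attacker lists run to hundreds of thousands of entries
WORDLIST = {"banana", "apple", "sock", "ship", "password", "security", "letmein", "pass"}

# Undo the common letter-for-symbol substitutions a dictionary attack also tries
UNLEET = str.maketrans("4@3!10$5", "aaeiioss")

# One token of letters/leet symbols, an optional separator, optional digits, trailing punctuation
WEAK_PATTERN = re.compile(r"^([A-Za-z@$!0-9]+?)[-_.!@#$ ]?(\d{2,8})?[-_.!@#$]*$")


def normalise(token: str) -> str:
    """Map 'B4n4n4' -> 'banana' so it can be looked up in the dictionary."""
    return token.translate(UNLEET).lower()


def looks_like_word_plus_number(password: str) -> bool:
    """True if the password is one dictionary word (with case/leet tweaks) plus optional digits."""
    m = WEAK_PATTERN.match(password)
    return bool(m) and normalise(m.group(1)) in WORDLIST


def guesses_word_plus_number(dictionary_size=100_000, leet_and_case_variants=64,
                             number_suffixes=10_000) -> int:
    """Candidates for 'word + digits': every word, in every spelling variant,
    with every four-digit suffix (dates such as 1011 fit well within that).
    All three sizes are assumptions for illustration."""
    return dictionary_size * leet_and_case_variants * number_suffixes


def guesses_three_words(dictionary_size=100_000) -> int:
    """Candidates for three words picked independently at random from the same dictionary."""
    return dictionary_size ** 3


def bits(candidates: int) -> float:
    """Guessing effort expressed as bits (log2 of the candidate count)."""
    return math.log2(candidates)


if __name__ == "__main__":
    for pw in ["B4n4n4-1011", "Secur1ty", "Password!", "apple1812-$hipSocks"]:
        print(f"{pw:25s} weak pattern: {looks_like_word_plus_number(pw)}")
    print(f"word+number: {bits(guesses_word_plus_number()):.1f} bits")
    print(f"three words: {bits(guesses_three_words()):.1f} bits")
```

With the assumed sizes the word-plus-digits pattern is roughly 36 bits of work and three random words roughly 50 bits, and the gap grows with every extra word; the checker is the kind of rule a registration form can apply at the point where a user is choosing a password.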

A maximum number of password attempts is a good way to protect against such attacks.

In conclusion make sure your passwords obey the rules at the top of this page and, if you do nothing else, use three random words that only you would recall because only you saw a jaguar, a robin and a bike tyre puncture on your way to the shop this morning.

Repercussions

If it is your personal password for, say, a private bank, game or subscription, you may lose money or pride. Worse is possible if someone steals your identity and commits criminal offences in your name. It is not enough to know you are not guilty. There are several cases where an innocent victim of such ID theft has been attacked by another victim of the crime. Lastly, if you are at work and responsible for other people’s data on a system and neglect your duty to create a secure password and keep it secret, you could damage many other people. This could happen if you are working on any accounts, CRM, HR or many other systems.

Also, if you are an AXLR8 client running a business you have built up for years, you will need to make sure that you and your staff abide by these simple rules in a complex world.

If this raises any queries, please call AXLR8 support on 01344 776500 and we can help your Super Users with your system security and staff security training.

AXLR8 Public Sector Code Library

For around five years we have asked government clients to share their code and some notes and tips every time they use AXLR8 APIs. There was a slow start but people are quite enthusiastic now.

AXLR8 are collating code samples so that public sector organisations do not have to reinvent the wheel every time a new organisation writes an interface to (e.g.) the PDL API. This should help codify a scheme that has been running for a while informally.

  • Would it be helpful to see examples of other people’s code as we collect permissions from similar public sector businesses using AXLR8 APIs?
  • Once finished, could we have a copy of your code for the AXLR8 Public Sector Code Library?
  1. Who will have access?
    Just the direct programmer at the public sector organisation concerned. Reciprocation of their finished code into the PSCL will be assumed/agreed. Programmers working for subcontractors will be asked to place their code in public ownership as a condition of participation and their employer will be copied in. Most will agree it is of little cost and great benefit to all. The relevant code will be kept in our support KB and has been provided by email up to now. In future, we expect to load it on a data asset register with public sector restricted access.
  2. Will it be a security breach?
    Even if you give us the raw code, we will remove the credentials and replace them with “———”, or similar.
    Even your organisation need not be identified if you wish to replace your organisation’s specific URLs with e.g. “Devshire.gov.uk”
  3. Who owns the IPR?
    I see it as Crown Copyright in 100% of cases. We have had the odd situation where a subcontractor has been less than forthcoming with the code interfacing between a public sector website and our systems and this has been one of the main motivators for this PSCL project. We have no real way to enforce this if the purchasing business does not make it a condition of the offer of work or agree perhaps a smaller fee and release the subcontractor from the obligation. However, I believe the results they achieve for such a “saving” will be more costly in the end and less maintainable.
  4. What else do we need?
    It would be helpful to others to say what CMS your system works with and provide any other notes. Perhaps some notes on what you might have done if you had more time?
  5. What if my code was not as clean as I would have liked due to the time I was given?
    Your code is brilliant. Do not worry, it will help someone and all devs know they have done the same somewhere.

Any questions or comments, please contact AXLR8 Support on 01344 776500.

AXLR8 just achieved compliance for Cyber Essentials

AXLR8 just completed our certification for Cyber Essentials! I can highly recommend the detailed, professional, prompt and practical approach of RightCue who led us through the process. Thanks! #cybersecurity #datasecurity #gdpr #CyberEssentials We are excited to announce the launch of our new project! #completedproject #compliance #IASMEconsortium

New AXLR8 Commercial Finance interfaces

AXLR8 are migrating users to new interfaces to reduce training and make the system quicker and easier to use. Simple lists of proposals and clients have click-throughs to more details if desired. Adding new proposals uses a step-by-step wizard approach that even the world’s greatest technophobe will embrace!

Easy to use AXLR8 Portals

These announcements are part of the product roadmap, which started nearly 20 years ago and will continue with many interfaces to external lenders and other information sources.

Please call to discuss your team’s requirements.

01344 776500

Clear new AXLR8 Portal interfaces

AXLR8 has been spending the last three years updating and improving the AXLR8 User Experience (UX). Many parts of the system are now being systematically added and are seamlessly replacing existing client systems.

Staffing Agencies

Field staffing apps have been evolving for a while and are now customised to your company and also have all the functionality you would expect from AXLR8’s comprehensive staffing agency systems.

Applicants for different job postings
AXLR8 Application Tracking System: effective recruitment metrics

The staffing system’s internal HQ Admin workflows are being improved, function by function, starting with the recruitment team using the AXLR8 applicant tracking system.

Dashboards

AXLR8 Dashboards are now built internally at clients by knowledgeable, accredited AXLR8 Super Users. They can be built and placed anywhere in the system, but the most popular place is the opening page with a management overview.

AXLR8 Dashboards
AXLR8 Dashboards give a real time overview of business health

Finance

AXLR8 are growing in the commercial finance and loan management systems markets as a direct result of improving user interfaces.

AXLR8 LoanMatrix
AXLR8 Loan Management Systems

Government

AXLR8 is updating the Information Request Management and Information Asset Register systems in use across central and local government and NHS.

AXLR8 IAR
Information Asset Register keeps data sources inventory maintained

Apps

AXLR8 have been delivering apps on all major operating environments for several years for our clients to replace and complement our web apps and web portals.

App Screens
Simple to use fault reporting and service logging app

The above maintenance app is a simple “see, snap, send” reporting mechanism as well as containing all the information required for service, installation and other equipment management tasks for an engineer.

The comprehensive AXLR8 Staffing App is simple for the staff member to use for shift information, work planning, availability calendar, pay, expenses, field reporting and surveys (on and off line), updating personal details, a chat mechanism, proof of attendance and so much more. It is used by tens of thousands of staff every day.

Staff App Screens
Staffing App with client customised content and functionality

Please email sales@axlr8.com or call us about your business systems requirement 01344 776500

AXLR8 Login Tips

Security is only going to get stronger in the world of business applications.

Therefore, some of your legitimate users will face occasional barriers to accessing your business applications including the one you have purchased from AXLR8.

Quick fixes

Assuming they are legitimate users, the quick solutions you can try are as follows.

Common user issue – what to do about it:

  • Forgot password (includes typing the wrong case, e.g. “ABCD1234” instead of “AbCd1234”) – they should go through the password reset process. It sends them a temporary login and instructions on how to create a new secure password. A Super User can also kick off this password reset process.
  • Too many false login attempts – the user’s account will be disabled. A Super User needs to go to their User Admin area, select that user and move their account from the “disabled” to the “active” list. Don’t forget to check they are still legitimate users!
  • Not received password reset email – the email with the reset password instructions has probably gone into their spam folder.* The user must check their spam folder, retrieve the mail and follow the instructions.
  • User forgot login name (includes typing it wrong, such as “JOHN SMITH” when it is actually “JOHNSMITH” without a space) – they can use the user name reminder process. You can send them the correct user name and explain the importance of typing it exactly.

*If all of them go to spam, then your DKIM and SPF records may not be set up correctly and you may need to ask for assistance from whoever manages your DNS. AXLR8 can re-supply the correct values for these.
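
Before asking whoever manages your DNS, it is worth checking what the SPF and DKIM records actually say. The following is an added example (not AXLR8 code) that applies the basic sanity checks a mail administrator would make: the SPF record must authorise the host or provider that sends your reset emails and must end with a restrictive “all” term, and the DKIM record must carry a non-empty public key. The records in it are constructed samples with placeholder hosts, addresses and key material; in practice you would paste in the TXT records returned by `dig +short TXT yourdomain` and `dig +short TXT selector._domainkey.yourdomain`.

```python
"""Added example, not AXLR8 code: sanity checks for the SPF and DKIM TXT
records that decide whether password-reset mail lands in spam. The sample
records at the bottom are constructed; hosts, IPs and keys are placeholders."""

DNS_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str, required_mechanism: str) -> list:
    """Return a list of problems with an SPF record (empty list = looks fine).

    required_mechanism is the term that must authorise your mail provider,
    e.g. "include:_spf.mailer.example" or "ip4:203.0.113.10".
    """
    problems = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    mechanisms = terms[1:]
    if required_mechanism not in mechanisms:
        problems.append(f"required mechanism {required_mechanism} missing")
    all_terms = [t for t in mechanisms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        problems.append("no 'all' term: unlisted senders are neither passed nor failed")
    elif all_terms[-1] in ("all", "+all"):
        problems.append("'+all' lets anyone send as your domain")
    if all_terms and mechanisms[-1] != all_terms[-1]:
        problems.append("terms after 'all' are never evaluated")
    # SPF permits at most 10 mechanisms that trigger DNS queries; more gives a permerror
    lookups = sum(
        1 for t in mechanisms
        if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in DNS_LOOKUP_MECHANISMS
    )
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return problems


def check_dkim(record: str) -> list:
    """Return a list of problems with a DKIM key record (empty list = looks fine)."""
    problems = []
    tags = {}
    for part in record.split(";"):          # tag=value pairs separated by semicolons
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    if not tags.get("p"):
        problems.append("empty p= tag (key revoked)")
    if tags.get("k", "rsa").lower() not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {tags['k']}")
    return problems


# Constructed sample records (placeholder hosts and key material)
SPF_OK = "v=spf1 include:_spf.mailer.example ip4:203.0.113.10 -all"
SPF_WEAK = "v=spf1 include:_spf.mailer.example +all"
DKIM_OK = "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY"
DKIM_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, rec, req in [("SPF_OK", SPF_OK, "ip4:203.0.113.10"),
                           ("SPF_WEAK", SPF_WEAK, "include:_spf.mailer.example")]:
        print(name, check_spf(rec, req) or "ok")
    for name, rec in [("DKIM_OK", DKIM_OK), ("DKIM_REVOKED", DKIM_REVOKED)]:
        print(name, check_dkim(rec) or "ok")
```

A “+all” record deserves particular attention: it makes SPF pass for every sender on the internet, which silences the spam filter for your own mail only at the cost of letting anyone else send as your domain, so the fix is a correct sender list with “-all” or “~all”, not a looser record.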

The above should solve it (and probably similar problems from any system you may use, from any supplier). If not, one of your company’s AXLR8 Super Users should follow the steps in the link below with your user (client, field staff, etc.) in order to resolve the matter.

Detailed help notes

For more detailed instructions about how to troubleshoot problems when users cannot log in, please click here.

AXLR8 Dashboard functions

We recently launched a new set of functions for building dashboards.

The functionality is being provided to beta clients and some new clients now.  It will soon become widespread.

AXLR8 Dashboards will address two key UI issues we have been working through in the last four years.

Cx Dashboard

The CEO and Cx suite (board, VPs, etc.) will want different dashboards from the functional dashboards we have as standard in the project. A staff booker will log in to an overview of campaigns and a sales person may log in to their active deals. However, a CEO or COO may need a couple of graphs and two buttons to take them to some areas of P&L detail or other KPIs for the business such as client feedback scores. Previously, we have built these as custom developments and they have been expensive and mostly only applicable to one specific customer. Now AXLR8 can quickly model and deploy different dashboards for different directors/executive officers.

Functional Dashboards

These are the dashboards that would be used by specific staff and managers to achieve their job objectives on a daily basis. For example, a warehouse manager may need to know tool availability and testing schedules for the purposes of kitting out vans each week with safe, serviceable tools. A talent manager may wish to see how many applicants came in overnight and how the talent pool stands, including whose SIA licence paperwork or work visas are coming up for renewal.

We will follow up with an article with some Use Cases in different industries.

AXLR8 Dashboards

AXLR8 has been working on a broad UI improvement strategy over the last four years. AXLR8 Dashboards are one of the main planks of that strategy. Apart from developer team alignment, creative new look-and-feel approaches and UI standards, the main UI development areas include:

  • Operational Apps which interact with the AXLR8 enterprise data in your company  – built for
    • Android tablets and smartphones
    • iPhones and iPads running Apple iOS
  • Specialist portals for field staff
  • Simplified vertical market portals for specific job roles including finance brokers, request managers and asset/warehouse, transport and maintenance staff
  • AXLR8 Report Builder UI evolution
  • AXLR8 e-Learning
  • APIs to other systems extending access for users (e.g. integrated credit check searches for sales people or integrated proposal entry for finance brokers)
  • AXLR8 Dashboards

AXLR8 Dashboards are customisable by AXLR8 Support Consultants. In Q4 2019 we plan to add the skills into the AXLR8 Super User training course deliverables. Many AXLR8 Super Users will be able to customise these AXLR8 Dashboards for their board directors to see their KPIs and metrics, as well as for operational and field staff in specific professional areas such as broking, job tracking, government information request management, talent management (including applicant tracking, vetting and staff bookings), sales, maintenance, and many more.

What is an AXLR8 Dashboard?

AXLR8 Dashboards are overview screens making access to your information quicker and easier.  The AXLR8 Dashboards Manager allows the Super User or Consultant to:

  • customise a view (e.g. an opening view after login) of the system with only the buttons, graphs, etc. that a user or group of users needs
  • cascade more reports and dashboards when that user clicks through to them

This is best illustrated with examples of how dashboards are used.

Who needs AXLR8 Dashboards?

Use case: CEO dash

CEOs often identify 5-10 key metrics they need to run the business and identify trends.  Most great CEOs also want to dig into the detail.  So an opening screen with these key metrics and buttons leading to reports and data on the main functional areas of their business: sales forecast, sales league table, customer satisfaction survey feedback, delayed projects, bookings, etc. can easily be made for the Cx who would normally not engage with systems.

Use case: Warehouse Operations dash

In this specific area, the people in the warehouse are agents for any business critical processes and for change and evolution. To make a system easy for them to use, it must be built with their vocabulary and each function must be accessible from a simple menu or set of buttons: book goods in, what equipment needs a PAT or PUWER test, what items are in repair, how many of those drills are available, which vehicles need an MOT (TÜV, etc.), how many perishable items are three months from disposal.

Use case: Talent Manager dash

In one company this could mean a dashboard of applicant tracking data; in another it might be extended to vetting, staff surveys, staff work metrics and discipline. Yet another manager may be using AXLR8 e-Learning to develop staff and needs to make sure goals on staff numbers with certain qualifications are achieved. Talent managers will have differing goals from company to company, and AXLR8 Talent Management, ATS, Vetting and other functions need to be customised for each company’s needs.

Use case: Customer Support dash

The Support Manager, or Operations Manager will be measured by the Cx level managers on many critical metrics.  This dashboard can be customised so that buttons and graphs on the opening page may show graphs of or allow access to such items as:

  • Map of where my maintenance staff are today
  • Current customer satisfaction feedback scores from AXLR8 Surveys and similar AXLR8 functions
  • Any tickets or requests that have taken longer than target response or resolution times


AXLR8 commercial client GDPR

AXLR8 have produced the following AXLR8 GDPR document for clients in the commercial sector – especially those who use direct mail with our Newsletter Builder and other tools in B2C markets.

It also refers to a new AXLR8 Data Cleaning document.

Staffing Clients

Those in staffing will find it useful as there are some pointers about adding the Opt Ins to your staff contracts. It seems reasonable to ask staff to read email in order to see what work is coming up, confirming/changing shifts and so on. More is available on our specialist staffing website at http://staffing.axlr8.com.

For example, we will be covering data retention periods, especially for applicant data and data about terminated staff (with and without payment history).

Government Clients

AXLR8 are creating special new SAR 30/60/90 Information Request Types.  More details are on the way to government users of our FOI systems.

GDPR references

This link is the official UK Information Commissioner’s Office website and the pages of content are

  • the authoritative source and
  • clearly explained.

The fines associated with General Data Protection Regulations which come in on 25th May 2018 are huge.  None of us can afford 4% of turnover.  The reputation damage to your business would be much higher.

Just like you, AXLR8 have been burning hard-earned reserve cash preparing for GDPR on top of our Penetration Testing, Vulnerability Scanning and the resulting remediation action plans.

Many people are claiming to help you with GDPR if you pay them money. If, like most of our clients, you have more sense than money and some basic legal IT understanding, you should visit this ICO link. It is the official UK Information Commissioner’s Office website and the pages of content are authoritative and clearly explained. All you need to know is that you are the “Data Controller” and AXLR8 is your “Data Processor”. Obviously, if you have in-house systems as well, you are both DC and DP for those systems.

If you have any queries about the matter, please do not hesitate to call and book a (free) call with one of our consultants. “A stitch in time…”