Important Security Policy Updates for CRM Users - Effective February 8th

Cristinel Anastasoaie - Friday, January 20, 2012

Effective February 8th 2012 we will further update the way we handle CRM user passwords, for security reasons. The new release will impact lost password workflows, add or update System Messages / System Emails and alter the way customers retrieve their passwords.

This is the second step in a larger update process. The first phase was released during December and was detailed previously as part of the Important Security Policy Updates - Effective December 14th blog post.

Summary of the changes:

  • Case sensitive passwords - beginning with the February release, passwords for new CRM users will be case sensitive. Existing customers will be gradually migrated to case sensitive passwords as they log in to the system.
  • System Messages (Pages) - added Password Retrieve Request (new) page, which contains a form in which the user can enter his username or password in order to receive the password reset email; similar content to the existing Lost Password form
  • System Messages (Pages) - updated Password Retrieve Confirmation page
  • System Messages (Pages) - added Password Reset (new) – opened via the link in the password reset email; contains a form in which the user inputs his new password
  • System Messages (Pages) - added Password Reset Success (new) – displayed to the user after he has successfully reset his password
  • System Messages (Pages) - updated Unauthorized Access page so that it contains a Lost Password link by default
  • System Emails - Updated Lost Password and Secure Zone Details emails to replace {tag_password} with {tag_passwordresetlink}; {tag_password} has also been updated to send a password reset link instead of a clear password;
  • Email Marketing > Create campaign - {tag_recipientpassword} will be deprecated and replaced with {tag_recipientPasswordResetLink} which will send a link to an update password form instead of clear passwords; when running already built campaigns, the {tag_recipientpassword} tag will return a link to a reset password page.
  • APIs - ContactList_Retrieve, Contact_RetrieveByEmailAddress, Contact_RetrieveByEntityID, Contact_RetrieveByExternalID, Contact_RetrieveByUsernamePassword, Contact_Retrieve, Contact_Retrieve (message name Contact_Retrieve2), Contact_Retrieve (message name Contact_Retrieve3) - Password field will return an empty value.
  • APIs - we have added a new API named Contact_RetrieveZonesByEntityID which retrieves the secure zones to which a given contact is subscribed

Note: For existing sites, the content of the modified system messages/emails is not changed automatically. In order to use the new templates Admin users should perform a "Reset to original" operation on the affected messages/emails.

February Security Update FAQ

Q: Can a Partner or Site Admin still update a CRM user password via the Admin UI?
A: Yes, Site Admins and Partners can still enter a new CRM user password through the Edit Customer UI. The new value will be saved and used by site customers to login to secure zones.

Q: How can a Partner or Site Admin help CRM users recover their passwords?
A: Since the CRM user password is no longer readable by Site Admins or Partners in Reports or in the Manage Customer UI, we encourage Partners to use the following methods to help customers retrieve their passwords:

  • Use "Email Login Details" from the Customer Details > Manage Customer Subscriptions screen; this will send CRM customers an email that includes a link to a forgot password form which they can use to reset their password.
  • Update login pages to include a link to a "Forgot Password" form that customers can use to reset secure zone passwords; following the release, it is recommended to use the new Forgot Password page. Read the Allowing Customers to view and update CRM details article on the Business Catalyst Knowledge Base for more information on how to help secure zone customers retrieve their passwords.

Q: What happened to the "Lost Password" form?
A: The "Lost Password" form has been deprecated and replaced with an automatically rendered form. Existing Lost Password forms will continue to work and will send customers an email containing a link to change the password. The new Retrieve Password form is linked from all login screens and can be customized from the System Messages section.

Q: What happens when the password field is left blank in the import file?
A: We have updated the import functionality so that it does not overwrite the existing password with a blank password. Leaving the password field blank in the import file will keep the existing password. The following use cases apply when updating or inserting customers through import & API:

  • If contact exists in CRM and password field is left blank in the import file, the system keeps the value existing in the database
  • If contact exists in CRM and password field includes a value in the import file, the system updates the password with the value provided in the import file
  • If contact does not exist in CRM and password field is left blank in the import file, the system creates a new contact and doesn't generate a password for it
  • If contact does not exist in CRM and password field includes a value in the import file, the system creates a new contact and generates a password based on the value provided in the import file.
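The following Python sketch is an added example, not Business Catalyst code, illustrating the three mechanics described above: case sensitive passwords stored only as salted hashes (so Admin UIs and APIs cannot return them), the four import rules for a blank versus populated password field, and a {tag_passwordresetlink}-style flow in which the emailed link carries a random, expiring, single-use token whose hash is all the server keeps. The in-memory `contacts` store, the function names and the one-hour token lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory contact store for the example (hypothetical; the real
# CRM persists this in its database). Only password *hashes* are stored, which
# is why a "retrieve password" feature cannot exist and a reset link is used.
contacts = {}  # username -> {"salt", "pw_hash", "reset_hash", "reset_expiry"}

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Bytes of the UTF-8 password are hashed as
    given, so 'Secret1' and 'secret1' are different: case sensitivity falls
    out naturally once the server stops lowercasing input."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(username, password):
    """Constant-time comparison; a contact created without a password never
    matches anything (including the empty string)."""
    contact = contacts.get(username)
    if contact is None or contact["pw_hash"] is None:
        return False
    _, digest = hash_password(password, contact["salt"])
    return hmac.compare_digest(digest, contact["pw_hash"])


def import_contact(username, password):
    """Apply the four import/API rules from the FAQ. Returns a label for the
    branch taken so the behaviour can be checked."""
    existing = contacts.get(username)
    if existing is not None:
        if password == "":
            return "kept"  # blank field must not wipe the stored password
        existing["salt"], existing["pw_hash"] = hash_password(password)
        return "updated"
    contact = {"salt": None, "pw_hash": None, "reset_hash": None, "reset_expiry": 0.0}
    if password != "":
        contact["salt"], contact["pw_hash"] = hash_password(password)
    contacts[username] = contact
    return "created_with_password" if password else "created_without_password"


def issue_reset_token(username, ttl_seconds=3600, now=None):
    """Generate the secret that goes into the emailed reset link. The server
    stores only its SHA-256, so a leaked database does not yield usable links."""
    contact = contacts[username]
    token = secrets.token_urlsafe(32)
    contact["reset_hash"] = hashlib.sha256(token.encode("ascii")).digest()
    contact["reset_expiry"] = (now if now is not None else time.time()) + ttl_seconds
    return token


def redeem_reset_token(username, token, new_password, now=None):
    """Validate the link token (exists, unexpired, matches) and set the new
    password. The token is invalidated on success and on expiry: one use only."""
    contact = contacts.get(username)
    if contact is None or contact["reset_hash"] is None:
        return False
    if (now if now is not None else time.time()) > contact["reset_expiry"]:
        contact["reset_hash"] = None
        return False
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(presented, contact["reset_hash"]):
        return False
    contact["salt"], contact["pw_hash"] = hash_password(new_password)
    contact["reset_hash"] = None
    return True
```

A real deployment would additionally rate-limit reset requests per account and avoid revealing in the response whether the username exists, since the reset form is reachable by anyone.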

Q: Following the February release, can Partners or Site Admins still automate the Secure Zone login by appending username and password to a URL?
A: No. Starting with our February release, site customers will have to enter username and password when accessing a secure zone. To avoid entering login credentials the next time they access the site, site customers can check the "Remember me" checkbox.

Q: Following the February release, can partners send passwords by email to all contacts created using import or APIs?
A: No. Starting with our February release, Partners will be able to include in the email a link to an Update Password form which can be used by CRM customers to setup a new password.

Q: Where can I find documentation about the new CRM APIs so that I can update my customer sites ahead of the February release?
A: You can find a description of the new API on our knowledge base. For more details, read the "Retrieve Secure Zones API Reference" article.

Please make sure that your customers and team members are aware of these important updates.

Thank you for all of your help and support,