Oncord Security Update

We have recently improved our already-robust security so you can have the peace of mind of knowing you're safe.

Oncord Security Update: Building a Secure Environment

Two Factor Authentication

We’ve added a new 2-stage verification process, similar to what you may have experienced with your bank. If you log in from an unusual location (determined by your IP address) or after 6 failed login attempts, you will be sent a text message verification code to confirm that the changes about to be made are being made only by you. Verification codes last 15 minutes and, once expired, are re-issued automatically the next time you log in.

Mandatory Password Strength 

We’ve also added a ruleset for creating passwords to make them more secure. From now on, passwords:

  • Must be a minimum of 8 characters long
  • Must contain both alphabetical and numerical characters
  • Must not be the same as your last 4 passwords
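
One way to enforce the three rules above on the server, as an added example that is not Oncord's code. The function names, the PBKDF2 parameters and the choice to count the current password among the "last 4" are assumptions. Because only salted hashes are stored, the reuse check re-hashes the candidate under each stored salt.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8           # rule 1 from the list above
HISTORY_DEPTH = 4        # rule 3 from the list above
PBKDF2_ROUNDS = 100_000  # assumed sample work factor, not from the announcement


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def policy_violations(candidate, history):
    """List the rules that `candidate` breaks.

    `history` holds (salt, digest) pairs, oldest first, current password last.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("needs_letters_and_digits")
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, attempt = hash_password(candidate, salt)
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(attempt, digest):
            problems.append("reused")
            break
    return problems


def change_password(candidate, history):
    """Store the new hash if the candidate passes; return any violations."""
    problems = policy_violations(candidate, history)
    if not problems:
        history.append(hash_password(candidate))
        del history[:-HISTORY_DEPTH]  # keep only what the reuse check needs
    return problems
```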

How am I Affected?

As a result of adding these extra security features, all administrator accounts will need to refresh their passwords as well as attach a mobile phone number to each account.

  • Administrator accounts must have unique usernames and email accounts attached to them so it is easier for you to track who has made changes to your website. We strongly encourage users to have individual accounts and advise against using 'shared accounts', as they can increase the risk of sensitive information being exposed to malicious behavior.
        
  • Password encryption has been upgraded to a new encryption method which makes your passwords much more resistant to password cracking, even if password cracking software is used. We’ve also added a new feature which automatically enables the SSL protected ‘HTTPS’ on any page that has a ‘Password’ field on it.
     
  • When logged in, a logout button is now visible when viewing a public and editable page
     
  • Inactive accounts will be disabled automatically after 90 days for sites that contain e-commerce features and 180 days for sites that don’t.
     
  • Admins will be required to change their passwords every 365 days.
     
  • HTTPS is used on all pages when you are logged in with a privileged account to prevent potential session hijacking via network snooping. Whilst logged in, you will be accessing the site via your sslsvc.com domain.

Other Changes

We have also implemented CSRF tokens to prevent CSRF attacks and have upgraded our cryptography software to always generate output that is suitable for cryptographic use.

This extensive list of security updates is being made to keep your website’s sensitive information private, as it should be. We believe that your information should only stay in your hands and will do everything we can to give you the peace of mind that your website is safe.

If you have any feedback about the latest patch, please don’t hesitate to reach out. We know it might be a slight inconvenience for some of you, but it is all in the best interest of your security.

