At MCP, we are continually reviewing our security systems and practices to ensure our products remain as safe and secure as possible for our customers. In today's technical landscape, cyber security is paramount. We are therefore continually scrutinizing the security of Destin8 user IDs and passwords, whilst simultaneously identifying changes that can be implemented to additionally enhance this security. To this end, we will soon be making changes to the password recovery procedure for Destin8 users.
The functionality to enable a user to update their password has long existed in Destin8. However, in cases of forgotten or unknown passwords, the current method of obtaining a password reset through our Helpdesk presents some potential security vulnerabilities. To increase the security of Destin8 passwords, we have concluded that this long-standing practice must change.
What is changing?
We have been building upon the existing Destin8 security functionality and will soon be implementing a new feature which will enable users to reset their unknown or forgotten passwords directly from the Destin8 login page. A ‘Forgot Password’ option will be displayed which, when used, will trigger the sending of a temporary reset link to the pre-registered recovery email address for the user ID, enabling the user to update their password.
What do I need to do?
Our Helpdesk will shortly be in contact with you to obtain the appropriate password recovery email address for each of your company’s Destin8 user IDs. There can be only one email address assigned per user ID.
We know that the internal management of Destin8 users and passwords varies among our customers and that, in some cases, Destin8 user IDs and passwords are frequently shared among colleagues within an organisation. We appreciate this can make the issue of password management and security particularly challenging. Some important factors to consider when assigning recovery email addresses are:
Accessibility
Ensure the mailbox of the selected email address is accessible to those responsible for Destin8 password management within your organisation. You should endeavour to protect against any single points of failure that could potentially prevent a user from accessing Destin8 when needed, simply because they are unable to obtain the password reset link.
Password Sharing
Shared account access introduces a number of risks, and the sharing of passwords is strongly discouraged. However, we know that for some of our customers, the sharing of Destin8 user IDs and passwords is unavoidable. In these cases, especially, you should:
- Continually monitor and review password access to manage the additional security risks.
- Only share the password with the smallest possible group of known and trusted users, preferably using a password management tool. Writing down passwords or sharing via email is not recommended.
- Ensure the password is not exposed to users who do not have permission to access it.
- If someone is no longer allowed access, change the password, e.g. when a staff member leaves a team or the organisation.
When will this change?
MCP, as a company, is classed as Critical to National Infrastructure (CNI) and, as such, we will implement the new functionality as soon as reasonably practicable. Your cooperation is critical in ensuring that the implementation of cyber security enhancements to our products has minimal impact on your organisation. When you are contacted by our Helpdesk, please promptly respond with your recovery email addresses to enable us to expedite the new feature smoothly and without delay.
MCP plc - 23 October 2024
Posted on Wednesday 23rd October 2024