passwords

Secure Login is Now a Requirement

15 April 2016--Today is the deadline for users who have not enabled Secure Login in their accounts, and use passwords in connections to RMS and CMS systems. Today, the CMS detects if a connecting user has a password and also does not have secure login enabled. If so, secure login is enabled and a message is posted to the user with details of that action.

Also, since secure login is not an option and is set automatically, it has been removed from user's account settings.

The CMS also will detect if a connecting user has not set a password. If so, it creates a random password for the account, enables secure login, and posts a message to the user with details of that action.

In both cases, the CMS will continue to allow insecure access until the notification message that was sent has been retrieved from the user's radio mail account. After which, the secure login setting is enforced.

If you find yourself unable to connect, please contact the system manager, Steve Waterman, K4CJX, for instructions if you have difficulty with instructions already published. For your reference, a previous message is reprinted below.

--The Winlink Development Team

18 Dec 2015--Last October we announced system-wide changes to enhance privacy and anti-piracy for the Winlink community. Today, we are announcing a deadline date on which the use of account passwords and secure login will become required and not optional: April 15th, 2016

If you’ve already set a password, turned on secure login in your account, and entered the password in your client software, you don’t have to make any other changes. The transition taking place on April 15, 2016 won’t change your operation. If you haven’t set a password for your account and enabled secure login, we recommend you do it now so you won’t be surprised on April 15, 2016. Here's how:

If you use RMS Express:

  1. Connect your computer to the Internet.
  2. Run RMS Express.
  3. Click “Files” then “RMS Express Setup”
  4. Double check that you have the latest version. Check the box in the lower right, "Automatically install field-test (beta) versions..." and allow the program to update and restart. Go back to "RMS Express Setup" as above if you updated the program.
  5. Enter your password in the field next to your callsign, and check the “Require password on connections (Enable Secure Login)” checkbox (it may already be checked by default).
  6. Enter a password recovery e-mail in the appropriate field. This must be a non-Winlink address.
  7. Click "Update".
  8. RMS Express will set your password on the Winlink system and enable the secure login option.

If you’re using a different Winlink e-mail client program, you must follow these steps:

  1. Go to www.winlink.org, and select the My Account tab.
  2. If you haven’t previously selected a password, select one now. Otherwise log in.
  3. Navigate to the screen that lists your account information, and click “Edit”.
  4. Scroll down and enter your password-recovery e-mail.
  5. Check the box to enable Secure Login.
  6. Click “Save” at the bottom of the screen.
  7. Last, find the place in your client program where you can enter your password, and set it.

Note: there may be Winlink client programs that cannot use passwords and secure login. If your client is one of them, contact the author and urge them to update their program!

--The Winlink Development Team

Passwords with Keyboard Mode and APRSLink

Both keyboard mode and the APRS gateway now allow access with your Winlink password to the CMS using a simple challenge/response protocol. Your password is never sent in the clear over the air.

LOGIN
If secure login is enabled for your account (or, in the future, required). Send any command to initiate login. The CMS will respond with a challenge consisting of three digits who's values represent positions of characters within your password..

[RESPONSE]
This is a six character response to the login challenge. Respond with three password characters corresponding to the positions in the challenge plus three additional characters of your choosing (in any order). Example: Password is ABC123. Login challenge is: 425. You send '1B2AZ5'. ABZ21TY would also be valid since it contains the characters 1, B, and 2.

No password is needed if the secure login account setting is off (check 'My account>Edit' at the Winlink web site). This option will go away once secure login (password validation) becomes mandatory next year.

Keyboard access will continue to accept the PW syntax announced earlier, but that will be disabled in a few weeks. Use the above method instead.

-Lee, K0QED
Winlink Development Team

Q&A on Winlink Passwords

Sunday, October 25, 2015
Recently Andy, VE1COR wrote:

"I recently received a msg. via RMS Express that passwords will be required to use the program within about 6 months to send/receive general messages by means of the Winlink2000 system. I think this is called 'Secure Log in'. It is my understanding that Winlink2000 is the backbone for general Winmor / RMS Express messaging. There was a brief discussion on this group in the summer regarding RMS Express passwords. I am still not 100% clear on implementing a password in the RMS Express program running on my computer, and I have a few questions."

We thought publishing the answers might help minimize confusion on the upcoming changes to the CMS login process that we announced recently. So, here are answers to Andy's well-put questions:

Hi Andy,

Some answers:

1. To enter a password in the RMS Express program do I: 1) on the main screen follow the path 'Files/RMS Express Setup' to the 'RMS Express Properties' screen, 2) then enter a password in the 'My Password' field? Is there anything else I need to do with the RMS Express program?

A: Make sure you're using the latest version of RMS Express! Beta test version 1.3.6.6 adds a fix for a bug in secure login. It also has a button that makes it easy to request your password to be sent to you, plus a way to enter a password recovery address without having to go to the web site to do it. When you enter your password in the 'properties' form of RMSE it also sets your option for 'secure login' to CMS servers (direct via telnet or through an RMS). The option to elect secure login and the setting on the web site will go away in six months or so (date to be announced). After that date, secure login is mandatory.

2. For some time I have had a password to access Winlink2000 on-line for webmail and account management (e.g. password recovery e-mail address, white and black lists). Is the password I enter into my RMS Express program the same as I already use with my Winlink2000 account?

A: Same password. There is only one password per callsign account in the Winlink system. Just to prevent confusion: The common key CMSTELNET for access to Telnet connections that must be manually set in Airmail or other clients is NOT a Winlink password (though some clients call it that), but rather a common key for all client connections.

3. Is there any restriction on the type of characters I use for the RMS Express password? (One of the participants in the summer discussion said lower case would cause a problem; my current Winlink2000 password might - or might not - include lower case character(s)).

A: Winlink passwords all use upper case alpha character, numerics and the symbol/punctuation set seen on 'qwerty' keyboards. If an input method permits lower case, it's always converted to uppercase before it's used in the system. If it doesn't--the WDT did not write the software and the author is in error.

4. Every time I change my Winlink2000 password do I also need to change the password in the RMS Express program?

A: Yes, of course. Otherwise, you're trying to log into an account with an incorrect password!

5. How long will it take for my new, or changed, password to be functional in RMS Express (and with on-line Winlink2000 assuming both passwords are linked)?

A: After making a change, you should allow 5-10 minutes to be sure, perhaps less before trying to use it in a client. The password is first changed on one CMS database, then it must propagate to four others around the world. This takes 2-3 minutes in most cases, occasionally longer due to net conditions. If you are using an older client (Airmail, Outpost) that focuses on one or uses a slow rotation of CMS selection, you may experience a problem, but allowing time should fix it. RMS Express is smart about CMS selection and transparent to the user as well, so no problem with it.

6. May I setup a (Winlink2000 based) password NOW in my RMS Express program, before a password is mandatory?

A: YES. Highly recommended. You'll be using secure login right away, which is a good thing. Nothing to worry about setting later, too.

7. if the answer to 6 is 'yes', is there any advantage to setting up a password in RMS Express now?

A: Spoofing your call or access to your account using secure login is very hard. Nothing else to do or remember later, either. The only negative is that you must manage the password and must not forget it. Be sure to set a password recovery address that is NOT your Winlink account, so you can request the password to be sent where you can recover it if you should be human and loose it.

73,
Lor W3QA
Winlink Development Team

Pages

Subscribe to RSS - passwords
Winlink Linkomatic