15 Oct 2015--The Winlink Development Team is making changes to modernize the system and prevent abuse. We have begun to roll out changes to the Common Message Servers (CMS) that will alter the connection behavior of both client software and RMS servers. Previously, users could opt into using a secure login process. In the near future, it will be required of all accounts. Users and Sysops alike should note what to expect. We are working with 3rd-party software authors to help them implement their needed changes, and allowing for a generous grace period to allow updates and a smooth transition. Here's a summary:
1. All Winlink accounts will be required to log in to a CMS securely with a password. Currently, 'secure login' is optional for users, and many accounts do not have passwords. Before they are required later in the transition, the CMS has begun sending to users having non-secure accounts a new system-generated password. If you are not already using 'secure user login' in your client, WebMail on the web site, have not requested a Winlink password from the web site, or run an RMS gateway or RMS Relay station, your account probably does not have a password. You should look in your Winlink mail for a service message from the CMS containing a new unique password associated with your callsign account.
Note: Additional accounts using SSID variations of a callsign will always use the same password--the one associated with the base callsign, without "-0000" (SSID) appended.
Users can change their password, and request recovery of lost passwords using the Winlink web site. Be sure to add a password recovery address to your account settings!
2. Unless created by using RMS Express, all new accounts created by using a client making a first-time connection with a CMS will automatically receive their passwords in a service message. After a grace period, the CMS will require all connections to perform secure login. Prior to that, the password must be configured in a client program to allow successful secure connections.
3. Sysops need do nothing regarding passwords for the accounts running RMS gateways--they already use passwords for secure access to the CMS servers. They should be familiar with the changes in order to assist their users, however.
4. Tactical address accounts can not be used to log into a CMS, but may have associated passwords for security. Passwords are not required for tactical addresses, as they will be for all callsign accounts.
5. We will soon announce a cut-over date (we expect about six months from October 15, today) on which the CMS will begin rejecting un-secure (no password) connections for existing accounts.
--The Winlink Development Team