New Security Features

A number of new security features have recently been added to Arctic Reservations, to ensure that all data is kept secure and to help prevent malicious login attempts. This effort to increase security is due to the recently released credit card module. Since Arctic Reservations now handles important financial information for customers, it has become increasingly important to protect that data.

The first big change is an invisible one. The site now does more logging of activity and login attempts, to help identify unusual behavior or brute force attempts to gain access to the website. The software continually reviews this data using a number of strategies (including access frequency, etc), and will block access to certain users based on the perceived threat. This effectively prevents a brute force attack, where a hacker tries to gain access to the software by guessing passwords.

The second change involves offering a number of new options for controlling how users login to the system. Now below the login form is a link to show advanced options. These advanced options control how long a user will remain logged in, whether the session can transfer IP addresses and whether data should be cleared on browser exit. In addition, administrators can set defaults for each of these options from the settings page. When these new options were added, we lowered the default login duration and enabled IP address specific login, both of which help to boost security. More details on these options can be found in the new FAQ category.

Remember that security is also a huge responsibility of the end user. We can continue to add more and more security features, but if you pick “password” as your password, they will do no good. So just as a reminder, remember to pick a secure password and don’t provide your password to anyone (not even Arctic Reservations support). Some tips for secure passwords include:

  • It should not be a dictionary word.
  • You should include a number or symbol in your password.
  • Don’t use anything that can easily be guess about you (e.g., your zip code, your birthday, your address).
  • It should be at least seven characters long.