Security Information for Release 3.1

Questions
  - Are my passwords secure?
  - How can I recover a lost or forgotten password?
  - What is the recommended configuration for keeping my LDAP users' passwords secure?
  - How can I secure the ScrumWorks Pro web client?
  - How can I secure all client/server communication?


Are my passwords secure?

ScrumWorks Pro stores passwords in its database only in one-way encrypted (hashed) form, never as plain text. Only these encrypted values are ever transmitted from the client to the server, with the exception of LDAP users (see the LDAP section of this FAQ).


How can I recover a lost or forgotten password?

Passwords are stored using a one-way algorithm. This protects them against attackers, but it also makes recovery of the original password impossible.

If a user loses or forgets their password, the Global Administrator can reset it using the ScrumWorks Pro Desktop Client. If the Global Administrator loses or forgets their password, they will need to contact support for further instructions.
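The following is an added illustration of why a one-way stored password can be verified and replaced but never recovered. It is not ScrumWorks Pro's own code, and the algorithm (salted PBKDF2-HMAC-SHA256), the iteration count and the in-memory user table are assumptions made for the example; the page does not describe the product's actual parameters.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed PBKDF2 work factor for this illustration, not a product setting.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex'. The password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """Constructed in-memory user table standing in for the server database."""

    def __init__(self):
        self._records = {}

    def create_user(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._records.get(username)
        if stored is None:
            # Hash anyway so an unknown user name takes as long as a known one.
            hash_password(password)
            return False
        return verify_password(password, stored)

    def admin_reset(self, username: str, new_password: str) -> None:
        """What an administrator's 'reset' amounts to: the old digest is
        overwritten with a new one. Nothing here can reveal the old password."""
        if username not in self._records:
            raise KeyError(username)
        self._records[username] = hash_password(new_password)

    def stored_value(self, username: str) -> str:
        """The only thing the database holds for this user: salt and digest."""
        return self._records[username]


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "correct horse")
    print("login ok:", store.authenticate("alice", "correct horse"))
    print("stored  :", store.stored_value("alice"))
    store.admin_reset("alice", "new-pass")
    print("old password after reset:", store.authenticate("alice", "correct horse"))
```

Because each record holds only a random salt and a digest, a lost password cannot be read back out of the database; the administrator's reset path simply writes a new digest, which is exactly the behaviour the answer above describes.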


What is the recommended configuration for keeping my LDAP users' passwords secure?

  1. The ScrumWorks Pro server should be configured to connect to LDAP via SSL (LDAPS).
  2. The ScrumWorks Pro server should be configured to use HTTPS. If you are using LDAP, the passwords sent from the client to the server are sent as clear text (no encryption). This is because the LDAP server needs the original password to compare against its database. To prevent password sniffing, HTTPS is required for all client/server communication.


How can I secure the ScrumWorks Pro web client?

The ScrumWorks Pro server should be configured to use HTTPS. All clients should be directed to https://server:8443/scrumworks/webclient.
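As an added example covering both the LDAP recommendations above and the web client URL, here is a small configuration check that flags the two transport weaknesses those answers warn about: an LDAP connection that is not LDAPS, and a web client endpoint that is not HTTPS. This is not ScrumWorks Pro code; the property names `ldap.url` and `webclient.url` and the host names are constructed for the illustration, and the hardened values mirror the URLs given on this page.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed configurations. The key names are assumptions for this
# example, not the product's real property names.
WEAK_CONFIG = {
    "ldap.url": "ldap://directory.example.internal:389",
    "webclient.url": "http://server:8080/scrumworks/webclient",
}

HARDENED_CONFIG = {
    "ldap.url": "ldaps://directory.example.internal:636",
    "webclient.url": "https://server:8443/scrumworks/webclient",
}


def check_transport(config: Dict[str, str]) -> List[str]:
    """Return findings for unencrypted LDAP or client traffic; empty list means both use TLS."""
    findings = []

    ldap = urlsplit(config.get("ldap.url", ""))
    if ldap.scheme != "ldaps":
        findings.append(
            f"LDAP connection to {ldap.netloc or '<unset>'} uses scheme "
            f"'{ldap.scheme or 'none'}': the server must forward each LDAP user's "
            "original password to the directory, so this link must be ldaps://."
        )

    web_url = config.get("webclient.url", "")
    web = urlsplit(web_url)
    if web.scheme != "https":
        findings.append(
            f"Web client URL {web_url!r} is not HTTPS: LDAP users' passwords travel "
            "from client to server in clear text. Direct clients to "
            "https://server:8443/scrumworks/webclient."
        )

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {check_transport(cfg) or ['no findings']}")
```

Both checks are needed together: LDAPS alone only protects the server-to-directory hop, and HTTPS alone only protects the client-to-server hop, while an LDAP user's password crosses both.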


How can I secure all client/server communication?

Please see the guide on HTTPS Configuration.