Forgot password option for users (process)

Guest

I am looking for information on a way to create a "Forgot Password" option
for users when attempting to login to a workstation. The options that have
been brought up are to modify the MSGINA to have a "Forgot Password" button
to allow the retrieval or generation of the password.

The second option is to create a "Forgot Password" profile that users can
log in with.

I would assume that with both options the users will have to enter in some
valid info to retrieve a new password or to display the current password.

My questions are what are the best practices in regards to this and where
can I go for more information?
 
Doug Knox MS-MVP

There is no way to reveal the stored user logon password (short of a program designed to crack passwords).

XP has the capability to use a Password Recovery Disk. See Help and Support for "forgot password".
 
Guest

Doug,

This is for an Enterprise solution. We want a process in place so the end
user will not have to contact helpdesk.

Any other pointers would be great.

Thanks
Rob
 
Doug Knox MS-MVP

Your question was for best practices. This is the best practice. Each user should create and keep safe a password reset disk.
 
Robert Moir

Doug said:
Your question was for best practices. This is the best practice.
Each user should create and keep safe a password reset disk.

I'd say that was totally impractical as a solution in a large enterprise
network.
 
Doug Knox MS-MVP

The only other option is to have the Help Desk use a domain admin account and reset the password, with all the usual warnings about encrypted files, encrypted e-mails and stored browser passwords.
 
Guest

Doug,

thanks for your reply, but I don't think it is viable to ask 40000 users to use a
password reset disk. There has got to be another way.

Thanks
Rob
 
Robert Moir

RobJaudon said:
Doug,

This is for an Enterprise solution. We want a process in place so
the end user will not have to contact helpdesk.

Any other pointers would be great.

Creating an unmanaged and unowned account that anyone can log into is never
going to be a good idea.

Creating a custom GINA could swing it but it will take a lot of work, and a
secure password resetting system is going to contain a lot of overhead that
isn't going to fit well into that model perhaps.

I've been involved in designing a similar tool in the past year and we found
it to be quite involved, and we're looking at placing dedicated "automated
helpdesk kiosk" machines in public areas of the building because we found
that the full burden of an app that can securely scan a user's company ID
card to verify who they are and then ask them a security question of their
choice to be quite intensive and hence needing a full application framework.

[note to anyone who is about to reply and comment on how bad an idea this is
because it's insecure etc., there has been a lot more thought put into
the project than I'm posting here and most of that thought has been on the
security angle]

Perhaps now is the time to consider biometrics so that users don't have to
remember passwords at all, or have you looked at some of the "commercial"
solutions out there that provide the sort of "automated kiosk" that I talk
about above?


--
 
Robert Moir

Doug said:
The only other option is to have the Help Desk use a domain admin
account and reset the password, with all the usual warnings about
encrypted files, encrypted e-mails and stored browser passwords.

There are a good few options out there, some of which I outline in my other
reply on this thread. In a properly managed domain environment, which is
what I'd expect an "enterprise" network to be, things like EFS encryption
should be very well managed so that the IT team can either recover such
documents if something happens to the original account or EFS should be
hobbled so that users can't turn it on and burn themselves.

Incidentally, since Win 2000, whenever has a frontline helpdesk call
handler needed domain admin to simply reset a password?

--
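The point above, that a frontline helpdesk does not need a domain admin account to reset passwords, is usually implemented by delegating only the Reset Password right on the user OU. The script below is an added example, not code from this thread or from any product mentioned in it; it assumes the ActiveDirectory PowerShell module and uses placeholder OU and group names.

```powershell
# Added example: delegate only the "Reset Password" control-access right and
# write access to pwdLastSet (for "must change at next logon") on user objects
# under one OU to a helpdesk group, instead of handing out Domain Admins.
# Assumptions: ActiveDirectory module present; $OuDn and $GroupName are
# placeholders for your own environment.
Import-Module ActiveDirectory

$OuDn      = "OU=Staff,DC=example,DC=com"   # placeholder OU
$GroupName = "Helpdesk-PasswordReset"       # placeholder group

# Well-known AD schema GUIDs (identical in every forest)
$ResetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password right
$PwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # pwdLastSet attribute
$UserClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class

$group = Get-ADGroup -Identity $GroupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
$acl   = Get-Acl -Path "AD:\$OuDn"

# ACE 1: the Reset Password extended right, inherited by user objects only.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass))

# ACE 2: write pwdLastSet so the helpdesk can force a change at next logon.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $PwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass))

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Check: list exactly what the group now holds on this OU. Anything beyond
# these two ACEs means the delegation is wider than intended.
$netbios = (Get-ADDomain).NetBIOSName
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -eq "$netbios\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType |
    Format-Table -AutoSize
```

The group should then be able to reset a password with `Set-ADAccountPassword -Reset` on accounts in that OU and nothing else; the EFS and stored-credential caveats in Doug's reply still apply to any reset, delegated or not.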
 
Doug Knox MS-MVP

I don't deal with domains, other than our IT department, and they always insist it takes a domain admin account. I'll defer to your experience in this.
 
Guest

Robert,

Thank you for the reply. This is the kind of help I was looking for. Did
you look into Winlogon? I have found this article:

http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prmc_str_wtlu.asp

To answer your questions, biometrics have not been looked at and I don't
think that is an option at this point. However, this project is just
starting and I will ask.

Possibly make a custom GPO?

This is all new to me so your thoughts are greatly appreciated.

Thanks

ROB


Robert Moir said:
RobJaudon said:
Doug,

This is for an Enterprise solution. We want a process in place so
the end user will not have to contact helpdesk.

Any other pointers would be great.

Creating an unmanaged and unowned account that anyone can log into is never
going to be a good idea.

Creating a custom GINA could swing it but it will take a lot of work, and a
secure password resetting system is going to contain a lot of overhead that
isn't going to fit well into that model perhaps.

I've been involved in designing a similar tool in the past year and we found
it to be quite involved, and we're looking at placing dedicated "automated
helpdesk kiosk" machines in public areas of the building because we found
that the full burden of an app that can securely scan a user's company ID
card to verify who they are and then ask them a security question of their
choice to be quite intensive and hence needing a full application framework.

[note to anyone who is about to reply and comment on how bad an idea this is
because it's insecure etc., there has been a lot more thought put into
the project than I'm posting here and most of that thought has been on the
security angle]

Perhaps now is the time to consider biometrics so that users don't have to
remember passwords at all, or have you looked at some of the "commercial"
solutions out there that provide the sort of "automated kiosk" that I talk
about above?


--
Rob Moir
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
Kazaa - Software update services for your Viruses and Spyware.
 
Robert Moir

RobJaudon said:
Robert,

Thank you for the reply. This is the kind of help I was looking for.
Did you look into Winlogon? I have found this article:

We considered it as a "brainstorming" option before we designed everything
we felt our solution needed, and then once the design was finished it was
clear that we needed a "full-on client server application" model to handle
all the stuff we wanted to achieve so we never went back to modifying the
startup process.
To answer your questions, biometrics have not been looked at and I
don't think that is an option at this point. However, this project
is just starting and I will ask.

Biometrics are expensive, as are smart cards. However, they will have a very
large saving on your 1st line helpdesk support function as password reset
calls will nose-dive (but not disappear).

The advantage of things like these is that you're taking away the
fallibility of the human memory as a factor in authentication and instead
working on proving who a person is more directly (biometrics) or by allowing
them to carry a token that authenticates on their behalf (smartcard).

One simply can't "forget" their retina or fingerprint and leave it at home,
and while you can leave a smartcard at home, if you also combine it with
site security employee ID photo cards and door access cards then you've just
produced something that most employees are probably going to remember 99% of
the time or their working day will be very difficult.

But all very expensive. Which is why we decided against it.
Possibly make a custom GPO?

A GPO effectively delivers applications or changes settings on the OS or
applications that have been delivered already... there isn't a simple
setting you can "tweak" to do what you or I want, in and of itself.
This is all new to me so your thoughts are greatly appreciated.

As for the commercial software, there are lots about. Try this one for a
start.... (You'll notice they've implemented a few of your ideas here, which
makes it good to know you're on the right track!)
http://www.psynch.com/overview/features.html


--
 
Pentium

Like biometrics, what about an employee barcode reader, that's assuming
employee ID cards are barcoded. A remailer would not work, because anyone,
if they knew the employees username could find out his/her password, and
that's also a problem because if he/she needs the password to get into the
workstation to retrieve said email to get the password ... it's moot. Card
swiper, biometrics are the answer. They sell cheap fingerprint scanners
now.
 
Guest

Robert,

Thank you very much for all your support and information. I will probably
be going to a meeting on this Monday and will bring up the points you have
made. IMO they are all valid and after the meeting, I will have more details.

Cheers
Rob
 
Jupiter Jones [MVP]

Be careful of the cheap fingerprint scanners.
Some are intended for convenience only and should not be used where security
is an issue.
 
Galen

Jupiter Jones [MVP] <[email protected]> had this to say:

My reply is at the bottom of your sent message:
Be careful of the cheap fingerprint scanners.
Some are intended for convenience only and should not be used where
security is an issue.

Seconded. I was recently reading a very insightful article but didn't keep
the magazine. I did however bookmark one of the links:

http://www.eff.org/Privacy/Surveillance/biometrics/

Biometrics isn't quite ready for the prime time I don't think - the most
important thing is that if you lose it then it's gone for life.

The above site's pretty biased but it's got some good information that I
thought I'd pass along as for reasons to think about avoiding biometrics for
anything with important security concerns such as IP or financial data.

Galen
--

"You know that a conjurer gets no credit when once he has explained his
trick; and if I show you too much of my method of working, you will
come to the conclusion that I am a very ordinary individual after all."

Sherlock Holmes
 
Bruce Chambers

RobJaudon said:
I am looking for information on a way to create a "Forgot Password" option
for users when attempting to login to a workstation. The options that have
been brought up are to modify the MSGINA to have a "Forgot Password" button
to allow the retrieval or generation of the password.


Redesign the OS just to accommodate a twit who forgets his password?
That seems somewhat extreme, and may even be a violation of the EULA.

The second option is to create a "Forgot Password" profile that users can
log in with.


If the users can't remember their own passwords, how can you count on
them to remember the password for an account that they don't use every day?

I would assume that with both options the users will have to enter in some
valid info to retrieve a new password or to display the current password.

My questions are what are the best practices in regards to this and where
can I go for more information?


"Best practice" is to teach users not to forget their passwords.

The two options you've mentioned would completely compromise your
security and eliminate the point for having any passwords at all.

How to Log On to Windows XP If You Forget Your Password or Your Password
Expires
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321305


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Robert Moir

Bruce said:
Redesign the OS just to accommodate a twit who forgets his password?
That seems somewhat extreme, and may even be a violation of the EULA.

Or it may not be a violation of anything. MSDN includes documentation,
examples, support and help for people who wish to write their own custom
GINA.
 
Bruce Chambers

Robert said:
Bruce Chambers wrote:



Or it may not be a violation of anything. MSDN includes documentation,
examples, support and help for people who wish to write their own custom
GINA.

The OP didn't mention adding another GINA (which I know is
permissible); he specifically asked about modifying MSGINA. As the EULA
contains specific wording to prohibit reverse engineering such as this
task would entail, I felt it best that he be warned of the potential
problem.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Pentium

Most passwords office types (non-IT) use are crackable (such as pet names,
birthdays etc.) and employees have to understand that. You can spend
hundreds of thousands coming up with ways to secure the process, but it can
be compromised by one who uses "fluffy" as a password. IT people
(understandably) want the average Joe to remember, or use, passes such as
"5TrdG816Jkl00Doo". Teach employees to use ingrained memorable combinations
from childhood, passwords approaching 300 bits: use full addresses and zip codes
with old childhood phone numbers as passwords. Most people remember those
like it was yesterday. If you don't want to pay for a help desk to remind
people, and the questioner said 40000 people are involved, is something
wrong with that logic? Better to at least have one desk person who's the
keeper of the pass than have forty-thousand people potentially screw your
network. The CEO might want to take 30Gs off his bonus to pay for such a
person. But teaching your employees to use long memorable "addresses" from
their past is the best.
 
