Synchronizing Forced Password Changes?
aroobie asks: "I have several different types of servers running at my small office including Windows 2000 Advanced Server, VMS, IRIX, and Linux. My corporate parent wants to force passwords to change every 90 days, which is a good thing, but once a user changes his/her Windows password, access to the other servers is denied until I make appropriate changes on the non-Windows servers. Sort of defeats the purpose of changing the password since each user has to give me their new password to make them match on the servers. Has anyone found a way to synchronize passwords on different systems? Is there software available to do this?"
Software to automatically do this stuff is kind of expensive. You could roll your own package for pretty cheap, if you force everyone to change their password at the same place. For example, it would be easier to force all of your users to go to http://changepassword.yourorg.net to change their password.
Then, take their new password and set it in each system using perl (I'm sure it either has a library for each system you are talking about or you can drop out to a shell from perl to change passwords via the Unix shell.)
The hard part about using one system to change all passwords, i.e., having all passwords set from your Windows box or from your Unix shell, is that without special software, each system does a pretty good job making sure you don't know what the password is by using several schemes to hide and encrypt it (that's important...). By forcing everyone to change it in one place, you avoid having to buy the proprietary libraries which notify a central system of a password change.
If that sounds too complex, get ahold of me, and I'll be happy to help more for a small fee or some barter.
This isn't the sig you are looking for... Carry on...
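As an added illustration of the central change-password approach suggested in the comment above (not code from any poster, and in Python rather than the Perl the comment mentions): a fan-out that sets the new password on every system and restores the old one if any system fails, so accounts never end up out of sync. The backend classes, the `user:password`-on-stdin convention (what Linux `chpasswd` reads) for every target, and the old password being available at the change page are assumptions.

```python
import re
import subprocess

USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative Unix-style login names


class StdinBackend:
    """One target system; `argv` is a command that reads 'user:password' on stdin."""
    # e.g. StdinBackend("linux", ["ssh", "root@linux.example", "chpasswd"])  # hypothetical host

    def __init__(self, name, argv):
        self.name, self.argv = name, argv

    def set_password(self, user, password):
        # Password travels over stdin, never argv, so it is not visible in `ps`.
        subprocess.run(self.argv, input=f"{user}:{password}\n", text=True,
                       check=True, capture_output=True, timeout=30)


class MemoryBackend:
    """Constructed stand-in for a real system, used to exercise the logic offline."""

    def __init__(self, name, fail=False):
        self.name, self.fail, self.store = name, fail, {}

    def set_password(self, user, password):
        if self.fail:
            raise RuntimeError(f"{self.name} unreachable")
        self.store[user] = password


def sync_password(user, old, new, backends):
    """Set `new` everywhere, or restore `old` on the systems already changed."""
    if not USER_RE.fullmatch(user):
        raise ValueError("invalid username")
    # A line break would start a second 'user:password' record on the target.
    if any(c in new for c in "\r\n\0"):
        raise ValueError("password contains a line break or NUL")
    changed = []
    for b in backends:
        try:
            b.set_password(user, new)
            changed.append(b)
        except Exception as exc:
            for done in reversed(changed):  # roll back so systems stay in sync
                done.set_password(user, old)
            return {"ok": False, "failed": b.name, "error": str(exc)}
    return {"ok": True, "changed": [b.name for b in changed]}
```
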
Reminds me of one of my old corporate's security faux pas...I rarely used the crappy mainframe system, so quite often when I did my password had expired and I had to call the helpdesk to get it reset...
Me: I need a password reset
Drone: Fine, what's your name and secure PIN?
Me: John Doe, username ******, pin no ****
Drone: Hang on...that doesn't appear to be correct, are you sure that's the PIN?
Me: Yes, I've been using that PIN for years[1]
Drone: OK, I'll reset your PIN to ****[2]
Me: Thanks, can you reset my password then?
Drone: Sure...your password is now ******. Thanks for calling
*click*[3]
[1] herein being the first flaw in the security system. The passwords don't change, but if you can guess the PIN you can get it reset (and it's only 4 digits)
[2] and here's the doozy. I could have been anyone, and now I have got the PIN reset. Internal security tried to get hold of me when I mentioned this incident on a company newsgroup, presumably to sack the person that reset my PIN.
[3] Mission accomplished, identity stolen. At this point I considered calling back claiming to be our venerable CEO.