They used to track passwords here at a time before my arrival. And most users had the same 4 character password! Needless to say there is now a password policy that encourages the use of passphrases (passwords are bad, evil things). With the minimum password length we have set, users have to use a passphrase. They can remember "My dog's name is Red Rover" easily and no amount of current computing power of rainbow tables.

For any user that attempts to tell me their password/passphrase, I tell them that if they do I will log on as them and send an eMail to the entire company (as them) inviting everyone to an adult toy party at their house this Friday night.

----- Original Message -----
From: "ASB" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 03, 2004 10:34 AM
Subject: Re: [ActiveDir] Notification containing new password

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I would like to have the users change their own passwords, but I
would also like to be able to know their new passwords.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ALARM! ALARM!!

I don't *ever* want to know someone else's password.  I don't *ever*
want someone else to have reason to believe that I have their
password, as this violates all sorts of security principles.

This violates the whole purpose of having a password in the first place.

If I ever need to get into an end-user system as their specific
account, when they happen to be unavailable, I'll change their
password at that time.  (Ensuring that I have good key recovery in
place for EFS usage)

Suffice it to say, your plan has Bad-Idea™ written all over it.  I
would highly recommend that you pursue a different course of action.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Does anyone know of a solution? Maybe something like an email generated
by some sort of script with the new password?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This only sounds worse...

Not incidentally, the NET USER /RANDOM command supports the generation
of random passwords.

- ASB
 Cheap, Fast, Secure -- Pick Any TWO.
 http://www.ultratech-llc.com/KB/


On Wed, 3 Nov 2004 13:21:39 -0500, Matthew Crape <[EMAIL PROTECTED]> wrote:
 Hi Group,

I have already delved into the archives and I couldn't find quite what I
was looking for. It is very possible that I looked over it, and if I did I
apologize in advance. Now, to my question: We are a fairly small shop here
(about 40 users) and the traditional way of doing a password change was to
collect new passwords from everyone and then I change them in AD as well as
in a couple of other places (i.e. like synchronizing them with our
non-Exchange mail server). We did this so that in case somebody was away on
vacation and we needed to log on to their computer (with their profile) we
could do it. It saves the hassle of say, logging in with a domain account
and then manually opening up a PST file or something like that.


I would like to have the users change their own passwords, but I would
also like to be able to know their new passwords. We have had numerous
issues in the past with people telling us their wrong passwords, so I would
like to get it straight from AD if possible. Right now the only solution I
can see is cracking all of the passwords, but that isn't the most feasible
way.


Does anyone know of a solution? Maybe something like an email generated
by some sort of script with the new password? Sorry if this email dragged on
for a bit. Any help is appreciated. Thanks.
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

