PDF

swipe to navigate

Initializing Passwords

A major problem in activating a new system is selecting a suitable initial password for users, and communicating that initial value to users securely.

Setting the initial password value to a user's SSN or login ID is insecure. Setting a stronger password is better, but communicating that initial value to users by e-mail is also insecure.

With Password Manager, users need not know the initial password value to their new account. Instead, they can be instructed by e-mail to change all of their passwords, including the new one, with Password Manager. This way, they change their password from an initial random string (which they do not know) to a strong value securely, after proper authentication (with another system's password or using PII known only to the user).

For example, new users of an LDAP directory might receive an e-mail with the text:

Acme, Inc. has activated a new corporate directory.  New applications,
and our Intranet, will verify your identity using a user ID and password
on this directory.
To activate your corporate directory account, click on the link below,
enter your windows network login ID and password, and select a new
password for all of your accounts.  You will then be able to use
the new password both for the systems with which you are already
familiar, and for the new corporate directory.
http://password.acme.com/hipm/psf.exe

Users would follow the link, type their existing Windows login ID and password, and select a new password. They will then be able to log into every system, including the new LDAP directory, with the new password. Thus migrating users can be done efficiently and securely.

Maintaining Passwords During the Transition

In the event of a directory migration (for example, upgrading a domain from Windows 2008 Active Directory to Windows 2016 Active Directory), it may be useful to keep running both systems for a transition period.

In these cases, the password synchronization features of Password Manager will significantly reduce the complexity for end users, as they won't really have to understand which resources use which directory (and hence which password).

This will directly reduce the support load produced by the transition period.


PDF

Comment via LinkedIn