[horde] passwd and forced changes

Erling Preben Hansen erling at eph.dk
Fri Jan 3 15:27:49 UTC 2014


  Quoting Ralf Lang <lang at b1-systems.de>:

> On 03.01.2014 15:20, Simon B wrote:
>>>> User forgets their password or account is compromised
>>>> Admin/helpdesk reset password and notify the user of the temporary
>>>> password.
>>>> Admin/helpdesk uses the console to set the Force_Change flag for that
>>>> email address/username
>>>> User logs into Horde with the temporary credentials.  Because of the
>>>> Force_Change flag user is unable to proceed to applications until the
>>> password change (using the passwd module) is done.
>>>
>>> I don't like the temporary password thing much but it would work.
>>> But consider:
>>> If we need to send something to the user, we can send him a one-time
>>> ticket / link to the reset password screen. If we cannot reach the
>>> user, we can use the "forgot password" question/answer.
>>
>> I'm less concerned with people who've forgotten their password and can
>> access the forgot password question/answer.
>>
>> I'm more concerned with:
>> - initial user login - i.e. we create a password (such as Password1234
>> and want the user to change it immediately)
>
> Case Understood. But this could easily be served with a dialog to let
> the admin change the forgot password phrase.
>
>> - account has been compromised and we've reset the password to
>> safhl$#HXs to prevent further unauthorised access, but when we give
>> the user this password we don't want them to just save it in the
>> browser and proceed - we actually want them to change it.
>
> In this case:
> Don't give him the password. Set an invalid password hash or random
> password and let the user go through "forgot password".
>
>> - Sometimes people forget what the password hint is trying to tell
>> them (I know I do).
>
> Case Understood. But this could easily be served with a dialog to let
> the admin change the forgot password phrase.
>
> Anyway. I understand: The admin should be able to
> - lock users out until they reset password, via a list or by typing the name
> - list users which have been locked out
> - send the user an authentication ticket (one time password) for the
>   forced password reset
>
> --
> Ralf Lang
> Linux Consultant / Developer
> Tel.: +49-170-6381563
> Mail: lang at b1-systems.de
> B1 Systems GmbH
> Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
> Managing Director: Ralph Dehner / Registered office: Vohburg / Register court: Ingolstadt, HRB 3537

A one-time passwd would be nice.
I usually set up user accounts with one password made by me, and ask
them to change it.
If I could do the account setup and send them a one-time passwd ticket,
with a message that they need to change their passwd to continue access,
that would be nice.
/erling
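The two designs discussed above, as an added Python sketch that is not Horde code and not written by any participant in this thread: Simon's variant (admin sets a temporary password plus a Force_Change flag, and the login is gated until the user changes it) and Ralf's variant (admin invalidates the password so nothing usable is ever handed out, the user receives a one-time reset ticket, and the admin can list who is locked out). The class and function names (AccountStore, lock_and_issue_ticket, redeem_ticket, TICKET_LIFETIME), the in-memory dict standing in for a real backend, and the 24-hour ticket lifetime are all assumptions made for the example; the sample usernames and passwords in the comments are constructed.

```python
import hashlib
import hmac
import secrets

# Assumed policy value: how long a reset ticket stays valid, in seconds.
TICKET_LIFETIME = 24 * 3600


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked record cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountStore:
    """Illustrative in-memory account store (assumed, not a Horde backend)."""

    def __init__(self):
        self.accounts = {}  # username -> account record

    def create(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "force_change": False,   # the Force_Change flag from the thread
            "ticket_hash": None,     # only a hash of the ticket is stored
            "ticket_expires": 0.0,
        }

    # --- Simon's variant: temporary password + Force_Change flag ---------

    def set_temporary_password(self, username: str, temp_password: str) -> None:
        """Admin hands out temp_password; the user must change it before
        reaching any application."""
        acct = self.accounts[username]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _hash_password(temp_password, acct["salt"])
        acct["force_change"] = True
        acct["ticket_hash"] = None

    def change_password(self, username: str, old: str, new: str) -> bool:
        """User-driven change; clears the Force_Change flag on success."""
        if self.login(username, old) == "denied":
            return False
        acct = self.accounts[username]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _hash_password(new, acct["salt"])
        acct["force_change"] = False
        return True

    # --- Ralf's variant: invalidate password, send one-time ticket -------

    def lock_and_issue_ticket(self, username: str, now: float) -> str:
        """Admin action: no temporary password is shared at all. The old
        hash is discarded so no login can succeed, and a random ticket is
        returned for delivery to the user (e.g. as a reset link)."""
        acct = self.accounts[username]
        acct["pw_hash"] = None           # nothing can match this record
        acct["force_change"] = True
        ticket = secrets.token_urlsafe(32)
        acct["ticket_hash"] = hashlib.sha256(ticket.encode()).digest()
        acct["ticket_expires"] = now + TICKET_LIFETIME
        return ticket

    def locked_users(self) -> list:
        """The 'list users which have been locked out' view."""
        return sorted(u for u, a in self.accounts.items() if a["force_change"])

    def redeem_ticket(self, username: str, ticket: str, new_password: str,
                      now: float) -> bool:
        """Consumes the ticket on first valid presentation (single use) and
        rejects it after TICKET_LIFETIME; an expired ticket is consumed too,
        so the admin must reissue rather than the user retrying."""
        acct = self.accounts.get(username)
        if acct is None or acct["ticket_hash"] is None:
            return False
        presented = hashlib.sha256(ticket.encode()).digest()
        if not hmac.compare_digest(presented, acct["ticket_hash"]):
            return False
        acct["ticket_hash"] = None       # single use, regardless of expiry
        if now > acct["ticket_expires"]:
            return False
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _hash_password(new_password, acct["salt"])
        acct["force_change"] = False
        return True

    # --- Login gate used by both variants --------------------------------

    def login(self, username: str, password: str) -> str:
        """Returns 'denied', 'must_change' (password ok but Force_Change
        set, so only the passwd screen is reachable) or 'ok'."""
        acct = self.accounts.get(username)
        if acct is None or acct["pw_hash"] is None:
            return "denied"
        if not hmac.compare_digest(_hash_password(password, acct["salt"]),
                                   acct["pw_hash"]):
            return "denied"
        return "must_change" if acct["force_change"] else "ok"
```

The point of storing only a hash of the ticket and discarding the old password hash is that a read of the account table (or a helpdesk ticket system) never yields anything that logs in; the only secret in transit is the ticket itself, and it works exactly once.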

