If you are getting warnings about duplicate passwords then simply
requiring a change to be more than 'changeme' to 'changeme123' isn't going
to help that much. The problem is that somewhere in your environment a
system is allowing a password to be used verbatim despite it having been
used in the past. This happens when you have password policies (or
password histories) out of sync between environments, so for example the
ID vault is often newer than the production tree and as a result does not
have the full set of password history that the production environment
does. If you allow users to change passwords directly in the vault (or in
some environment that goes through the vault before it hits production)
then the password may be allowed there but then fail synchronizing to
production. Either override the error or make sure password histories are
in sync.

Regarding your original question (though I'm not sure it's your actual
problem) I do not know of a way to do what you are after aside from
writing your own web application to do the complexity test, and that could
be fairly complex. The easier way is via training but users will not
often go out of their way to create complex passwords just because they
like you. Another option is to audit passwords after the fact, and
perhaps reward users who do a good job with complexity. For example the
following CoolSolution (shameless plug) was made for password complexity
"auditing":

http://www.novell.com/coolsolutions/tools/19403.html

Basically it spits out a report, of sorts, regarding the complexity of
passwords of users migrated through the driver. You could have this run
once in a while and then have a script find passwords that are weaker than
you would like and nag those users. Not a perfect solution, but it's an
option. Another option would be to submit an enhancement request for this
kind of feature. http://support.novell.com/ has a link on the side
labeled 'Contribute' and then 'Request Enhancement' is likely something
that will interest you.

Good luck.

sebsecure wrote:
> Hi
> Long story short. I want to stop users from changing password from
> "changeme" to "changeme123" and they must change it to something totally
> different
> Excerpt from password policy below
>
> Require unique passwords true
> Number of days before password expires 30
> Limit the number of grace logins allowed 8
> Minimum number of characters in password 7
> Maximum number of characters in password 30
> Minimum number of unique characters 2
> Allow numeric characters in password true
> Disallow numeric as first character true
> Disallow numeric as last character false
> Allow the password to be case sensitive true
> Allow non-alphanumeric characters in the password true
> Disallow non-alphanumeric character as first character true
> Disallow non-alphanumeric character as last character true
> Allow non-US ASCII characters false
>
>
> I can recall from a previous life I used to be able to do something to
> force them to have a certain amount of unique characters when changing
> their password and it would stop them changing it, but maybe that was a
> third party util or using nmas/nici or something. Reason we are getting
> a lot of IDM email Warnings DSERR_DUPLICATE_PASSWORD
>
> Second, is there any way we can modify the default text notifying them
> to change passwords when grace logins are being consumed. IE You have
> X grace logins left DO NOT IGNORE THIS CHANGE IT NOW!
>
> We have tried using comms to address these issues, but .......
>
> edir 8.7.3.10
> ss206
> NovClient 4.9.1sp4-5
>
>
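The reply above mentions writing your own web application to test a new password. As an added example (not code from the poster or from Novell), this is one way such a check could reject a "changeme" to "changeme123" style change; it assumes the change form collects the current password alongside the new one, and the function names and the 0.6 threshold are assumptions to tune.

```python
import difflib
import re

# Leading/trailing digits and punctuation: the usual "increment" padding.
_PADDING = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def core(password: str) -> str:
    """Lowercase the password and strip digit/punctuation padding at both ends."""
    return _PADDING.sub("", password.lower())


def too_similar(old: str, new: str, max_ratio: float = 0.6) -> bool:
    """Return True when `new` is a trivial variation of `old`.

    max_ratio is an assumed threshold, not a value from any product policy.
    """
    o, n = old.lower(), new.lower()
    c_old, c_new = core(old), core(new)
    # Same word with different padding: changeme -> changeme123, Changeme!
    if c_old and c_old == c_new:
        return True
    # Old core embedded in the new password (or the reverse): my2changeme
    if len(c_old) >= 4 and c_old in n:
        return True
    if len(c_new) >= 4 and c_new in o:
        return True
    # Old password typed backwards
    if o and o == n[::-1]:
        return True
    # Anything else that is mostly the same characters in the same order
    return difflib.SequenceMatcher(None, o, n).ratio() > max_ratio


if __name__ == "__main__":
    # Constructed sample change attempts, all starting from "changeme".
    for candidate in ("changeme123", "Changeme!", "my2changeme",
                      "emegnahc", "ch4ngeme", "Purple-Tractor-49"):
        verdict = "reject" if too_similar("changeme", candidate) else "accept"
        print(f"{candidate:20} {verdict}")
```
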
"sebsecure" <sebs...@no-mx.forums.novell.com> wrote in message
news:sebsecur...@no-mx.forums.novell.com...
> The issue with the grace logins is that users are authenticating against
> the VAULT to use their VPN and despite being prompted from the PROD tree
> to change their password they don't and then consume the rest of the
> grace logins from the VAULT.

If you have prod and vault trees, you have IDM? If so, you can pretty
easily add a policy (use a Null driver) that watches for decrementing
Grace Login Remaining and sends them an email notification that they need
to change their password now. We do that here, and it's remarkably
successful.
Post over in novell.support.identity-manager.engine-drivers if you need
help creating this.
--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com
Please post questions in the newsgroups. No support provided via email.