[Freeipa-devel] [PATCH] confirm password

Andrew C. Dingman adingman at redhat.com
Fri Sep 7 18:25:24 UTC 2007


On Fri, 2007-09-07 at 11:09 -0700, Pete Rowley wrote:
> > Except that it is useful when generating accounts (especially a large
> > number) and then printing the account information to hand to the user.
> > We had discussed being able to generate a pdf with the account
> > information for this purpose.
> >
> >   
> Generating a unique password and then printing it out for easy 
> compromise seems like something we definitely shouldn't be doing or 
> encouraging. I believe current practice of setting the initial password 
> tends to fall into two categories:
> 
> 1) the end user is asked to type it in
> 2) it is deterministic

3) Generate an already-expired password which the user must change at
first login. Print the thing out and put it in their inbox. Since the
password has to be changed on first use, any compromise will be detected
by the user, who WILL contact the helpdesk because they want access to
their account.

In the case where a user expects the password change / new account, this
is probably far more secure than giving them a deterministic password,
since there's at least a communication channel to intercept rather than
simple common knowledge. It's also often far more practical than making
the user come to the admin to type the password themselves. Of course,
taking the paper out of the equation would be even better.

This was the *only* thing that satisfied all the assorted regulatory
bodies at my former employer. We couldn't make remote users type it in
themselves, and we weren't allowed to use deterministic passwords.
Besides, users often keep dumb, predictable passwords like
'PassWord070907' if you give them out in the first place.

(Of course, all passwords suck, and I'd much rather see something like
smartcards and PKInit, but that's neither here nor there nor yet.)
