Guest
Archived from groups: microsoft.public.windowsxp.security_admin

I am looking for information on a way to create a "Forgot Password" option
for users when attempting to login to a workstation. The options that have
been brought up are to modify the MSGINA to have a "Forgot Password" button
to allow the retrieval or generation of the password.

The second option is to create a "Forgot Password" profile that users can
log in with.

I would assume that with both options the users will have to enter in some
valid info to retrieve a new password or to display the current password.

My questions are what are the best practices in regards to this and where
can I go for more information?
 
Guest

There is no way to reveal the stored user logon password (short of a program designed to crack passwords).

XP has the capability to use a Password Recovery Disk. See Help and Support for "forgot password".

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"RobJaudon" <RobJaudon@discussions.microsoft.com> wrote in message news:388F9092-0E87-4671-8A08-FE39AF79B1B6@microsoft.com...
>
> I am looking for information on a way to create a "Forgot Password" option
> for users when attempting to login to a workstation. The options that have
> been brought up are to modify the MSGINA to have a "Forgot Password" button
> to allow the retrieval or generation of the password.
>
> The second option is to create a "Forgot Password" profile that users can
> log in with.
>
> I would assume that with both options the users will have to enter in some
> valid info to retrieve a new password or to display the current password.
>
> My questions are what are the best practices in regards to this and where
> can I go for more information?
>
 
Guest

Doug,

This is for an Enterprise solution. We want a process in place so the end
user will not have to contact helpdesk.

Any other pointers would be great.

Thanks
Rob

"Doug Knox MS-MVP" wrote:

> There is no way to reveal the stored user logon password (short of a program designed to crack passwords).
>
> XP has the capability to use a Password Recovery Disk. See Help and Support for "forgot password".
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "RobJaudon" <RobJaudon@discussions.microsoft.com> wrote in message news:388F9092-0E87-4671-8A08-FE39AF79B1B6@microsoft.com...
> >
> > I am looking for information on a way to create a "Forgot Password" option
> > for users when attempting to login to a workstation. The options that have
> > been brought up are to modify the MSGINA to have a "Forgot Password" button
> > to allow the retrieval or generation of the password.
> >
> > The second option is to create a "Forgot Password" profile that users can
> > log in with.
> >
> > I would assume that with both options the users will have to enter in some
> > valid info to retrieve a new password or to display the current password.
> >
> > My questions are what are the best practices in regards to this and where
> > can I go for more information?
> >
>
 
Guest

Robert,

Thank you for the reply. This is the kind of help I was looking for. Did
you look into Winlogon? I have found this article:

http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prmc_str_wtlu.asp

To answer your questions, Biometrics have not been looked at and I don't
think that is an option at this point. However, this project is just
starting and I will ask.

Possibly make a custom GPO?

This is all new to me so your thoughts are greatly appreciated.

Thanks

ROB


"Robert Moir" wrote:

> RobJaudon wrote:
> > Doug,
> >
> > This is for an Enterprise solution. We want a process in place so
> > the end user will not have to contact helpdesk.
> >
> > Any other pointers would be great.
>
> Creating an unmanaged and unowned account that anyone can log into is never
> going to be a good idea.
>
> Creating a custom GINA could swing it but it will take a lot of work, and a
> secure password resetting system is going to contain a lot of overhead that
> isn't going to fit well into that model perhaps.
>
> I've been involved in designing a similar tool in the past year and we found
> it to be quite involved, and we're looking at placing dedicated "automated
> helpdesk kiosk" machines in public areas of the building because we found
> that the full burden of an app that can securely scan a user's company ID
> card to verify who they are and then ask them a security question of their
> choice to be quite intensive and hence needing a full application framework.
>
> [note to anyone who is about to reply and comment on how bad an idea this is
> because it's insecure and etc..., there has been a lot more thought put into
> the project than I'm posting here and most of that thought has been on the
> security angle]
>
> Perhaps now is the time to consider biometrics so that users don't have to
> remember passwords at all, or have you looked at some of the "commercial"
> solutions out there that provide the sort of "automated kiosk" that I talk
> about above?
>
>
> --
> --
> Rob Moir
> Website - http://www.robertmoir.co.uk
> Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
> Kazaa - Software update services for your Viruses and Spyware.
>
>
>
 
Guest

Your question was for best practices. This is the best practice. Each user should create and keep safe a password reset disk.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"RobJaudon" <RobJaudon@discussions.microsoft.com> wrote in message news:0A25BF55-16C0-463B-9603-B014726E05FA@microsoft.com...
> Doug,
>
> This is for an Enterprise solution. We want a process in place so the end
> user will not have to contact helpdesk.
>
> Any other pointers would be great.
>
> Thanks
> Rob
>
> "Doug Knox MS-MVP" wrote:
>
>> There is no way to reveal the stored user logon password (short of a program designed to crack passwords).
>>
>> XP has the capability to use a Password Recovery Disk. See Help and Support for "forgot password".
>>
>> --
>> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
>> Win 95/98/Me/XP Tweaks and Fixes
>> http://www.dougknox.com
>> --------------------------------
>> Per user Group Policy Restrictions for XP Home and XP Pro
>> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
>> --------------------------------
>> Please reply only to the newsgroup so all may benefit.
>> Unsolicited e-mail is not answered.
>>
>> "RobJaudon" <RobJaudon@discussions.microsoft.com> wrote in message news:388F9092-0E87-4671-8A08-FE39AF79B1B6@microsoft.com...
>> >
>> > I am looking for information on a way to create a "Forgot Password" option
>> > for users when attempting to login to a workstation. The options that have
>> > been brought up are to modify the MSGINA to have a "Forgot Password" button
>> > to allow the retrieval or generation of the password.
>> >
>> > The second option is to create a "Forgot Password" profile that users can
>> > log in with.
>> >
>> > I would assume that with both options the users will have to enter in some
>> > valid info to retrieve a new password or to display the current password.
>> >
>> > My questions are what are the best practices in regards to this and where
>> > can I go for more information?
>> >
>>
 
Guest

Doug,

Thanks for your reply, but I don't think it is viable to ask 40000 users to use a
password reset disk. There has got to be another way.

Thanks
Rob

"Doug Knox MS-MVP" wrote:

> Your question was for best practices. This is the best practice. Each user should create and keep safe a password reset disk.
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "RobJaudon" <RobJaudon@discussions.microsoft.com> wrote in message news:0A25BF55-16C0-463B-9603-B014726E05FA@microsoft.com...
> > Doug,
> >
> > This is for an Enterprise solution. We want a process in place so the end
> > user will not have to contact helpdesk.
> >
> > Any other pointers would be great.
> >
> > Thanks
> > Rob
> >
> > "Doug Knox MS-MVP" wrote:
> >
> >> There is no way to reveal the stored user logon password (short of a program designed to crack passwords).
> >>
> >> XP has the capability to use a Password Recovery Disk. See Help and Support for "forgot password".
> >>
> >> --
> >> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
> >> Win 95/98/Me/XP Tweaks and Fixes
> >> http://www.dougknox.com
> >> --------------------------------
> >> Per user Group Policy Restrictions for XP Home and XP Pro
> >> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> >> --------------------------------
> >> Please reply only to the newsgroup so all may benefit.
> >> Unsolicited e-mail is not answered.
> >>
> >> "RobJaudon" <RobJaudon@discussions.microsoft.com> wrote in message news:388F9092-0E87-4671-8A08-FE39AF79B1B6@microsoft.com...
> >> >
> >> > I am looking for information on a way to create a "Forgot Password" option
> >> > for users when attempting to login to a workstation. The options that have
> >> > been brought up are to modify the MSGINA to have a "Forgot Password" button
> >> > to allow the retrieval or generation of the password.
> >> >
> >> > The second option is to create a "Forgot Password" profile that users can
> >> > log in with.
> >> >
> >> > I would assume that with both options the users will have to enter in some
> >> > valid info to retrieve a new password or to display the current password.
> >> >
> >> > My questions are what are the best practices in regards to this and where
> >> > can I go for more information?
> >> >
> >>
>
 
Guest

The only other option is to have the Help Desk use a domain admin account and reset the password, with all the usual warnings about encrypted files, encrypted e-mails and stored browser passwords.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Robert Moir" <robspamtrap+msnews@gmail.com> wrote in message news:OlK40LYtFHA.3752@TK2MSFTNGP09.phx.gbl...
> Doug Knox MS-MVP wrote:
>> Your question was for best practices. This is the best practice.
>> Each user should create and keep safe a password reset disk.
>
> I'd say that was totally impractical as a solution in a large enterprise
> network.
>
>
 
Guest

I don't deal with domains, other than our IT department, and they always insist it takes a domain admin account. I'll defer to your experience in this.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"Robert Moir" <robspamtrap+msnews@gmail.com> wrote in message news:%23GOS5RYtFHA.3720@TK2MSFTNGP14.phx.gbl...
> Doug Knox MS-MVP wrote:
>> The only other option is to have the Help Desk use a domain admin
>> account and reset the password, with all the usual warnings about
>> encrypted files, encrypted e-mails and stored browser passwords.
>
> There are a good few options out there, some of which I outline in my other
> reply on this thread. In a properly managed domain environment, which is
> what I'd expect an "enterprise" network to be, things like EFS encryption
> should be very well managed so that the IT team can either recover such
> documents if something happens to the original account or EFS should be
> hobbled so that users can't turn it on and burn themselves.
>
> Incidentally, since Win 2000, when ever has a frontline helpdesk call
> handler needed domain admin to simply reset a password?
>
> --
> --
> Rob Moir
> Website - http://www.robertmoir.co.uk
> Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
> Kazaa - Software update services for your Viruses and Spyware.
>
>
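
Added example, not part of any post in this thread: the delegated password reset that the quoted reply alludes to (a helpdesk that does not hold domain admin), sketched with `dsacls`. The OU path and the group name are placeholders, not values from the thread.

```powershell
# Placeholders (assumed names, not from the thread)
$ou    = 'OU=Staff,DC=corp,DC=example'      # OU that holds the ordinary user accounts
$group = 'CORP\Helpdesk-PasswordReset'      # group containing first-line helpdesk staff

# Grant the "Reset Password" control access right on user objects below the OU.
# /I:S applies the entry to child objects only; CA = control access right.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Let the helpdesk force "user must change password at next logon"
# (this requires write access to the pwdLastSet attribute).
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"

# Let the helpdesk unlock accounts (read/write lockoutTime).
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Check the result: list the OU's ACL and show only the entries for the helpdesk group.
dsacls $ou | Select-String -SimpleMatch -Pattern $group
```

Scoping the grant to an OU of ordinary users keeps the helpdesk group away from administrative accounts, which should sit outside that OU.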
 
Guest

Like biometrics, what about an employee barcode reader, that's assuming
employee ID cards are barcoded. A remailer would not work, because anyone,
if they knew the employee's username could find out his/her password, and
that's also a problem because if he/she needs the password to get into the
workstation to retrieve said email to get the password ... it's moot. Card
swiper, biometrics are the answer. They sell cheap fingerprint scanners
now.
"RobJaudon" <RobJaudon@discussions.microsoft.com> wrote in message
news:388F9092-0E87-4671-8A08-FE39AF79B1B6@microsoft.com...
>
> I am looking for information on a way to create a "Forgot Password" option
> for users when attempting to login to a workstation. The options that
> have
> been brought up are to modify the MSGINA to have a "Forgot Password"
> button
> to allow the retrieval or generation of the password.
>
> The second option is to create a "Forgot Password" profile that users can
> log in with.
>
> I would assume that with both options the users will have to enter in some
> valid info to retrieve a new password or to display the current password.
>
> My questions are what are the best practices in regards to this and where
> can I go for more information?
>
 
Guest

Robert,

Thank you very much for all your support and information. I will probably
be going to a meeting on this Monday and will bring up the points you have
made. IMO they are all valid and after the meeting, I will have more details.

Cheers
Rob

"Robert Moir" wrote:

> RobJaudon wrote:
> > Robert,
> >
> > Thank you for the reply. This is the kind of help I was looking for.
> > Did you look into Winlogon? I have found this article:
>
> We considered it as a "brainstorming" option before we designed everything
> we felt our solution needed, and then once the design was finished it was
> clear that we needed a "full-on client server application" model to handle
> all the stuff we wanted to achieve so we never went back to modifying the
> startup process.
>
> > To answer your questions, Biometrics have not been looked at and I
> > don't think that is an option at this point. However, this project
> > is just starting and I will ask.
>
> Biometrics are expensive, as are smart cards. However, they will have a very
> large saving on your 1st line helpdesk support function as password reset
> calls will nose-dive (but not disappear).
>
> The advantage of things like these is that you're taking away the
> fallibility of the human memory as a factor in authentication and instead
> working on proving who a person is more directly (biometrics) or by allowing
> them to carry a token that authenticates on their behalf (smartcard).
>
> One simply can't "forget" their retina or fingerprint and leave it at home,
> and while you can leave a smartcard at home, if you also combine it with
> site security employee ID photo cards and door access cards then you've just
> produced something that most employees are probably going to remember 99% of
> the time or their working day will be very difficult.
>
> But all very expensive. Which is why we decided against it.
>
> > Possibly make a custom GPO?
>
> A GPO effectively delivers applications or changes settings on the OS or
> applications that have been delivered already... there isn't a simple
> setting you can "tweak" to do what you or I want, in and of itself.
>
> > This is all new to me so your thoughts are greatly appreciated.
>
> As for the commercial software, there are lots about. Try this one for a
> start.... (You'll notice they've implemented a few of your ideas here, which
> makes it good to know you're on the right track!)
> http://www.psynch.com/overview/features.html
>
>
> --
> --
> Rob Moir
> Website - http://www.robertmoir.co.uk
> Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
> Kazaa - Software update services for your Viruses and Spyware.
>
>
>
 
Guest

Be careful of the cheap fingerprint scanners.
Some are intended for convenience only and should not be used where security
is an issue.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar
http://www.dts-l.org


"Pentium" <pent@anycomp.info> wrote in message
news:%23UWokKatFHA.3080@TK2MSFTNGP15.phx.gbl...
> Like biometrics, what about an employee barcode reader, that's assuming
> employee ID cards are barcoded. A remailer would not work, because
> anyone, if they knew the employee's username could find out his/her
> password, and that's also a problem because if he/she needs the password
> to get into the workstation to retrieve said email to get the password ...
> it's moot. Card swiper, biometrics are the answer. They sell cheap
> fingerprint scanners now.
 
Guest

RobJaudon wrote:
> I am looking for information on a way to create a "Forgot Password" option
> for users when attempting to login to a workstation. The options that have
> been brought up are to modify the MSGINA to have a "Forgot Password" button
> to allow the retrieval or generation of the password.
>


Redesign the OS just to accommodate a twit who forgets his password?
That seems somewhat extreme, and may even be a violation of the EULA.


> The second option is to create a "Forgot Password" profile that users can
> log in with.
>


If the users can't remember their own passwords, how can you count on
them to remember the password for an account that they don't use every day?


> I would assume that with both options the users will have to enter in some
> valid info to retrieve a new password or to display the current password.
>
> My questions are what are the best practices in regards to this and where
> can I go for more information?
>


"Best practice" is to teach users not to forget their passwords.

The two options you've mentioned would completely compromise your
security and eliminate the point for having any passwords at all.

How to Log On to Windows XP If You Forget Your Password or Your Password
Expires
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321305


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 

galen

In news:OrC9GhatFHA.2064@TK2MSFTNGP09.phx.gbl,
Jupiter Jones [MVP] <jones_jupiter@hotnomail.com> had this to say:

My reply is at the bottom of your sent message:

> Be careful of the cheap fingerprint scanners.
> Some are intended for convenience only and should not be used where
> security is an issue.
>
>
> "Pentium" <pent@anycomp.info> wrote in message
> news:%23UWokKatFHA.3080@TK2MSFTNGP15.phx.gbl...
>> Like biometrics, what about an employee barcode reader, that's
>> assuming employee ID cards are barcoded. A remailer would not work,
>> because anyone, if they knew the employee's username could find out
>> his/her password, and that's also a problem because if he/she needs
>> the password to get into the workstation to retrieve said email to
>> get the password ... it's moot. Card swiper, biometrics are the
>> answer. They sell cheap fingerprint scanners now.

Seconded. I was recently reading a very insightful article but didn't keep
the magazine. I did however bookmark one of the links:

http://www.eff.org/Privacy/Surveillance/biometrics/

Biometrics isn't quite ready for the prime time I don't think - the most
important thing is that if you lose it then it's gone for life.

The above site's pretty biased but it's got some good information that I
thought I'd pass along as for reasons to think about avoiding biometrics for
anything with important security concerns such as IP or financial data.

Galen
--

"You know that a conjurer gets no credit when once he has explained his
trick; and if I show you too much of my method of working, you will
come to the conclusion that I am a very ordinary individual after all."

Sherlock Holmes
 
Guest

Robert Moir wrote:
> Bruce Chambers wrote:
>
>
>
> Or it may not be a violation of anything. MSDN includes documentation,
> examples, support and help for people who wish to write their own custom
> GINA.
>
>
>

The OP didn't mention adding another GINA (which I know is
permissible); he specifically asked about modifying MSGINA. As the EULA
contains specific wording to prohibit reverse engineering such as this
task would entail, I felt it best that he be warned of the potential
problem.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
Guest

Most passwords office types (non IT) use are crackable (such as pet names,
birthdays etc.) and employees have to understand that. You can spend
hundreds of thousands coming up with ways to secure the process, but it can
be compromised by one who uses "fluffy" as a password. IT people
(understandably) want the average Joe to remember, or use passes such as
"5TrdG816Jkl00Doo". Teach employees to use ingrained memorable combinations
from childhood, password approaching 300bit USE full address and zip codes
with old childhood phone numbers as passwords. Most people remember those
like it was yesterday. If you don't want to pay for a help desk to remind
people, and the questioner said 40000 people are involved, is something
wrong with that logic? Better to at least have one desk person who's the
keeper of the pass than have forty-thousand people potentially screw your
network. The CEO might want to take 30Gs off his bonus to pay for such a
person. But teaching your employees to use long memorable "addresses", from
their past is the best.

"RobJaudon" <RobJaudon@discussions.microsoft.com> wrote in message
news:388F9092-0E87-4671-8A08-FE39AF79B1B6@microsoft.com...
>
> I am looking for information on a way to create a "Forgot Password" option
> for users when attempting to login to a workstation. The options that
> have
> been brought up are to modify the MSGINA to have a "Forgot Password"
> button
> to allow the retrieval or generation of the password.
>
> The second option is to create a "Forgot Password" profile that users can
> log in with.
>
> I would assume that with both options the users will have to enter in some
> valid info to retrieve a new password or to display the current password.
>
> My questions are what are the best practices in regards to this and where
> can I go for more information?
>
 
Guest

Robert,

This is true. Prior to XP we completely redid the NT GINA and suffered no
ill effects from MS.

"Robert Moir" wrote:

> Bruce Chambers wrote:
> > RobJaudon wrote:
> >> I am looking for information on a way to create a "Forgot Password"
> >> option for users when attempting to login to a workstation. The
> >> options that have been brought up are to modify the MSGINA to have a
> >> "Forgot Password" button to allow the retrieval or generation of the
> >> password.
> >
> >
> > Redesign the OS just to accommodate a twit who forgets his password?
> > That seems somewhat extreme, and may even be a violation of the EULA.
>
> Or it may not be a violation of anything. MSDN includes documentation,
> examples, support and help for people who wish to write their own custom
> GINA.
>
>
>
>
 
Guest

Bruce,

Forgive me for not explaining the problem. I tried to explain it the best I
could and I thank all of you for all of your pointers.

"Bruce Chambers" wrote:

> Robert Moir wrote:
> > Bruce Chambers wrote:
> >
> >
> >
> > Or it may not be a violation of anything. MSDN includes documentation,
> > examples, support and help for people who wish to write their own custom
> > GINA.
> >
> >
> >
>
> The OP didn't mention adding another GINA (which I know is
> permissible); he specifically asked about modifying MSGINA. As the EULA
> contains specific wording to prohibit reverse engineering such as this
> task would entail, I felt it best that he be warned of the potential
> problem.
>
>
> --
>
> Bruce Chambers
>
> Help us help you:
> http://dts-l.org/goodpost.htm
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> You can have peace. Or you can have freedom. Don't ever count on having
> both at once. - RAH
>