Lost User Account Passwords

Scot L. Harris webid at cfl.rr.com
Wed Feb 2 20:45:41 UTC 2005


On Wed, 2005-02-02 at 13:26, Goose Gosswiller wrote:
> Tim Alberts <talberts <at> msiscales.com> writes:

> IMHO it's never a good idea to dual post passwords. The passwd/shadow scenario
> is a single pass one way encryption -- don't know of anyone that's cracked one
> yet!!!
> In my world if someone forgets the password, root resets and the user runs the
> passwd command. New password!!!! Period!!!!
> If you don't want root to have to intervene you may try to run a "sudo passwd 
> one time only script" that allows the user to reset their own password, but it
> should be done with the option to "change on first log in" and when the script
> is finished the user is not left in root.......
> Just my two pennies.....
> cheers
> goose


While the password encryption scheme used on Linux and most unix systems
is one way, they are susceptible to dictionary attacks.  I think it was a
package called COPS that I used once on a VAX 11/780 system running a
BSD type OS many years ago.  I fed it a copy of the shadow file and it
spit out about 70% of the users' passwords on the system.  (I had
permission from my boss to run the tool to check security.)  Users pick
horrible passwords most of the time.

For the OP's problem, he should set up a process that lets users request
their passwords be reset.  A new password is generated and sent to
them.  If possible mark the account such that the password MUST be reset
on first login.  Or at least send out a sufficiently long random
password that the users will choose to change it at the first
opportunity available.

Mind you the danger here is that you are sending passwords via email
which for 99% of the users out there is NOT encrypted.  I would
recommend you not use the word password in the message to reduce the
chance that someone could scan for such emails.


-- 
Scot L. Harris
webid at cfl.rr.com

Blessed are they that have nothing to say, and who cannot be persuaded
to say it.
		-- James Russell Lowell 
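The reset procedure described in the message above, written out as an added example (not a script from the thread or from Fedora): generate a long random value, set it, expire it so the first login forces a change, and word the notice without the word "password". It assumes a Linux box with shadow-utils (chpasswd, chage) and /dev/urandom, and must be run as root.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux shadow-utils
# (chpasswd, chage) and /dev/urandom; run as root.

# Generate a random value of $1 characters drawn from [A-Za-z0-9].
# 16 such characters is about 95 bits of entropy (62^16), well outside
# the reach of the dictionary attacks mentioned above.
gen_password() {
    len=${1:-16}
    out=""
    # /dev/urandom bytes are filtered down to the allowed alphabet; loop
    # until enough characters have accumulated, then trim to length.
    while [ "${#out}" -lt "$len" ]; do
        chunk=$(head -c 64 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
        out="$out$chunk"
    done
    printf '%s' "$out" | cut -c1-"$len"
}

# Build the notification text. It deliberately never says "password",
# so the mail is harder to pick out by keyword scanning in transit,
# and tells the user the value is temporary.
notice_text() {
    user=$1
    secret=$2
    printf 'Hello %s,\n\nYour temporary login credential is: %s\n' "$user" "$secret"
    printf 'You will be required to choose a new one at your first login.\n'
}

# Reset one account: set the temporary value, then set the "last changed"
# date to day 0 (chage -d 0) so the system forces a change at next login.
reset_user_password() {
    user=$1
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    secret=$(gen_password 16)
    printf '%s:%s\n' "$user" "$secret" | chpasswd
    chage -d 0 "$user"
    notice_text "$user" "$secret"   # pipe this into mail(1) or similar
}

# Usage: sudo ./reset-user.sh USERNAME
if [ $# -ge 1 ]; then
    reset_user_password "$1"
fi
```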