[Freeipa-devel] [PATCH] confirm password

Pete Rowley prowley at redhat.com
Fri Sep 7 18:47:32 UTC 2007


Andrew C. Dingman wrote:
> On Fri, 2007-09-07 at 11:09 -0700, Pete Rowley wrote:
>   
>>> Except that it is useful when generating accounts (especially a large
>>> number) and then printing the account information to hand to the user.
>>> We had discussed being able to generate a pdf with the account
>>> information for this purpose.
>>>
>>>   
>>>       
>> Generating a unique password and then printing it out for easy 
>> compromise seems like something we definitely shouldn't be doing or 
>> encouraging. I believe current practice of setting the initial password 
>> tends to fall into two categories:
>>
>> 1) the end user is asked to type it in
>> 2) it is deterministic
>>     
>
> 3) Generate an already-expired password which the user must change at
> first login.
This is a good point, passwords for new accounts should be created in 
this state.
>  Print the thing out and put it in their inbox. Since the
> password has to be changed on first use, any compromise will be detected
> by the user, who WILL contact the helpdesk because they want access to
> their account.
>   
This is a reasonable compromise, but the difference between printing out 
the password and generating a deterministic one that is based on user 
data is quite small (apart from your point about regulatory bodies) - in 
both cases there is an increased chance for compromise.  The important 
issue is being able to detect the compromise in both of these cases.

In any case, I don't think we should try to solve this problem now - it 
is not clear that we would even be solving the right problem.


-- 
Pete
