I would like to update the oracle DEFAULT profile to use a new PASSWORD_VERIFY_FUNCTION.
If I change this, what happens to users that are already using this DEFAULT profile? Will they need to reset there password, or will they go unchanged?
I have no means to test this at the moment.
Thanks.
The password related parameters of a profile are only checked at the time a password is changed or created. So changing any of them will have no immediate effect. The next time a password is changed, the profile will be checked, and the specified password verify function will be invoked at that time.
And FWIW, same thing applies to password expiration. If password expiration is specified, when a password is created/changed, the user's password expiry date is set per the profile. Changing the expiration rule in the profile has no effect on existing password expiry date. They will expire based on the rule in effect at the time the password is changed, then the next time they are changed, the new expirey will be set based on the profile rule at that time.
Related
I am working on the windows credential provider
We start our project based on this https://github.com/DavidWeiss2/windows-Credential-Provider-library
We want to make this authentication passwordless. Therefore we have a "database" in forms of external file that keep the password, username and domain pairs. Due to security reason we hashed it. (eg: C:\Temp\MyCredsDatabase.dat)
If the user change the password from window's Built-in GUI System -> Account -> Sign-in Option -> Change Password, the next login will be failed simply because the user already update their password but our database still using the old password
Well, if I decrypt the password directly from the Microsoft's SAM database it will be whether illegal or hard because Windows keep updating their security package to secure this database.
Is there any possibility that whenever user update the password, we get the password value, and update our "database"?
Or should I save our local database's content with another format?
Like, instead of using the user's information in a plain text for login using our Custom Credential Provider, can I use part of the SAM's value to login?
Your credential provider should implement the CPUS_CHANGE_PASSWORD scenario which is triggered in the change password GUI workflow.
At that point, in ICredentialProviderCredential::GetSerialization, you should have the raw non encrypted password value.
Then in ICredentialProviderCredential::ReportResult, if NTSTATUS == STATUS_SUCCESS you could do whatever you want, including updating your database.
I am working on a Laravel project. I need to be able to create a user, mark that user with a number for their 'plan_id', and then invite them to log in and change their password. Currently, I am creating a user, adding the 'plan_id', and setting the password to a generic term like 'password'. I don't have info like their SSN or DOB that I could set it to initially.
While this does work, I don't know that it follows best practices. The only other thing I can think of is setting up another table that matches up the user's email address to the 'plan_id'. I don't want to do this because it makes it possible that the user accidentally signs up with another email and can't figure out why their portal is not working.
It doesn't sound like a great idea to set all new passwords to "password". It looks like your application is creating users, then letting each user know they have an account, as opposed to the user initiating this process. This would mean that you can't have the user pick a password.
Consider not creating a password at all, but sending an email to each new user containing a link to your system with a unique key that you store in the database user record. The user could then access the system, and it would ask them to pick an email and password to be registered with. You could have the keys expire after a number of days.
The easiest way to do this would be to generate a completely random password for the user and then email them a password reset link. The potential pitfall of this is that password reset links expire, by default after 1 hour though you can change it in config/auth.php.
No more works password for admin. In archiva.xml admin is in default users.
And not propose on start page to set admin password.
Already tried deleted users dir. Problems persists.
Any ideas please?
From my personal experience, I've had success by resetting the Admin password 6 times (the default amount of previous passwords stored by Archiva) to retain the same password. Make sure that the admin's email address is set to an email address belonging to an account that you can access.
You could reset your password 1 time of course, but that might entail you having to change your password in multiple places, such as your Maven settings.xml, Jenkins, etc.
I have a PowerShell script which does the following on Windows 7 computers:
Get a random password from a secure server-side application
reset the password of a specific local user account using this password value
As a next step, I want to periodically check if the password saved on the server is still valid. For now, I am using ValidateCredentials from System.DirectoryServices.AccountManagement.PrincipalContext (see Powershell To Check Local Admin Credentials) but it involves to unencrypt the password and send it back to the computer just for this purpose.
Do you see any better way to check if password is still valid avoiding to use clear text password ? Is it possible to compare some hash, or anything else ?
Regards.
You can check the attribute PasswordAge and do a little math to see if the last time the password was changed was the time you set the password.
I'm very new to ion-auth so apologies in advance if this is a dumb question.
I have a feature request from a user (an admin) where they would like to be able to switch into another user's account to see the app from their point of view. The use-case here is that the admin would find the user in question's account in our user admin page in the app, then click a button to effectively 'become' that user.
Any ideas how this would be achieved?
Many thanks
Pete
#Pete,
What you're asking for is what is sometimes called "hijacking" the account.
There isn't currently a feature for that, but essentially what you need to do is:
1) destroy the current session
2) rebuild the session as the user you want to highjack
3) make sure the logged_in session variable is also set.
Passwords are all hashed, but I think it would be pretty straightforward to write a login function for yourself that doesn't go through the password hashing as part of the login steps.
In other words,
1) log out
2) look up the user id's username & password
3) login directly with that password, not a hashed version
Of course, you'll want to be very careful about your security
You need to alter the users_groups table adding a "status" field, in order to set true/false the current user_group.
Then, upgrade the model with a function that makes the following:
Get the current group and sets his status to false.
Get the new group and set his state to true.
Redirect to home page of selected group.
With this change, you can regenerate all the user`s data session and navigate as the selected user.