Will you please just change that password!

There has been some discussion about the initial passwords given to accounts in the enterprise. Too hard and it gets written on a note under the keyboard; too easy and everybody knows it. And then there are the usual suspects:

  • 111
  • 123456
  • 12345678

And if you use the same password to start and reset accounts, can you make the user change it, or will that come back to punish you? The solution I outline below is for organizations that don't or can't install a web-based password reset system. Many web-based services already have a self-service system in place.


To combat the simple password that is set at the start and left in place for evermore, I would offer this as a possible solution.

The problem:

We need to assign a password to user accounts when they are created. We need that password to be easy to get to the user. We need the user to change it to a sufficiently complex password to discourage brute-force password attacks and protect our data.

In discussing the issues around initial passwords some problems have been found.

Using a standard password when creating an account and then requesting that the patron change it has mixed results. Some never change the password. Using a formula, or simply one fixed initial password, means that anyone ever hired may have access to the accounts of others.

One method to combat this could be:

  • Generate a list of eight-character random passwords for initial account or forgotten-password use.
  • Define a period of use, one month as an example.
  • Assign a different password for each month.
  • Only use the password assigned for that month when creating or resetting passwords.
  • Do not reuse last year’s passwords, generate a new set each year.


This method should cause the user to change their password rather than try to remember the random one. It should also minimize the possibility of account theft by changing the initializing password each month.

Combining this with a minimum password length and composition rule (capitals, numbers and eight characters) may make your process more secure, or at least less leaky.
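As an added illustration (my own example code, not part of the original post), here is a small Python script that implements the scheme above: it generates a year's worth of eight-character random initial passwords, one per month, refuses to reuse last year's set, looks up the only password the help desk may hand out this month, and lists accounts that are still sitting on one of this year's initial passwords. The exact composition rule (a capital, a lower-case letter and a digit), the dropped look-alike characters, and the SHA-256 stand-in for the directory's real credential check are assumptions of mine, as are the helper names.

```python
"""Monthly rotating initial passwords: generate, look up, and audit.

Added example, not the post's own code. Assumes a policy of exactly
eight characters with at least one capital, one lower-case letter and
one digit; the helper names are hypothetical.
"""
import hashlib
import secrets
import string
from datetime import date

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumption: drop look-alike characters so the password survives being
# read out over the phone or copied from a printout.
ALPHABET = "".join(c for c in UPPER + LOWER + DIGITS if c not in "0O1lI")


def meets_policy(password, length=8):
    """Exactly `length` characters with a capital, a lower-case letter and a digit."""
    return (
        len(password) == length
        and any(c in UPPER for c in password)
        and any(c in LOWER for c in password)
        and any(c in DIGITS for c in password)
    )


def generate_initial_password(length=8):
    """Rejection-sample from the OS CSPRNG until a candidate meets the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


def generate_year_set(previous_passwords=()):
    """One password per month (keys 1..12), none repeating a prior year's set."""
    used = set(previous_passwords)
    year_set = {}
    for month in range(1, 13):
        candidate = generate_initial_password()
        while candidate in used:          # never reuse, within or across years
            candidate = generate_initial_password()
        used.add(candidate)
        year_set[month] = candidate
    return year_set


def initial_password_for(year_set, when=None):
    """The only password the help desk may hand out in the month of `when`."""
    when = when or date.today()
    return year_set[when.month]


def sha256_hex(password):
    """Constructed stand-in for the directory's real (salted) credential check."""
    return hashlib.sha256(password.encode()).hexdigest()


def still_on_initial(accounts, year_set, verify=None):
    """Usernames whose stored credential still matches any initial password.

    `accounts` maps username -> stored credential; `verify(password, stored)`
    is whatever check the real system offers (here, the SHA-256 stand-in).
    """
    verify = verify or (lambda pw, stored: sha256_hex(pw) == stored)
    return sorted(
        user for user, stored in accounts.items()
        if any(verify(pw, stored) for pw in year_set.values())
    )


if __name__ == "__main__":
    last_year = generate_year_set()
    this_year = generate_year_set(previous_passwords=last_year.values())
    for month, pw in this_year.items():
        print(f"{month:2d}: {pw}")
    # Constructed audit data: alice never changed her March password.
    audit = {"alice": sha256_hex(this_year[3]), "bob": sha256_hex("Changed9x")}
    print("still on an initial password:", still_on_initial(audit, this_year))
```

The audit function is the piece that answers the post's worry about users who never change the password: because the administrator knows the twelve initial values, the directory's own credential check can be run against each of them for every account, and anyone still matching gets a reminder or a forced change.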


Posted in commentary

Chromebook Recovery

I thought I would make a recovery USB drive for my Samsung Chromebook II. First I tried at work, using the student wireless network. That was a flop: I tried three times to download the recovery image, but it failed. The sanctioned instructions are here: https://support.google.com/chromebook/answer/1080595. I tried again at home and had the image in 10 minutes, installed to the USB drive shortly thereafter. It could also have been a microSD card; it's just that I had a spare USB drive.

I have to tell you, though, that I tried to follow the instructions and use another computer, and it did not work. It seemed that I could not get the correct install image just from the model number. So the recovery plan became: install the recovery tool on the Chromebook itself and make the drive there. So I did; it chose the correct image to put on the drive at the time of making and created the recovery drive.

After that I thought, well, now you have made it, but does it work? So I looked up the key sequence for my Chromebook. That would be, from a powered-off state, hold the Escape and Reload keys while pressing the power key. I plugged the drive in and off it went. It began booting from the drive and started verifying the image. Now, you would think there would be a pause to let you choose to recover or stop. No, it went straight to recovery, and once started you may not stop!

Twenty minutes later I was rebooting the Chromebook and signing in to my account again. A little code from the Google authentication app on my iPhone, enter your sync password, and all your settings are restored. You may have an update happen right away if the image is not the current patch, as mine was not, but then you are just a reboot away from getting back to work or, in my case, writing a post.

Posted in commentary