bapple Absent Member.

Case Sensitive Password Policy Migration

I am working on rolling out a password policy that enforces case sensitivity on a subset of our users on 8.8SP7. Everything seems to be working, but I wanted to verify a quirk and get some information on mitigating customer risk.

Based on this KB article, https://www.netiq.com/documentation/edir88/pwm_administration88/data/brvwh0a.html#brvxgqy, the first matching password entered after the policy is in place will be the password case used from that point on. Is this because eDirectory does not store the original case on password set if the policy is not in place? Is there any way to recover the original case?

I would like to prevent any issues of a user accidentally entering the wrong case after the policy is in place and needing to reset due to their original password no longer working. Is this a valid concern?
Knowledge Partner

Re: Case Sensitive Password Policy Migration

On 04/20/2017 01:54 PM, bapple wrote:
>
> I am working on rolling out a password policy that enforces case
> sensitivity on a subset of our users on 8.8SP7. Everything seems to be
> working, but I wanted to verify a quirk and get some information on
> mitigating customer risk.
>
> Based on this KB article,
> https://www.netiq.com/documentation/edir88/pwm_administration88/data/brvwh0a.html#brvxgqy,
> the first matching password entered after the policy is in place will be
> the password case used from that point on. Is this because eDirectory
> does not store the original case on password set if the policy is not in
> place? Is there any way to recover the original case?


Keep in mind this only applies if a user is having NMAS "magically" set
their Universal Password during a login. You may understand this, but
it's worth noting in case you think it applies to every first login after
every password change ever, as that is not the case.

> I would like to prevent any issues of a user accidentally entering the
> wrong case after the policy is in place and needing to reset due to
> their original password no longer working. Is this a valid concern?


Tell them not to mess it up; that'll work. 😉

The reason this happens this way is that the NDS Password is
case-insensitive, so when they log in there is no guarantee they did that
properly, but if they entered the right case-insensitive characters, and
if they have no Universal Password (UP) set already, then NMAS will assume
they did it correctly (right characters, case-insensitively, after all)
and then set the UP to exactly what they passed in, even if that means the
caps-lock version of their password.

Having done this for a long time, I've never heard of big problems here,
and if it did happen, it would probably just be caps lock at fault. You
could in theory set up a webpage or something for their first UP login and
then let them see exactly what they are about to use to set the password,
but that's a bit silly since you'd need to make sure they go to that
website for their login, which is another training ("Just do it right!")
issue.

You could set up IDM to see a password change and e-mail it to the user.
I'm not saying you should do this; you definitely should not as it's a
terrible thing to do security-wise, but it would let you show them exactly
what they really set during their login and implied password-set event.

You could have them log in once, send them an e-mail saying their password
is now magically better, and in that e-mail tell them their new password
should be exactly what they entered at the time of the login; this means
they get timely information, and may be able to look down and see the caps
lock button still pressed, or maybe remember turning that off in the past
minute or so. No need to show them their new password; they can probably
figure things out.

You can, potentially, turn off case-sensitivity with UPs, but you
shouldn't, as it just drags out the problem. Eventually people need to
learn that 'A' and 'a' are different; better now than later.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
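
The first-login behaviour described in the reply above, as an added example that is not part of the original posts and is not NMAS or eDirectory code. It is a simplified model: the `Account` class, the PBKDF2 hashing, the case folding of the legacy credential and the `events` list (standing in for the "password was just set" e-mail trigger) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


def _kdf(password: str, salt: bytes) -> bytes:
    # Stand-in password hash for the model; not the directory's real scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Toy account: case-insensitive legacy password, case-sensitive UP."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        # Model assumption: the legacy credential is case-folded before
        # hashing, so the case the user originally chose is not kept.
        self.legacy = _kdf(password.upper(), self.salt)
        self.up = None      # no Universal Password set yet
        self.events = []    # hook for a notification, never the password

    def login(self, attempt: str) -> bool:
        if self.up is not None:
            # Once a UP exists, comparison is exact-case.
            return hmac.compare_digest(self.up, _kdf(attempt, self.salt))
        # No UP yet: check case-insensitively against the legacy credential.
        if not hmac.compare_digest(self.legacy, _kdf(attempt.upper(), self.salt)):
            return False
        # The UP becomes exactly what was typed, caps lock included.
        self.up = _kdf(attempt, self.salt)
        self.events.append("up_set_on_login")
        return True


def demo():
    # Constructed sample: user chose "Spring2017" before the policy existed.
    acct = Account("Spring2017")
    results = [
        acct.login("SPRING2017"),   # caps lock on at first login: accepted
        acct.login("Spring2017"),   # the case they remember: now rejected
        acct.login("SPRING2017"),   # only the first-login case works
    ]
    return results, acct.events


if __name__ == "__main__":
    print(demo())
```

The single `up_set_on_login` event is the point at which a "your password case is now fixed to what you just typed" message could be sent, without including the password itself.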
bapple Absent Member.

Re: Case Sensitive Password Policy Migration

Thanks for the reply, Ab!

Communication does seem like the best solution here; definitely don't want to keep the problem going.