News Stay informed about the latest enterprise technology news and product updates.

Assigning initial passwords

It started with an innocent enough SearchDomino.com poll question: "How do you assign initial passwords to Notes IDs and Domino Web accounts?" When it was all said and done, however, resident security expert Chuck Connell ended up floored -- literally. Read Chuck's explanation of his reaction to the recent member poll results.

When I saw the results of the latest SearchDomino.com readers' poll, I fell out of my chair. On the way to the floor I knocked over my Jolt cola and spilled a whole day's supply of Doritos. Picking myself up, my BlackBerry caught on my pocket protector and fell into the puddle of soda.

And what poll result evoked this response? It was the recent poll that asked, "How do you assign initial passwords to Notes IDs and Domino Web accounts?" The answers from a reasonable sample of 125 respondents were the following:

  1. Common password for all IDs, and instruct users to leave as is: 4%
  2. Common password for all IDs, and instruct users to change it: 43%
  3. Unique simple password (such as jsmith or bjones): 19%
  4. Unique complex password (such as Blue*jacKet or rtv4$ner): 24%
  5. Other: 8%

This means that 66% of responders (the sum of the first three choices) use password assignments that are woefully inadequate -- hence the chair incident.

The problem with Choice #1 is obvious; everyone in the organization will have the same password and everyone will know everyone else's password. In effect, the whole user account process is empty with this style of password management. From a security standpoint, there is little difference between this practice and creating just one account named "User" and giving it to everyone.

Choice #2 is slightly better, in that users are asked to change the initial password they are given. This practice still has two major problems, however. It is well known that many users do not change their initial passwords, even when asked to. So a good percentage of users in these organizations will have the same password and everyone will know what it is. Also, all the original copies of the Notes ID files will continue to have the initial password, even for users who do change it right away.

In a typical scenario, system administrators keep the original copies of Notes ID files and give another copy to each new user. The changed password only applies to the user's copy. Therefore, anyone who gains access to the administrators' set of ID files will know the password for all of them. Of course, if administrators do not keep an original copy at all and instead rely on password recovery, then this second problem is mitigated. But we all know that administrators often retain an original copy of all IDs. And, to be fair, server-side password checking also mitigates this problem, but not all organizations use it.

Choice #3 also leads to an insecure system because all the initial passwords are easy to guess. If my initial password was "chuckc," I will have a very good chance of breaking into someone else's Webmail account by just trying the similar password associated with other usernames. I will successfully break into the account of anyone who did not change his or her initial password.

Choice #4 is the only secure way to assign initial passwords for Notes IDs and Domino Web accounts. (Or any other computer system.) If a user never changes the initial password, that is OK, since the password is unique and high-quality. Most likely, users will change these passwords, however, since they are often too hard to type and remember. Difficult passwords have the nice feature that users want to change them. One of the problems I mentioned above is not completely solved, since administrators can still keep a copy of each ID file and its initial password. But this is much harder to do when each password is unique. The administrator will have to keep a written list of all username/password pairs, which is less likely than the administrator remembering one password for all accounts.

The moral of this tip: Please practice good password assignment. For the sake of my next can of Jolt, there is a password tool on my download page that makes the task very easy. The tool works in two modes: one-shot passwords and writing a set of passwords to a file. You can control how many passwords are generated and how long each one is.

 


Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes. CHC-3 allows companies to outsource their Domino administration needs via DominoAdministration.com and runs the popular security site DominoSecurity.org.

Dig Deeper on Domino Resources - Part 2

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Chuck, I'm laughing near you...not at you. Just had the same experience. A group for which I volunteer just had their blog created and the whole team of officers were provided usernames and passwords. Guess the password. Yes. Who's on first? Password. Yes, that's right. We all got 'password' as our password and were instructed, but not required to change it. Fun stuff this technology!
Cancel
I have been in other organizations who do such bone-headed assignments of passwords; however, as the Net Admin where I work, I use approach #4. Though I have a standard algorithm for creating initial/default passwords for users, it is known only to me and would not be easily guessed.
Cancel

-ADS BY GOOGLE

SearchWindowsServer

Search400

  • iSeries tutorials

    Search400.com's tutorials provide in-depth information on the iSeries. Our iSeries tutorials address areas you need to know about...

  • V6R1 upgrade planning checklist

    When upgrading to V6R1, make sure your software will be supported, your programs will function and the correct PTFs have been ...

  • Connecting multiple iSeries systems through DDM

    Working with databases over multiple iSeries systems can be simple when remotely connecting logical partitions with distributed ...

SearchDataCenter

SearchExchange

SearchContentManagement

Close