
SPAM AND SECURITY
Back Door To Password Recovery
Mike Andrews 08.01.2000
Rating: 3.75 (out of 5)




As I see it, the only way for an Admin to restore a forgotten password using the R5 Password Recovery feature is to open the recovery mail-in database, detach the encrypted ID, extract the recovery password(s) and get the ID onto the client's system. For various reasons, it is often difficult to get an ID onto the client's system without physically walking a floppy disk to the client's office. I believe the documentation suggests "sending the ID to the client". If the client forgot his password, he cannot access his mail file, so this must mean sending a copy to a neighbor, which is in itself a huge security risk. In the interest of saving Admin time (and getting a Dog Pound golf shirt), here is a back door to password recovery:

1. The Admin detaches the encrypted ID from the mail-in database and extracts the recovery password as always (detach to the local drive, then use Administrator > Configuration tab > Tools > Certification > Extract Recovery Password). The Admin writes down the password and phones the client.
2. The client launches Notes and Notes asks for his password (which he has forgotten).
3. From the "Enter Password" window the client presses ESC twice, which takes him to the "Choose User ID to Switch to" window.
4. The client double-clicks his ID, which takes him back to Step 2.
5. This time, he presses ESC once from the "Enter Password" window, which takes him to the "Choose User ID to Switch to" window.
6. The client double-clicks his ID, which now takes him to the "Enter Passwords for admin recovery passwords" window.
7. The client enters the recovery password(s) that the Admin dictates over the phone.
8. The client enters and confirms a new password and has recovered use of his ID without a visit from the Admin or his neighbor.

It sounds quite complicated but is really quite easy and does save a ton of time for Admins!