Cool tricks for password recovery

What universally is the No. 1 call to the help desk? Everywhere I've ever been it is password recovery. The architecture that you put in place to handle it will always have two opposite priorities that you will need to balance: to maintain the highest level of security possible and to make it convenient for both the user and the help desk.

In R4, Lotus introduced the Escrow Agent. This was a step in the right direction but it had one fatal flaw. It meant that ALL of your IDs and passwords were stored in the same place. So any admin who had access to the repository had easy access to everyone's IDs.

The next step for Lotus was the introduction of "Password Recovery," in which copies of each user's ID are sent to a central repository at registration without a password. They have special information encoded in them that allows them to be unlocked, but the passwords have to be changed one at a time -- at a pretty high level of inconvenience. Any administrators can unlock an ID they need, but they can't easily unlock ALL the IDs. In addition, when implemented with password checking on the server, it is difficult for a help desk agent to get around the controls. (In a future tip, I'll document the architecture for setting up a secure ID distribution system for a level one help desk to use.)

Alas, the process for having the IDs sent to the repository is a bit finicky, and even small misconfigurations on the registration box will cause copies of the IDs not to be sent to the ID repository as defined in the certificate's recovery info. Here are a few valuable tricks that I have used to collect them.

Getting the user to accept recovery info after the fact:

1. On a regular basis, I generate a fresh set of recovery extract files from my certificates (*.idb). This is done by selecting "Edit Recovery Information" and selecting "Export" from the dialog. I have all of these extracts sent to myself.
2. Then, I run an agent that reconciles my names.nsf against my repository of ID files to establish whose IDs I need to collect.
3. I can then send copies of the *.idb files to the users whose IDs I am missing with instructions for selecting "Actions-Accept Recovery Info" from the menu with the memo open. In ND6, all they need to do is put in their passwords, and the IDs will be sent back to the repository. In R5, it's pretty simple too; there are just a few more steps, but they're easy.
4. You can actually set up a scheduled agent that keeps sending them these extract files until their IDs appear in the recovery database.

If the users won't or can't accept the recovery, but you do have a copy of their IDs somewhere:

1. I had a situation where I had a set of about 300 IDs that I had the files for, but weren't in the recovery database. Unfortunately, I didn't know if the IDs themselves had recovery information in them. I certainly couldn't go through each one by hand, so I needed an automated way. What I discovered is that if you look at the ID file as a text file, the names of the recovery agents are in there in CLEAR TEXT! (Of course they are. The reason you need them is because you don't know the password, which is the thing that scrambles up the ID in the first place) I just wrote a quick agent that goes through a bunch of IDs and tells me which have recovery and which don't. See script below.

Sub Initialize
 Dim idcontents As String
 Dim outputdirectory As Variant
 Dim idstoprocess As Variant
 Dim uiw As NotesUIWorkspace
 Dim RecoveryAgent As String
 On Error Resume Next
 Set uiw = New NotesUIWorkspace 
 outputdirectory = uiw.SaveFileDialog
(True, "Output File Directory")
 idstoprocess = uiw.OpenFileDialog
(True, "Select ID's to 
process", "*.id", "", "")
 RecoveryAgent = Inputbox("What is 
the name of the recovery agent") 
 Open outputdirectory(0) & "\" & 
"haverecovery.txt" For Append As #2
 Open outputdirectory(0) & "\" &
 "missingrecovery.txt" For Append As #3
 Forall ids In idstoprocess
  Open ids For Input As #1
  Do Until Eof(1)
   Input #1, idcontents
   If Instr(idcontents, RecoveryAgent) Then
    Print #2, ids
   End If
   idcontents = ""  
  Loop
  Close #1
 End Forall
 Close #2
 Close #3
End Sub

Do you have comments on this tip? Let us know.

Please let others know how useful it is via the rating scale below. Do you have a useful Notes/Domino tip or code to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.

Rate this Tip To rate tips, you must be a member of SearchDomino.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Spam and Security Securely connect Lotus Domino servers on different domains Protect Lotus Notes from malicious code with the Domino ECL How to correct Lotus Notes public key mismatches in four easy steps A recipe for secure IM success Telecommuter security kit Spear phishing: Don't be a target FAQ: Lotus Notes Domino password issues Security awareness training: How to educate employees about spyware Seven tips to strengthen your Domino e-mail security Admin2005 preview: Tips, techniques, and a look at Notes/Domino Rel. 7 Lotus Notes Domino Password Management An introduction to ID Vault in Lotus Notes/Domino 8.5 How to manage passwords to secure Lotus Notes/Domino environments An introduction to Lotus Notes password options and essentials Secure Lotus Notes 8 with the Internet password lockout feature Lotus Notes Domino password management tips Cracked users' HTTP passwords still a threat on many Lotus Notes R6 and R7 domains Multiple new Sober variants spy on passwords Resetting a Lotus Notes password FAQ: Lotus Notes Domino password issues Hashing out stronger password authentication RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.