Cool tricks for password recovery


Rob Axelrod
07.14.2004


What universally is the No. 1 call to the help desk? Everywhere I've ever been it is password recovery. The architecture that you put in place to handle it will always have two opposite priorities that you will need to balance: to maintain the highest level of security possible and to make it convenient for both the user and the help desk.

In R4, Lotus introduced the Escrow Agent. This was a step in the right direction but it had one fatal flaw. It meant that ALL of your IDs and passwords were stored in the same place. So any admin who had access to the repository had easy access to everyone's IDs.

The next step for Lotus was the introduction of "Password Recovery," in which copies of each user's ID are sent to a central repository at registration without a password. They have special information encoded in them that allows them to be unlocked, but the passwords have to be changed one at a time -- at a pretty high level of inconvenience. Any administrators can unlock an ID they need, but they can't easily unlock ALL the IDs. In addition, when implemented with password checking on the server, it is difficult for a help desk agent to get around the controls. (In a future tip, I'll document the architecture for setting up a secure ID distribution system for a level one help desk to use.)

Alas, the process for having the IDs sent to the repository is a bit finicky, and even small misconfigurations on the registration box will cause copies of the IDs not to be sent to the ID repository as defined in the certificate's recovery info. Here are a few valuable tricks that I have used to collect them.

Getting the user to accept recovery info after the fact:

If the users won't or can't accept the recovery, but you do have a copy of their IDs somewhere:
