Educause Security Discussion mailing list archives

Re: Change Password on Next Login via Web


From: Oscar Knight <knightod () APPSTATE EDU>
Date: Wed, 27 Apr 2011 10:42:13 -0400

On 4/26/2011 9:19 PM, Matt Giannetto wrote:
> Folks,
>
> We’re trying to improve our registration process via the web and are
> running into a roadblock.  I’m hoping I can poll the group and find
> out how other schools are tackling this problem.
> ...
> We’re also looking for something that can help facilitate password
> expiration, such as emailing the user, "Your password will change in
> X number of days, please click here to change it".  If it makes a
> difference, we also use Forefront Identity Management.

I don't think you want to send a link to your password management
system in an email.  You will be training your users to fall prey
to phishing attempts.  You will want your web-based password
management system to be well known and easily accessible from your
default web pages.  Train your users on how to access this facility
up front.  You can still send an email and you can tell them they
need to visit the password management page, just don't put in a
link.

The following is just an idea.  I welcome comments from others
regarding its sanity.  With respect to your web-based password
management system, you could run a separate auth system.  It could
be anything, even LDAP.  You would keep this system in sync with
your AD.  The password management system would auth against this
service.  This is not simple and there are lots of potential
problem areas.  But it does add flexibility with respect to
maintaining different states for users.  I believe you get the
most benefit from something like this when you have multiple other
auth systems which also need syncing.

Hope this helps,
odk
--
NOTE: ASU ITS will NEVER ask you for your password in an email!
Oscar D. Knight                           knightod at appstate dot edu
ITS                                                Voice: 828-262-6946
Appalachian State University, Boone, NC 28608        FAX: 828-262-2236
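As an added worked example (not code from this thread, from Appalachian State ITS, or from Forefront Identity Manager), the following shows how the two states the thread is about, "must change password at next login" and "password expires in X days", can be derived from raw Active Directory attribute values, and how the resulting notice can follow the advice above: name the password management page, but put no link in the mail. The attribute values, the account names and the portal name are constructed assumptions for the sake of the example.

```python
"""
Derive Active Directory password states ("must change at next login",
"expires in N days", "expired", "never expires") from raw attribute values,
and build a link-free expiry notice.

Added example for this thread; it is not code from the list, from
Appalachian State ITS, or from Forefront Identity Manager.  All sample
values below are constructed, and the portal name is an assumed placeholder.
"""
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bit "password never expires".
UF_DONT_EXPIRE_PASSWD = 0x10000

# maxPwdAge on the domain object is a negative tick count; this sentinel
# (and 0) means passwords never expire.
MAX_PWD_AGE_NEVER = -(2 ** 63)

PORTAL_NAME = "the ITS password management page"  # assumed placeholder


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample input."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_state(pwd_last_set: int, max_pwd_age: int,
                   user_account_control: int, now: datetime):
    """Return (state, days_left).

    state is one of 'must_change', 'never_expires', 'ok', 'expired';
    days_left is None for the first two, otherwise the signed number of
    whole days until (negative: since) expiry.
    """
    # pwdLastSet == 0 is how AD records "user must change password at next logon".
    if pwd_last_set == 0:
        return "must_change", None
    if (user_account_control & UF_DONT_EXPIRE_PASSWD
            or max_pwd_age in (0, MAX_PWD_AGE_NEVER)):
        return "never_expires", None
    max_age = timedelta(microseconds=(-max_pwd_age) // 10)
    expires_at = filetime_to_datetime(pwd_last_set) + max_age
    days_left = (expires_at - now).days
    return ("expired" if expires_at <= now else "ok"), days_left


def expiry_notice(username: str, state: str, days_left,
                  portal_name: str = PORTAL_NAME):
    """Plain-text e-mail body.  It names the portal and says how to reach it,
    but deliberately contains no URL, per the advice in the thread."""
    if state == "must_change":
        lead = f"{username}: your account is set to change its password at next login."
    elif state == "expired":
        lead = f"{username}: your password expired {-days_left} day(s) ago."
    elif state == "ok":
        lead = f"{username}: your password will expire in {days_left} day(s)."
    else:
        return None  # nothing to send
    return (lead + f" Open {portal_name} from the university home page to change it."
            " This message never contains a link and never asks for your password.")


def has_link(text: str) -> bool:
    """Cheap guard for outgoing mail: refuse anything that looks like a URL."""
    return "://" in text or "www." in text.lower()


# Constructed sample input: a 90-day policy, evaluated on 2011-04-27.
SAMPLE_NOW = datetime(2011, 4, 27, tzinfo=timezone.utc)
NINETY_DAYS = -90 * 24 * 3600 * 10_000_000          # maxPwdAge for 90 days
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2011, 3, 1, tzinfo=timezone.utc))
SAMPLE_OLD_PWD_LAST_SET = datetime_to_filetime(datetime(2010, 12, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, pls, uac in [("must_change_user", 0, 0x200),
                           ("current_user", SAMPLE_PWD_LAST_SET, 0x200),
                           ("stale_user", SAMPLE_OLD_PWD_LAST_SET, 0x200),
                           ("service_acct", SAMPLE_PWD_LAST_SET, 0x10200)]:
        state, days = password_state(pls, NINETY_DAYS, uac, SAMPLE_NOW)
        body = expiry_notice(name, state, days)
        if body is not None and not has_link(body):
            print(body)
```

In a real deployment the three attribute values would come from an LDAP search against the domain controller (pwdLastSet and userAccountControl on the user, maxPwdAge on the domain naming context), and the resulting mail would be sent to the user with the same text; the has_link guard is there so that a later template edit cannot quietly reintroduce a clickable link.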

