EduGeek thread: Self Service Password Reset (in Projects)
  1. #1

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,329
    Thank Post
    622
    Thanked 1,578 Times in 1,415 Posts
    Rep Power
    413

    Self Service Password Reset

    OK guys, here's the first attempt at this. I'm hoping some of you may like to take it and improve it and share the results.

    In the zip file are 2 folders and the database. At the moment it is an Access database but could easily be moved to MySQL, I suppose.

    The register folder needs to be extracted to a web directory with integrated authentication and the reset one to a web folder with anonymous access.

    The database can be put anywhere and the asp files modified to reflect this.

    The user running the reset web page has to have correct access to be able to reset passwords and I'm not sure what these need to be as mine seems to work at the moment.

    The code is a bit messy but seems to work. The answers to questions 1 & 2 are md5 encoded in the database but the 3rd one is left as clear text as it could form the basis of a helpdesk check that a person is who they say they are.

    At the moment the password that theirs is changed to is hard coded but this could be easily changed to a form to allow them to pick their own.

    There is no styling on the forms and HTML at the moment; again I'm hoping someone that's better than me at pretty HTML could help out.

    I'd also like to improve the questions so that they can't answer the same question 3 times which they can at the moment but that's for version 2 maybe.

    If anyone tries it and has problems let me know.

    Cheers,

    Ben

  3. #2

    plexer's Avatar

    Re: Self Service Password Reset

    31 views and no comments from anyone?

    Ben

  4. #3

    webman's Avatar
    Join Date
    Nov 2005
    Location
    North East England
    Posts
    8,401
    Thank Post
    637
    Thanked 961 Times in 661 Posts
    Blog Entries
    2
    Rep Power
    319

    Re: Self Service Password Reset

    It's only been downloaded twice

    I had a look at the code and the DB structure. It looks good, seems as though it will provide some good results... haven't had time to test the actual scripts yet though.

  5. #4

    russdev's Avatar
    Join Date
    Jun 2005
    Location
    Leicestershire
    Posts
    6,918
    Thank Post
    708
    Thanked 550 Times in 365 Posts
    Blog Entries
    3
    Rep Power
    204

    Re: Self Service Password Reset

    will have look at it end of this week

    russ

  6. #5

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire
    Posts
    9,930
    Thank Post
    1,337
    Thanked 1,780 Times in 1,105 Posts
    Blog Entries
    19
    Rep Power
    594

    Re: Self Service Password Reset

    Passed onto my NM for a look.

  7. #6

    Join Date
    Feb 2006
    Location
    South Gloucestershire
    Posts
    23
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Self Service Password Reset

    Hi,

    I like the idea, although children's inability to be original means that we may have to think carefully about the questions or they could become guessable.

    A cursory look at the code shows that you are passing the user name in the form and trusting that to be correct, where I can see some of our more able hackers spoofing the form data (I have one - thankfully on the side of the angels - who would do it just for the challenge)

    Given that you are trusting ASP to return the user and then submit that as a hidden field, could you not make that calculation in the register_user.asp so that it need not be passed?

    Also, it would be nice to have the student need to bring something physical to the equation. If you made the system generate one of the answers, perhaps as a long random number, you could have the confirmation screen display it as a bar code to be printed and used as an unlock ticket - your reset terminal would need a bar code reader but it would mean that physical theft would be involved to steal someone's password, which is a reasonable deterrent.

    You could force a re-registration after every unlock to make the key one time only which would also enhance the security.

    I will try & install it on a machine somewhere that serves ASP and play with the functionality later so these are only initial thoughts.

    Keep up the good work

  8. #7

    plexer's Avatar

    Re: Self Service Password Reset

    Hi SG,

    All good ideas. Yes the form responses could be spoofed.

    I will look into maybe passing them as session variables or something instead and changing register_user.asp so it gets the username there instead.

    The physical ticket idea is good but if it was something that was printed then they could lose it. Maybe a confirmation code that they have to write down.

    I suppose I could use another field in the database to store if they had unlocked and then make them re-register next time they logged in.

    Cheers,

    Ben
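
Deriving the username inside register_user.asp, as discussed in the two posts above, could look like the following. This is an added example, not code from the attached zip; the `Refuse` helper, the DSN and the table and column names are assumptions.

```vbscript
' Body of register_user.asp (goes inside <% ... %>). Added example.
Option Explicit

' IIS fills LOGON_USER as DOMAIN\user when integrated authentication
' is on for the folder; it is empty when the request is anonymous.
Function AuthenticatedUser()
    Dim raw, pos
    raw = CStr(Request.ServerVariables("LOGON_USER"))
    pos = InStrRev(raw, "\")
    If pos > 0 Then raw = Mid(raw, pos + 1)
    AuthenticatedUser = LCase(Trim(raw))
End Function

' Hypothetical helper: send a status line and stop processing.
Sub Refuse(statusLine, message)
    Response.Status = statusLine
    Response.Write Server.HTMLEncode(message)
    Response.End
End Sub

Dim strUsername, posted
strUsername = AuthenticatedUser()
If strUsername = "" Then Refuse "401 Unauthorized", "Sign-in required."

' The form no longer needs a username field. If an old copy of the form
' still posts one and it names a different account, reject the request.
posted = LCase(Trim(CStr(Request.Form("username"))))
If posted <> "" And posted <> strUsername Then
    Refuse "400 Bad Request", "Username does not match the signed-in account."
End If

' Store against the server-derived name using a parameterised command.
' The DSN, table and column names are hypothetical placeholders.
Const adVarWChar = 202, adParamInput = 1
Dim conn, cmd
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=sspr"
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "UPDATE users SET answer3 = ? WHERE username = ?"
cmd.Parameters.Append cmd.CreateParameter("a3", adVarWChar, adParamInput, _
    255, CStr(Request.Form("answer3")))
cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, _
    64, strUsername)
cmd.Execute
conn.Close
```

This only applies to the register folder: the reset folder runs with anonymous access, so `LOGON_USER` is empty there and the typed username is just a lookup key, with the answers doing the authentication.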

  9. #8
    fooby's Avatar
    Join Date
    Dec 2005
    Posts
    351
    Thank Post
    0
    Thanked 5 Times in 4 Posts
    Rep Power
    19

    Re: Self Service Password Reset

    Is there a way to load this at logon somehow? Because if they can't logon, how can they reset their password?

    Just a thought

  10. #9

    webman's Avatar

    Re: Self Service Password Reset

    Quote Originally Posted by fooby
    Is there a way to load this at logon somehow? Because if they can't logon, how can they reset their password?

    Just a thought
    Create a locked-down passwordless account called "resetpassword" whose shell is a web browser that loads that page.

  11. #10

    Join Date
    Mar 2006
    Location
    Bradford
    Posts
    99
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Self Service Password Reset

    If they're on XP why can't they just right click on 'Change Password' button of the Ctrl-Alt-Del menu?

    Though I actually have that button disabled through GP.

  12. #11

    webman's Avatar

    Re: Self Service Password Reset

    Quote Originally Posted by MrDylan
    If they're on XP why can't they just right click on 'Change Password' button of the Ctrl-Alt-Del menu?
    Because you can only get that button once you have logged in. And to log in you need your current password - hence this self-service password reset for if it has been compromised/forgotten ...

  13. #12


    Re: Self Service Password Reset

    Quote Originally Posted by webman
    Quote Originally Posted by MrDylan
    If they're on XP why can't they just right click on 'Change Password' button of the Ctrl-Alt-Del menu?
    Because you can only get that button once you have logged in. And to log in you need your current password - hence this self-service password reset for if it has been compromised/forgotten ...
    ahh right, thanks.

  14. #13
    Irazmus's Avatar
    Join Date
    Feb 2006
    Location
    Suffolk
    Posts
    313
    Thank Post
    13
    Thanked 20 Times in 15 Posts
    Rep Power
    22

    Re: Self Service Password Reset

    Plexer,

    Very nice idea, although I have a feeling that unless we force the kids to register their answers to the questions, some will never bother, defeating the object somewhat.

    To force this, I've got a login script that calls register.html (asp removed to prevent form spoofing as pointed out by Shiny_Guru, username now retrieved in register_user.asp) in IE's kiosk mode.
    register_user.asp removes the user login script once the details are stored.
    This works fine if the user is an admin who has permissions to modify AD, but if it's a normal user it fails due to insufficient privileges.

    I'm new to ASP so I'm pretty much winging this, but I think I need to stop impersonating the current authenticated user while running the AD code, for which I've found this code:
    Code:
    // Stop impersonation
    WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
    try 
    {
      // Thread is now running under the process identity.
      // Any resource access here uses the process identity.
    // Remove logon script from user
    Dim oUser
    Set oUser = GetObject("WinNT://domain.sch.uk/" & strusername & "")
    oUser.LoginScript =  ""
    oUser.SetInfo
    Set oUser = Nothing
    
    }
    finally 
    {
      // Resume impersonation
      ctx.Undo(); 
    }
    Trouble is, I keep getting an error:
    Code:
    Microsoft VBScript compilation  error '800a0401'
    
    Expected end of statement
    
    /register/register_user.asp, line 85
    
    WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
    --------------------------------------------------------------------------^
    Googling the error code suggested looking for missing & or , but as I'm not familiar with ASP's syntax, I'm a little stuck as to how to fix it.

    Can anyone point out what's missing, or if I'm even on the right track?

    I've attached my modified (non-working) version in case that's of help.

  15. #14

    plexer's Avatar

    Re: Self Service Password Reset

    Irazmus: Excellent work there on the CSS etc... that's exactly what I was hoping someone would do to make it look pretty.

    Rather than using a logon script, could we just set their homepage to an ASP page that searches the DB for their username? If it exists they have filled it in and they get redirected to Google or wherever. If they don't exist they are then redirected to the sign-up page.

    Ben

  16. #15
    Irazmus's Avatar

    Re: Self Service Password Reset

    Glad you like the redesign

    Yes, we could do it that way; in fact I've just modified register.asp to check if the current username is in the database, and to skip the reg page and redirect to Google if it is.
    I'd still like to find exactly what I was missing though, as I can see some situations where a logon script would be better.
