August 14, 2006

New web sign–on change password screen

Writing about web page https://websignon.warwick.ac.uk/origin/changepassword.htm

I've recently been working on a new system to allow easy, secure and informative password changes on the web.

At the moment, if you are a main Warwick user, you can change your main ITS account password (held in our NDS directory) via the managed desktop or on the web via the my.insite portal. In an effort to improve the usability and availability of password management, we decided to create a new single page, sitting within the web sign–on project, that would allow any user, not just central Warwick users, to change their password.

We have a model whereby users that login to web sign–on can come from a variety of sources:

  • Central NDS directory
  • Warwick Alumni service, run externally
  • WBS Alumni service
  • WBS NDS directory
  • External user database for Warwick related users

A user does not have to worry about which of these types of user they are: they just log in, and the system works out where they are from and authenticates them securely at that source. Each of these sources can now optionally expose a password change interface that we plug into.

In the first instance the page will only allow central NDS users to change their passwords, but over the coming weeks we will add in as many of the other sources as we can.

Changing a password is actually a pretty boring thing. However, we've made it a bit more interesting by giving some visual feedback about the strength of your password, so that you can judge how strong it is and understand why we are not letting you have a password of "letmein".

Change password screenshot

This is done through a fair bit of JavaScript and a bunch of AJAX calls back to the server to work out whether your password is strong enough. Only once all of the criteria are met is the "Change password" button activated, allowing you to change your password.

The required password strength is fairly strict, so it will probably take people a little while to get used to. From the University's newly approved password policy:

4.1 Choice of passwords
Passwords should:

  • Be at least 8 characters long.
  • Contain at least three of the following four types of character: letters in lower case, letters in upper case, numbers, and symbols (e.g. £$%^&*).
  • Be changed every six months for a new password (more often for systems requiring greater security).
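As an added example (not the web sign–on project's own code), here is how the two checkable rules from section 4.1 can be implemented so that the result tells the user which criteria are still unmet, rather than a bare pass/fail. The function name, return shape and the treatment of any non-space character that is not a letter or digit as a "symbol" are my assumptions; the policy only gives examples such as £$%^&*.

```javascript
// Added example: password-policy check modelled on section 4.1 quoted above
// (at least 8 characters, at least three of the four character classes).
// Not the Warwick web sign-on code; names and return shape are assumptions.

const CLASSES = {
  lower:  /\p{Ll}/u,           // lower-case letters
  upper:  /\p{Lu}/u,           // upper-case letters
  digit:  /\p{Nd}/u,           // numbers
  symbol: /[^\p{L}\p{N}\s]/u,  // assumption: anything else that is not a letter,
                               // digit or whitespace counts as a symbol (so £ does)
};

const MIN_LENGTH = 8;
const MIN_CLASSES = 3;

// Returns { ok, length, classes, missing }. `classes` lists the character
// classes actually present and `missing` the human-readable unmet criteria,
// which is what a strength indicator needs to explain *why* a password fails.
function checkPasswordPolicy(password) {
  const present = Object.entries(CLASSES)
    .filter(([, re]) => re.test(password))
    .map(([name]) => name);

  const missing = [];
  if (password.length < MIN_LENGTH) {
    missing.push(`at least ${MIN_LENGTH} characters (have ${password.length})`);
  }
  if (present.length < MIN_CLASSES) {
    missing.push(`at least ${MIN_CLASSES} of lower/upper/digit/symbol (have ${present.length})`);
  }
  return { ok: missing.length === 0, length: password.length, classes: present, missing };
}

// Constructed sample inputs: the post's own "letmein" fails both rules.
const samples = ['letmein', 'letmein1', 'Letmein1', 'Warwick£2006'];
for (const p of samples) {
  const r = checkPasswordPolicy(p);
  console.log(`${p}: ${r.ok ? 'accepted' : 'rejected'}`, r.missing);
}
```

The same function must run on the server for the actual change request; the client-side version only drives the feedback, since the browser's JavaScript can be bypassed.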

In the long run we hope this will mean that average password strength goes up, and that it raises people's awareness of what makes a stronger password and why it matters.


  1. Does this mean that the sign on is going to become case sensitive then?

    14 Aug 2006, 09:53

  2. Passwords always were case sensitive, but generally usernames are not case sensitive, although it is probably always best to enter them as lower case.

    14 Aug 2006, 10:00

  3. Matthew Inglis

    My question is this: why does it matter to IT services if I have a ‘weak’ password? Presumably the only thing that can happen if someone guesses it would be to read my email and so on? Isn’t this my problem rather than yours?

    14 Aug 2006, 10:04

  4. That question is slightly out of my scope as I am just the person who implements these things rather than the policy person. However, someone can do more than just check your email if they have your password. They can logon to managed desktops, logon to websites and of course send email as if they were you. This could get you in a lot of trouble and also potentially cause damage to the University as well. We have a responsibility to ensure that the users who are logging in and accessing resources (your personal information, Athens resources, just the University and JANet networks for example) are who they say they are.

    A good way of doing this is to enforce stronger passwords and educate people about the issues around access management…amongst other things

    14 Aug 2006, 10:09

  5. Just checked by re-signing in to blogs, and the password works with both upper and lower case characters.

    14 Aug 2006, 10:38

  6. Hi Helen,

    Thanks for that…and it appears that you’re right :) It does mean that passwords will eventually be case sensitive. Basically there are various places that your password is stored and used, the main one right now is indeed case insensitive, but the system we are moving towards will make passwords case sensitive eventually.

    14 Aug 2006, 10:52

