
Password Self Help - enforcing password policies

Created: 03 Oct 2012 | 6 comments

Hello forum members. I had a tricky question (or maybe not so tricky for you wizards of workflow). I have an AD password self help portal that is near complete. It is a modified version of the one on Workflow SWAT. It allows the user to log in and answer 3 challenge questions and then change their password.

The issue I have is that now our security team wants the user to abide by our password requirements in group policy, namely no repeats of the password from the last 4 selections and no changing the password any sooner than 10 days' time after the first password change. Currently a user could reset their password every day if so desired and use the same password infinitely (not good).

What are your thoughts on how to get started on this restriction?

6 Comments

AnaMan:

To check a user's password change history, a good solution is to build a structure that stores the last 4 changes and their dates for each user in a database, a local file or server persistent storage. For a large number of users a DB would be much faster. Of course passwords should be kept salted and hashed.

Jason Gallas:

I am pretty new to workflow.  Do you have any pointers on how to get started with this?

Kevin Shilling:

You could bypass the issue with a random password and force a password change at next login.

Jason Gallas:

This would not work for us as we have users that do not log in as themselves (we have a service account) and only use their usernames for Office 365 email accounts.

Halley1:

Hi. Here are the highlights on how I would do it. This assumes you're using the ProcessManager database with your workflow (which you should).

1. Create an integration project and select the User Defined Type with DB Mapping generator.

2. Create a type called UserPasswordHistory with properties UserId, PasswordHash, DateTimeCreated. The wizard will ask you if you want to create components against your type. Do this.

3. Save and compile your new assembly and import it into your password check project. Note that when you import the library, the project will detect a type that has db mapping enabled, and ask you if you want it to handle this automatically. I would say no here as I prefer to use explicit components to interact with the database rather than depend on workflow magic.

4. At the start of your webforms project, you should have an ensemble login component that forces the user to authenticate. From the token that this generates you have access to the logged-in user's id.

5. Before allowing the user to create a new password, use the components you just generated to lookup the user's password history and see if an entry was added in the last 10 days.

6. Each time a user changes their password, use the GeneratePasswordHash to encrypt the new password they enter. This component uses SHA-256 which is a very secure one-way hash algorithm. Create a new UserPasswordHistory object and populate it with the user's id, the hashed password and the current datetime. You can do this using a Single Value Mapping component. Then if the comparison check passes (see step 7) you can save the password history entry using the "CreateOrUpdate" component you just generated.

7. For comparing the new hashed password against recent entries, you can simply do a straight string comparison against the last 4 entries (by CreateDateTime). Note that this comparison is hash-to-hash, not comparing the password in the clear.

It would definitely be more secure to query the password history for a user directly on the AD. I'm not sure if that's possible. Maybe someone else knows. But barring that, the solution above should give you what you need.

Also, a note on the ORM (Create Type with DB Mapping) function in case this is new to you: What this does is take a type that you define and manage it as a table in the ProcessManager database. It sets up the table for you and keeps it aligned with the type in case you add or remove properties. This is a great way to store data externally from your workflow project.

Hope this helps.
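The history check that Halley1's steps 5 to 7 describe, written out as an added example (not Symantec Workflow component code, and not from either poster): an in-memory list stands in for the ProcessManager table, the UserPasswordHistory type carries an extra Salt property so that the hashes can be salted as AnaMan suggests, and the policy constants, user id and timestamps are constructed values. Because each stored hash has its own salt, the "straight string comparison" of step 7 becomes "re-hash the candidate with the stored entry's salt, then compare in constant time".

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values from the original question (constructed defaults; align with group policy).
HISTORY_DEPTH = 4   # no reuse of any of the last 4 passwords
MIN_AGE_DAYS = 10   # no change sooner than 10 days after the previous one


@dataclass
class UserPasswordHistory:
    """Mirrors the type from step 2, plus a per-entry salt (assumption, not in the post)."""
    user_id: str
    password_hash: str        # hex SHA-256 of salt + password
    salt: str                 # hex-encoded random salt for this entry
    date_time_created: datetime


def hash_password(password: str, salt: bytes) -> str:
    # Salted SHA-256, matching the hash the post uses; a slow KDF (PBKDF2/bcrypt/scrypt)
    # is the stronger choice when the table could ever be exposed.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


class PasswordHistoryStore:
    """Constructed stand-in for the DB-mapped table and its generated components."""

    def __init__(self):
        self._rows = []

    def lookup(self, user_id: str):
        # Newest first, so history[0] is the most recent change (step 5).
        rows = [r for r in self._rows if r.user_id == user_id]
        return sorted(rows, key=lambda r: r.date_time_created, reverse=True)

    def create(self, row: UserPasswordHistory):
        self._rows.append(row)


def check_password_change(store, user_id, new_password, now):
    """Return (allowed, reason): minimum age first, then reuse against the last N hashes."""
    history = store.lookup(user_id)
    if history:
        age = now - history[0].date_time_created
        if age < timedelta(days=MIN_AGE_DAYS):
            return False, f"changed {age.days} day(s) ago; minimum age is {MIN_AGE_DAYS} days"
    for entry in history[:HISTORY_DEPTH]:
        candidate = hash_password(new_password, bytes.fromhex(entry.salt))
        # Hash-to-hash comparison, never the clear-text password; constant time.
        if hmac.compare_digest(candidate, entry.password_hash):
            return False, f"matches one of the last {HISTORY_DEPTH} passwords"
    return True, "ok"


def record_password_change(store, user_id, new_password, now):
    """Step 6: hash the accepted password with a fresh salt and store the history row."""
    salt = os.urandom(16)
    store.create(UserPasswordHistory(user_id, hash_password(new_password, salt), salt.hex(), now))


def demo():
    """Walk the policy through a constructed timeline; returns the four allow/deny decisions."""
    store = PasswordHistoryStore()
    t0 = datetime(2012, 10, 3, 9, 0, 0)                      # constructed timestamp
    record_password_change(store, "jgallas", "Autumn-2012!", t0)
    results = [
        check_password_change(store, "jgallas", "Winter-2012!", t0 + timedelta(days=5))[0],   # too soon
        check_password_change(store, "jgallas", "Autumn-2012!", t0 + timedelta(days=11))[0],  # reuse
        check_password_change(store, "jgallas", "Winter-2012!", t0 + timedelta(days=11))[0],  # allowed
    ]
    # Four more changes push the original password out of the 4-entry window.
    for i, pw in enumerate(["Winter-2012!", "Spring-2013!", "Summer-2013!", "Autumn-2013!"]):
        record_password_change(store, "jgallas", pw, t0 + timedelta(days=11 * (i + 1)))
    results.append(check_password_change(store, "jgallas", "Autumn-2012!", t0 + timedelta(days=55))[0])
    return results  # [False, False, True, True]


if __name__ == "__main__":
    print(demo())
```

The minimum-age check runs before the hash loop so that a denied request does not leak whether the candidate matched an old hash, and `record_password_change` is only called after `check_password_change` returns True, which is the ordering step 6 describes.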

jhallam3:

Hi,

I had the same issue, so rather than change the password, confirm it's them and then enforce the password change at next logon.

Thanks

Jon Hallam

ManagedDesktop.com