4.3 Managing Forgotten Passwords

The following sections describe how to manage forgotten passwords by using iManager.

For information on managing forgotten passwords by using the Identity Manager User Application, see Section 5.3, “Password Management Configuration” in the Identity Manager 3.5.1 User Application Administration Guide.

4.3.1 Enabling Forgotten Password

To enable users to recover from a forgotten password without contacting the help desk, enable the Forgotten Password feature. As the following figure illustrates, you encounter this option while using the Password Policy Wizard to create a password policy. For more information on the Password Policy Wizard, see To create a challenge set while using the Password Policy Wizard:

Figure 4-1 Enable Forgotten Password

You can also enable Forgotten Password on an existing password policy:

  1. In iManager, click Passwords > Password Policies.

  2. Click the name of the policy.

  3. Click the Forgotten Password tab.

  4. Select Enable Forgotten Password, select or create a challenge set, specify an action, select the Authentication option, then click OK.

4.3.2 Creating or Editing Challenge Sets

A challenge set is a set of questions that a user answers to prove his or her identity, instead of using a password. The challenge set is assigned to a password policy and is used as part of a password policy's method of authentication. Users’ answers to these challenge questions are case insensitive.

You can use challenge sets as part of providing Forgotten Password self-service for users. Requiring a user to answer challenge questions before receiving forgotten password help provides an additional level of security.

When you create a password policy, you can enable Forgotten Password self-service so that users can get help without calling the help desk. To make self-service more secure, you can create a challenge set and specify that users must answer the challenge set questions before obtaining forgotten password help. You also specify what action takes place to help users after they answer the questions, such as displaying a password hint to the user. These self-service features are available to users through Novell iManager. Your choices are explained in Section 4.3.3, Selecting a Forgotten Password Action.

To create a challenge set:

  1. In iManager, click Passwords > Challenge Sets.

  2. Click New.

  3. Type a name in the Challenge set name field, select a container for the challenge set to be created in, then select or create challenge questions.

    To select a default question in the challenge set, select its check box.

    To edit a question or the number of characters (minimum or maximum) allowed for responses, click the question.

    To create a question and add it to the challenge set, click Add Question.

    User Defined: If you select this option, users can create their own challenge question.

    Novell Modular Authentication Services (NMAS™) stores a user's user-defined questions and responses in Novell eDirectory™.

    Required Questions: Questions in this list always appear when a user uses Password Self-Service.

    Random Questions: Questions in this list appear only once as a complete set, when the user sets up Forgotten Password by answering the challenge set questions for the first time. When the user later needs to use Forgotten Password, only a few of the questions are presented for the user to answer. The number of random questions that appear depends on the number that you specify.

  4. Click OK.

To create a challenge set while using the Password Policy Wizard:

  1. In iManager, launch the Wizard by clicking Passwords > Password Polices > New.

  2. In Step 4, click Yes to enable Forgotten Password.

  3. In Step 5, select Require a Challenge Set and then click New challenge set.

    To use an existing challenge set, browse for and select it.

  4. Specify the container you want the challenge set created in. Type a name in the Challenge Set Name field, then click Next.

  5. Select or create required or random challenge questions.

    If you don't want to create new questions, select existing ones.

    To enable users to add their own questions, select User Defined.

    To create a new question:

    1. Click Add Question.

    2. Select Administrator Defines the Question, click Add, specify a language from the drop-down menu, type the question, then click OK.

    3. Select whether the question is required or random.

    4. Specify minimum and maximum characters required, then click OK

  6. Specify the number of random question, then click Next.

  7. Complete the remaining steps in the Password Policy Wizard.

To create a challenge set for an existing password policy:

  1. In iManager, click Passwords > Password Policies.

  2. Click the name of a policy.

  3. Click the Forgotten Password tab.

  4. Select Enable Forgotten Password > Require a Challenge Set.

  5. Browse for and select an existing challenge set or create a new one and then select the new one.

    To create a new one:

    1. Click the Challenge Sets link.

    2. In the Challenge Sets dialog box, click New.

    3. In the Challenge Sets dialog box, name the challenge set, specify a container to create the challenge set in, select or add required or random questions, then specify the number of random questions to ask.

    4. Click OK.

4.3.3 Selecting a Forgotten Password Action

  1. In iManager, click Passwords > Password Policies.

  2. Click the name of the policy.

  3. Click the Forgotten Password tab.

  4. Select the Enable Forgotten Password checkbox.

  5. Select an action.

    • Allow User to Reset Password: After answering the challenge set questions to prove his or her identity, the user is allowed to change to a new password. Because the user has authenticated through answering the challenge questions, the user is allowed to change the password without being required to provide the old password. To use this option, you must require a challenge set, and the user must have previously set up Forgotten Password in the iManager portal by answering the challenge set questions.

    • E-mail Current Password to User: After answering the challenge set questions to prove his or her identity, the user receives the current password in an e-mail. To use this option, you must do the following:

      Also, the user must have previously set up Forgotten Password in iManager by answering the challenge set questions.

    • E-mail Hint to User: The user receives the password hint in an e-mail. To use this option, you must set up e-mail notification as described in Section 4.6, Configuring E-Mail Notification for Password Self-Service.

      Also, the user must have previously set up Forgotten Password in iManager by providing a password hint.

    • Show Hint on Page: The user is shown the password hint in the iManager portal. To use this option, the user must have previously set up Forgotten Password in iManager by providing a password hint.

Password Hints

If you specify a Forgotten Password action that requires password hint, the user can enter a hint that is a reminder of the password.

Password Hint

The Password Hint attribute (nsimHint) is publicly readable, to allow unauthenticated users who have forgotten a password to access their own hints. Password hints can significantly reduce help desk calls.

For security, password hints are checked to make sure they do not contain the user's actual password. However, a user could still create a password hint that gives too much information about the password.

To increase security when using password hints:

  • Allow access to the nsimHint attribute only on the LDAP server used for Password Self-Service.

  • Remind users to create password hints that only they would understand. The Password Change Message in the password policy is one way to do that. See Section 4.5, Adding a Password Change Message.

Secure Hint

The Secure Hint attribute (nsimPasswordReminder) is more secure because it is not publicly readable. It requires the user to answer challenge questions before the hint is displayed.

The challenge/response requirement is set in the Forgotten Password section of the Password Policy properties.

If you choose not to use a password hint, make sure you don't use it in any of the password policies. To prevent password hints from being set, you can go a step further and remove the Hint Setup gadget completely, as described in Section 4.3.4, Disabling Password Hint by Removing the Hint Gadget.

4.3.4 Disabling Password Hint by Removing the Hint Gadget

Password Hint is one method of helping users remember a password as part of Forgotten Password Self-Service. In the password policy, the Forgotten Password actions that use Password Hint are named E-mail Hint to User and Show Hint on Page.

For Password Hint to be useful to a user who has forgotten a password, unauthenticated users must have public access to the Password Hint attribute (nsimHint). Although Password Self-Service checks the password hint to make sure that the user has not included the actual password within the hint, you might still consider this public access to be a security issue.

If you don't want to use password hints, choose a different option for the Forgotten Password action in the password policy.

If you prefer to, you can remove the Hint Setup gadget completely. After installing the Identity Manager plug-ins for iManager, use the Configure view to remove the Hint Setup gadget by doing the following:

  1. In iManager, click the Configure icon iManager Configuration icon.

  2. Click Portal Platform Configuration > Gadgets.

  3. From the list of gadgets, select Hint Setup.

  4. Click Delete.

After you delete the gadget, Hint Setup is no longer available to the user. The post-authentication services query for the existing gadgets before adding them to the delegation list. Regardless of what the policy states for post-authentication services, if the gadget does not exist, the service is not presented to the user by the post-authentication services or in the iManager portal.

After you delete the Hint gadget, make sure you don't select E-mail Hint or Display Hint as the forgotten password action in the password policy.

4.3.5 Configuring Forgotten Password Self-Service

Clicking the Forgot your password? link when logging in to the portal (such as https://www.servername.com/nps) does not work for the user unless the following conditions are met:

  • The administrator has set up a password policy with Forgotten Password enabled.

  • The user has set up challenge questions or a password hint, if either of them is specified in the Forgotten Password setting.

Prompting Users to Set Up Forgotten Password

For some Forgotten Password actions, the user must do some setup before using the Forgotten Password self-service. For example, if the password policy specifies that a challenge set is used to allow a user to prove identity, and if the forgotten password action is to e-mail a password hint to the user, the user must first answer challenge-set questions and create a password hint before being able to use Forgotten Password Self-Service.

Users can initiate setting up these features in the portal, or you can require that users set them up by using post-authentication services (pages displayed when users log in to the portal).

To prompt users to set up these features at login time, select the Force users to configure Challenge Questions and/or Hint upon authentication option in the Password Policies interface at the bottom of the Forgotten Password page. This is selected by default when you create a policy.

Figure 4-2 Password Policy

To let users set up Forgotten Password at a time of their choice, you need to give them the URL for the portal, such as https://www.my_iManager_server.com/nps.

User Setup for Forgotten Password

There are two ways the user's part of the configuration can be accomplished:

Post-Authentication

The administrator can require the user to set up Forgotten Password features after a successful login by selecting the Forgotten Password option to force the user to configure challenge questions or a hint upon authentication. If this option is selected but a user does not have questions or a hint set up, Forgotten Password configuration gadgets are displayed to the user the next time he or she logs in through the portal (such as https://www.servername.com/nps). This is called post-authentication setup.

In the Portal

When users log in through the iManager portal, iManager gives them access to the gadgets for setting up or changing challenge sets and password hints for Forgotten Password Self-Service. This is the same place where users can initiate a password change. They can access the following gadgets here:

  • Hint Setup

  • Answer Challenge Questions

  • Change Password (Universal)

The user can initiate changing these at any time. But if a hint or challenge set is not required for the user's password policy, the user cannot set them up; the page displays a message indicating that the options are not accessible.

To see specific examples of how these user options look in each application (iManager 2.02 portal, User Application portlet, Novell Client, and Virtual Office), refer to the documentation for each application as outlined in Section 4.1, Overview of Password Self-Service.

Requiring Existing Passwords to Comply

If you create or change a password policy, you can require users to change existing passwords that don't comply the next time they log in through the portal.

To do this, set an option in the password policy by using the Universal Password tab under Configuration Options. The option is called Verify whether existing passwords comply with the password policy (verification occurs on login). By default, this option is turned off when you create a new password policy. The following figure illustrates the page where you set this option:

Figure 4-3 Requiring Existing Passwords to Comply

If this option is set, the next time users log in through the portal, their passwords are checked for compliance with the password policy. If the password does not comply, a page similar to the following is displayed, and the user is not allowed to log in without changing the password.

Figure 4-4 Change Password

4.3.6 What Users See When They Forget Passwords

After you have installed the iManager plug-ins that shipped with Identity Manager, the Forgotten Password link shows up in the iManager portal (such as https://www.servername.com/nps), as illustrated in the following figure.

Figure 4-5 Forgotten Password in iManager

A similar link is displayed when authenticating through Virtual Office and the Novell Client.

If a user clicks this link, the following page is displayed, asking for the username:

Figure 4-6 Forgotten Password in Virtual Office and Novell Client

After the username is entered, the Forgotten Password settings determine what the user sees.

For example, if the administrator specified in the password policy that a challenge set is used, a page similar to the following is displayed. The user must then answer challenge set questions to prove his or her identity.

Figure 4-7 Forgotten Password Challenge Questions

If the Administrator specified that the Forgotten Password action is Show Hint on Page, a page similar to the following is displayed:

Figure 4-8 Forgotten Password Hint

If the Administrator specified that the Forgotten Password action is E-mail Current Password to User or E-mail Hint to User, a message is displayed saying that the password or hint has been e-mailed. The user receives an e-mail similar to the following:

Figure 4-9 Password Hint E-Mail