Managing Passphrases


How SecureLogin Uses Passphrases

When users first log in after SecureLogin is installed, they are prompted to enter a passphrase.


Figure: Creating a passphrase and password

A passphrase consists of a passphrase question and a passphrase answer. The passphrase is used to verify and authenticate the user. The passphrase ensures that only the authorized user has access to that user's single-sign-on applications.

In standalone environments, a password is used instead of a passphrase. This password is required for authentication each time the user starts the workstation or SecureLogin.

NOTE:  You can't manage passphrase security in standalone mode.

The passphrase should not be confused with the normal login. A passphrase is used to protect the user's single sign-on credential information.

For example, in a directory environment, a rogue administrator can potentially log in to the network as the user by resetting the network password. Whenever SecureLogin recognizes that tampering or an administrative password change has been performed on the user's account, SecureLogin prompts for the passphrase. Without knowing the passphrase, the rogue administrator can't access the user's applications that are enabled for single sign-on.

The passphrase question and answer help you access your login data in the following situations:

NOTE:  For a passphrase to display properly on multi-byte platforms (for example, Japanese and Chinese), users must use single-byte characters when entering a passphrase.

If you use Novell SecretStore, a specially designated SecretStore Administrator might unlock your directory-based data stores on your behalf. For more information, see "Setting Up a SecretStore Administrator" in the Novell SecretStore 3.3.3 Administration Guide.


Providing Passphrase Questions

You can provide preset passphrase questions for users to respond to, enable users to enter their own passphrase question, or do both.

By default, users can enter their own passphrase questions.

Passphrase questions can have up to 255 characters.

IMPORTANT:  If a user forgets the passphrase answer, that user's object data must be deleted and the passphrase reset. This action means that the user loses all the SecureLogin data, including application login credentials. Therefore, because the passphrase question is infrequently asked, the passphrase answer should be one that the user can easily remember, but one that others can't easily guess.


Using ConsoleOne to Provide Questions

  1. Right-click a Container object, then click Properties.

    You can provide passphrase questions for User objects, if a user has used SecureLogin and set a passphrase question.

  2. Click Novell SecureLogin, then select Advanced Settings.


    Figure: The Advanced Settings option for SecureLogin

  3. In the Passphrase Questions dialog box, click New.


    Figure: The Passphrase Questions dialog box

  4. Type a question, then click OK.


    Figure: The New Passphrase text box

    To edit a passphrase question, select it, click Edit, make changes, then click OK.

  5. Click Apply.


Using MMC to Provide Questions

  1. Select Start > Administrative Tools > Active Directory Users and Computers.

  2. Right-click the relevant container or OU (for example, Users).

  3. Select Properties > SecureLogin SSO > Settings.

  4. Click Advanced Settings, then click New.

  5. Type a passphrase question in the Enter a Passphrase Question edit box.

  6. Click OK.

    The passphrase question displays to all users associated with the container or OU.


Disabling User-Set Passphrase Questions

You can disallow user-set questions and require users to select a preset question.


Using ConsoleOne to Disable Questions

  1. Select Novell SecureLogin > General Settings, then click Settings.


    Figure: The Settings option to control use of passphrase questions

  2. Click Prevent Users from Entering a Passphrase Question, click Edit, select Yes from the drop-down list, click OK, then click Apply.


Using MMC to Disable Questions

  1. On the Settings tab, click Advanced Settings.

  2. Deselect Allow Users to Enter a Passphrase Question.

  3. Click OK.


Customizing Instructions for Passphrases

When users first log in after installing SecureLogin, SecureLogin prompts them to select a passphrase question and type an answer. See How SecureLogin Uses Passphrases. You can edit that text and provide customized instructions for your organization.


Using ConsoleOne to Customize Instructions

  1. Click Settings.


    Figure: The Settings option to customize introductory Passphrase text

  2. Select Customize Text for the Passphrase Setup Dialog Box, then click Edit.

    NOTE:  Because the primary data store is unavailable in standalone mode, many SecureLogin management features are not available in that mode.

  3. Type text in the Value pane, then click OK.


    Figure: The Help Text pane

  4. Click Apply.

  5. Test the text by logging in as a new test user.


Using MMC to Customize Instructions

  1. On the Settings tab, click Advanced Settings.

  2. Check Use a Customized Prompt to Change a Passphrase Question.

  3. Type the text that you want users to read.

  4. Click OK.

  5. Test the text by logging in as a new test user.


Using a Passphrase Policy

By default, SecureLogin requires a passphrase answer that has at least six characters. To set additional requirements:

  1. Click Settings.

  2. Scroll to and select Use a Passphrase Policy.


    Figure: Settings available on the Settings tab

  3. In the Editing a Setting dialog box, require a passphrase policy by changing the value to Yes.


    Figure: The Edit Policy button on the Editing a Setting dialog box

  4. (Optional) To edit the passphrase policy, click Edit Policy.

    1. Select a setting, then click Edit.

      The following figure illustrates Basic passphrase policy settings that you can change:


      Figure: Passphrase policy settings

      To view advanced settings, select Advanced from the drop-down list. To view Basic and Advanced settings, select All from the drop-down list.

    2. In the Editing a Setting dialog box, change the value, then click OK twice.

      The Advanced settings for passphrase policies are the same as for password policies. See the table of default values in Creating or Editing a Password Policy.

  5. Save the setting by clicking OK twice.