
SecureLogin -- Enforcing strong passwords for websites and forcing periodic password changes with random passwords

Description:

This document provides an example web script to assist one in enhancing the security and automation of internal or external web sites. This script was written for Google's Gmail, but can be used as a baseline to get started for other sites.

Questions:

  • Have you ever been concerned about an external or internal website that isn't as secure as you would like it to be?


  • Do users often forget their password for the website and are calling the helpdesk?


  • Would you prefer that users not know their password to the website, but have a random password that is complex, but still allows the user to have access?


  • Do you not have time to federate the site using ADFS or NetIQ Access Manager?


  • Do you wish that the website forced users to change passwords periodically?


  • Do you want password complexity enforced on the site?



Features:


  • Uses SecureLogin's Password Policies to enforce password complexity. Users aren't bothered by the complexity, as they are automatically authenticated to the website when they go to the site. Users won't be writing their passwords down, as any workstation with SecureLogin installed would be able to provision and authenticate them to the site without prompting them for the password.

  • Sets a random password for the user. SecureLogin can be configured so the user is allowed or disallowed to look at the existing password or prior password. Only the user in question has rights to look at the current and prior password, if one so desires. SecureLogin retains the current random password in an encrypted form for the user and automatically authenticates the user to the site. Not only does the user not need to maintain their password, but randomizing the password provides a much more secure password than most users would supply.

  • When a password hasn't been changed for over 45 days, the script redirects to the change password page and automatically sets a random password for the user. An example of a password generated by this script is: "7aP\x@omhAJ<yUpd_R-p4fX;I1".




custom web script:

Note that the script pasted directly below is not complete. For the full script go to the bottom of the page.

#=============================================================

# EXE/ID: accounts.google.com
# Name: Gmail
# Type: Web
# Version: 1
# Created By: Fred Patterson NetIQ Consulting
# Purpose: web script example of password policy enforcement, random password generation, and automated password change to a random password after 45 days
#
#
# example of password complexity: 7aP\x@omhAJ<yUpd_R-p4fX;I1
# To use the script you need a credential called "pwdchangeTime" with the MS time format. Example 1409007708.
# Default is to change the password every 45 days. The example time format listed above would set the password to be expired on the initial login.
# password policy needs to be created and called gmailPwdPolicy
#
# Thoroughly test script across a handful of workstations prior to deploying to a large number of users. No substantial testing was performed with this script. NetIQ support and consulting are in no way liable for the use of this script.
# This script is to be used as a guide in building out a solution.
#=============================================================

###########################################################
## BeginSection: "Evaluate Password age" -- Custom script
## Site line: We are specifying that the site has to be mail.google.com/mail. As most people use their mail frequently, this is a good page to check password age as it would be hit often
## MatchURL line: looks for anything for the mail.google.com being in the URL.
##
## We use the Subtract and divide commands to calculate how many days since the password was last changed. The value 86400 is the number of seconds in a day.
## ?CurrTime(System) is getting the number of seconds since 1970, based on MS Windows time parameters. This should work regardless of the directory being used to store data.
## If it has been more than 45 days, we will direct the user to the change password site
###########################################################
Site "mail.google.com/mail" -initial
MatchURL -regex "mail.google.com"
Set ?changetime $pwdchangeTime
Set ?current ?CurrTime(system)
Subtract ?Current ?changetime ?timea
Divide ?timea 86400 ?timeb
# Uncomment the MessageBox line below to see the values of the variables
#MessageBox current time: ?Current ---- password change time: ?changetime ----- timea: ?timea ----- timeb: ?timeb
If ?timeb Gt 45
ClearSite Gmail
GoToURL "https://accounts.google.com/b/0/EditPasswd"
EndIf
EndScript

##########################################################
## BeginSection: "Change Password" --Custom Script
## RestrictVariable command allows for the password to conform to the password policy. When a user initially sets their password on first login, they
## don't have to meet the complexity. However, if the pwdchangeTime value is out by default over 45 days, it will force the random password change immediately
##
## For troubleshooting purposes we allow for the LastPasswordChangeTime to be available so that it can easily be read as to what date the password was last changed
## After the password change is completed, we redirect them to their mail so that they will not attempt to change their password. If they go to the accounts password page to manually change their password, the script will detect this and automatically direct them to and automatically change their password again.
##########################################################
Site "accounts.google.com/b/0/EditPasswd"
MatchURL -regex "accounts.google.com/b/0/EditPasswd"
## Modify the below MessageBox line to have it conform to your policies and guidelines.
MessageBox "Only corporate gmail accounts can be accessed from this computer. The System is changing the Password for gmail to a random password. Do not interfere in this process or it may lead to you not being able to login. The single sign on software will automatically log you in to the gmail system upon successful authentication"
RestrictVariable $Passwordnew gmailPwdPolicy
Set $PasswordBackup $Password
Type $Password #1
ChangePassword $Passwordnew Random
Type $Passwordnew #2
Type $Passwordnew #3
Submit
Set $Password $Passwordnew
Set $pwdchangeTime ?CurrTime(system)
ConvertTime ?CurrTime(system) ?LastPwdChangeTime
Set $LastPwdChangeTime ?LastPwdChangeTime
GoToURL "https://mail.google.com/mail"
MessageBox "The password change is complete. Thank you, you may continue accessing your mail"
endsite
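The two custom sections above, the password-age check and the random password that must satisfy a policy, reimplemented in Python as an added example (this is not part of the SecureLogin script and not NetIQ code). The complexity rules stand in for gmailPwdPolicy, whose actual settings the page does not list, and 1409007708 is the sample pwdchangeTime value from the script header.

```python
import secrets
import string
import time
from datetime import datetime, timezone

# Rotation interval used by the script's "If ?timeb Gt 45" check; 86400 seconds per day.
MAX_AGE_DAYS = 45
SECONDS_PER_DAY = 86400

# Assumed stand-in for gmailPwdPolicy: the page names the policy but not its settings.
MIN_LENGTH = 25
SPECIALS = "!@#$%^&*()_-+=<>;:,.?/\\|[]{}~"


def password_age_days(pwd_change_time: int, now: int) -> float:
    """Days since pwdchangeTime, the same arithmetic as the Subtract/Divide lines."""
    return (now - pwd_change_time) / SECONDS_PER_DAY


def rotation_due(pwd_change_time: int, now: int) -> bool:
    """True when the script would ClearSite and redirect to the EditPasswd page."""
    return password_age_days(pwd_change_time, now) > MAX_AGE_DAYS


def meets_policy(password: str) -> bool:
    """Check a candidate against the assumed complexity rules (what RestrictVariable enforces)."""
    return (len(password) >= MIN_LENGTH
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIALS for c in password))


def random_password(length: int = MIN_LENGTH) -> str:
    """Draw from a CSPRNG and retry until the candidate satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def convert_time(epoch_seconds: int) -> str:
    """Readable form of the MS time value, as ConvertTime does for LastPwdChangeTime."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    sample_change_time = 1409007708  # sample value from the script header
    now = int(time.time())
    print("last change:", convert_time(sample_change_time))
    print("age in days:", round(password_age_days(sample_change_time, now), 1))
    print("rotation due:", rotation_due(sample_change_time, now))
    print("new password meets policy:", meets_policy(random_password()))
```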


Prerequisites for the script:


  • There needs to be a password policy created. See the below image as an example. Note that the name of the policy matters as it is called in the script in the line: RestrictVariable $Passwordnew gmailPwdPolicy.

    gmail pwd policy





  • The credential for gmail must include the property pwdchangeTime with a value similar to: 1409007708. This value is the number of seconds since Jan 1, 1970. If you want to make sure that the password is randomized on the initial authentication, make sure the value represents a date older than 45 days, or whatever number of days you specify. This value would be set on the container object to be effective for all users under that container.

    pwdchangeTime




  • Make sure you are using a supported web browser and version based on the SecureLogin documentation.



Additional information:

Below is an image showing an example of what the credentials would look like for an existing user. There is no option to view the passwords for the administrator logged in when taking this screenshot. If the user has permissions to view their credentials, they will have the option to see the password values if it is enabled in the SecureLogin properties. It does show that the last time the password was changed was Dec 19. It also shows that same value in the MS time format of the number of seconds since Jan 1, 1970. PasswordBackup holds the value of the password prior to it being changed. We also store what we are attempting to change the password to. We store these values in case the process is ever interrupted and the user needs to log in manually with the old password, assuming the old password is still valid because the new password wasn't actually set for the user.

gmail credential example



If you are looking to use this for a different site you will want to look at modifying the following variables or commands: Site, MatchURL, ClearSite, GoToURL, RestrictVariable, and the Type command. With the Type command it will depend on the website and if it requires the old password or not. See the Application Definition guide for more information on the various commands. For version 8 it can be found here: https://www.netiq.com/documentation/securelogin8/pdfdoc/application_definition_guide/application_definition_guide.pdf

Full Web Script:

Due to word wrapping enforcement with this document, the script will need to have a few minor changes, primarily in the comment section. Make sure that there is a pound sign "#" in front of each line in the comment section.

#=============================================================
# EXE/ID: accounts.google.com
# Name: Gmail
# Type: Web
# Version: 1
# Created By: Fred Patterson NetIQ Consulting
# Purpose: web script example showing password policy enforcement, random password generation, and automated password change to a random password after 45 days
#
#
# example of password complexity: 7aP\x@omhAJ<yUpd_R-p4fX;I1
# To use the script you need a credential called "pwdchangeTime" with the MS time format. Example 1409007708.
# Default is to change the password every 45 days. The example time format listed above would set the password to be expired on the initial login.
# password policy needs to be created and called gmailPwdPolicy
#
# Before deploying to a large number of users in a production environment, thoroughly test the script across several pilot and lab workstations.
# This script is to be used as a guide in building out a solution.
#=============================================================

## BeginSection: "Login Form" --- default from Web Wizard
Site "Gmail" -initial
DebugPrint "Conducting Match on login form Gmail"
MatchForm #1 -name ""
MatchField #1:17 -type "email" -name "Email"
DebugPrint "Matched Field 'Email'"
MatchField #1:18 -type "password" -name "Passwd"
DebugPrint "Matched Field 'Passwd'"
MatchField #1:19 -type "submit" -name "signIn"
DebugPrint "Matched Field 'signIn'"
EndSite
DebugPrint "Successfully matched login form Gmail"
SetPrompt "Email"
FocusInput #1:17
TextInput #1:17 -value "$username"
DebugPrint "Performed entry action TextInput $username into control id#1:17"
SetPrompt "Password"
FocusInput #1:18
TextInput #1:18 -value "$password"
DebugPrint "Performed entry action TextInput $password into control id#1:18"
SetPrompt "Please edit your login variables."
FocusInput #1:19
PressInput #1:19
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"
## BeginSection: "Login Form" --- default from web wizard
Site "Gmail" -recent 5000
DebugPrint "Conducting Match on login form Gmail"
MatchForm #1 -name ""
MatchField #1:17 -type "email" -name "Email"
DebugPrint "Matched Field 'Email'"
MatchField #1:18 -type "password" -name "Passwd"
DebugPrint "Matched Field 'Passwd'"
MatchField #1:19 -type "submit" -name "signIn"
DebugPrint "Matched Field 'signIn'"
EndSite
DebugPrint "Successfully matched login form Gmail"
if -exists $username
Displayvariables $username $password
Endif
SetPrompt "Email"
FocusInput #1:17
TextInput #1:17 -value "$username"
DebugPrint "Performed entry action TextInput $username into control id#1:17"
SetPrompt "Password"
FocusInput #1:18
TextInput #1:18 -value "$password"
DebugPrint "Performed entry action TextInput $password into control id#1:18"
SetPrompt "Please edit your login variables."
FocusInput #1:19
PressInput #1:19
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"
## BeginSection: "Login Form" --- default from web wizard
Site "Gmail" -subsequent
DebugPrint "Conducting Match on login form Gmail"
MatchForm #1 -name ""
MatchField #1:17 -type "email" -name "Email"
DebugPrint "Matched Field 'Email'"
MatchField #1:18 -type "password" -name "Passwd"
DebugPrint "Matched Field 'Passwd'"
MatchField #1:19 -type "submit" -name "signIn"
DebugPrint "Matched Field 'signIn'"
EndSite
DebugPrint "Successfully matched login form Gmail"
MessageBox "Do you wish to re-login?" -YesNo ?Result -DefaultNo
If ?Result Eq "No"
EndScript
EndIf
SetPrompt "Email"
FocusInput #1:17
TextInput #1:17 -value "$username"
DebugPrint "Performed entry action TextInput $username into control id#1:17"
SetPrompt "Password"
FocusInput #1:18
TextInput #1:18 -value "$password"
DebugPrint "Performed entry action TextInput $password into control id#1:18"
SetPrompt "Please edit your login variables."
FocusInput #1:19
PressInput #1:19
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"

###########################################################
## BeginSection: "Evaluate Password age" -- Custom script
## Site line: We are specifying that the site has to be mail.google.com/mail. As most people use their mail frequently, this is a good page to check password age.
## MatchURL line looks for anything for the mail.google.com being in the URL.
##
## We use the Subtract and divide commands to calculate how many days since the password was last changed. The value 86400 is the number of seconds in a day.
## ?CurrTime(System) is getting the number of seconds since 1970, based on MS Windows time parameters
## If it has been more than 45 days, we will direct the user to the change password site
###########################################################
Site "mail.google.com/mail" -initial
MatchURL -regex "mail.google.com"
Set ?changetime $pwdchangeTime
Set ?current ?CurrTime(system)
Subtract ?Current ?changetime ?timea
Divide ?timea 86400 ?timeb
# Uncomment the MessageBox line below to see the values of the variables
#MessageBox current time: ?Current ---- password change time: ?changetime ----- timea: ?timea ----- timeb: ?timeb
If ?timeb Gt 45
ClearSite Gmail
GoToURL "https://accounts.google.com/b/0/EditPasswd"
EndIf
EndScript

##########################################################
## BeginSection: "Change Password" --Custom Script
## RestrictVariable command allows for the password to conform to the password policy. When a user initially sets their password on first login, they
## don't have to meet the complexity. However, if the pwdchangeTime value is out by default over 45 days, it will force the random password change immediately
##
## For troubleshooting purposes we allow for the LastPasswordChangeTime to be available so that it can easily be read as to what date the password was last changed
## After the password change is completed, we redirect them to their mail so that they will not attempt to change their password. If they go to the accounts password page to manually change their password, the script will detect this and automatically direct them to and automatically change their password again.

##########################################################

Site "accounts.google.com/b/0/EditPasswd"
MatchURL -regex "accounts.google.com/b/0/EditPasswd"
## Modify the below MessageBox line to have it conform to your policies and guidelines.
MessageBox "Only corporate gmail accounts can be accessed from this computer. The System is changing the Password for gmail to a random password. Do not interfere in this process or it may lead to you not being able to login. The single sign on software will automatically log you in to the gmail system upon successful authentication"
RestrictVariable $Passwordnew gmailPwdPolicy
Set $PasswordBackup $Password
Type $Password #1
ChangePassword $Passwordnew Random
Type $Passwordnew #2
Type $Passwordnew #3
Submit
Set $Password $Passwordnew
Set $pwdchangeTime ?CurrTime(system)
ConvertTime ?CurrTime(system) ?LastPwdChangeTime
Set $LastPwdChangeTime ?LastPwdChangeTime
GoToURL "https://mail.google.com/mail"
MessageBox "The password change is complete. Thank you, you may continue accessing your mail"
endsite

Labels:

How To-Best Practice