Authentication

(Passwords, affecting whether enabled/disabled)

Authentication can be quite basic, or it can be a bit more complex. However, as each user generally needs some sort of credentials, the section about user authentication is listed here in the sections about basic user operations.

[#usrdsabl]: Enabling/Disabling user accounts

One method of disabling a user's ability to log in is to change the credentials, such as the hash of whatever passphrase the user is using. The change can be systematic, such as prepending a sequence (even a string consisting of a single character) that the end user cannot possibly reproduce: either because the prepended character is one the hash algorithm can never produce (so no typed passphrase will ever match), or, a bit less secure but known to work effectively in some scenarios, because it is simply a string prepended to the password which the end user won't know (and is unlikely to crack). However, some environments have another setting/property on each user account that indicates whether it is disabled, and so knowing how to make sure the account is enabled can be important.
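As an added example (not part of the original page), the following audit distinguishes the two hash-mangling styles just described from an account that genuinely has no passphrase. The shadow-style entries are constructed sample data, and the classification mirrors the convention that a "!" or "*" prefix is something crypt()-style hashing never emits, so the stored value can never be matched.

```python
import re

# Constructed /etc/shadow-style sample (not from any real system).
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
alice:!$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
bob:*:19000:0:99999:7:::
carol::19000:0:99999:7:::
dave:!!:19000:0:99999:7:::
erin:$y$j9T$saltsalt$zyxwvutsrqponmlkjihgfedcba9876543210:19000:0:99999:7:::
"""

def classify(hash_field):
    """Describe how the password field affects password logins.

    Only the hash field is inspected; a separate 'account disabled'
    property (expiry fields, PAM rules, directory flags) is not covered."""
    if hash_field == "":
        return "empty-password"      # logs in with no passphrase at all
    if hash_field in ("*", "!", "!!"):
        return "no-valid-hash"       # nothing a user could type will match
    if hash_field[0] in "!*":
        return "locked-by-prefix"    # real hash behind a char crypt() never emits
    if re.fullmatch(r"\$[a-z0-9]+\$.+", hash_field):
        return "active"              # $id$salt$hash, a normal modular-crypt value
    return "unknown-format"

def audit(shadow_text):
    """Map each user name to the classification of its password field."""
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(":", 2)[:2]
        result[user] = classify(hash_field)
    return result

def passwordless_accounts(shadow_text):
    """Accounts that need attention: they require no passphrase at all."""
    return sorted(u for u, s in audit(shadow_text).items() if s == "empty-password")

if __name__ == "__main__":
    for user, status in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {status}")
```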

[#usrnmpw]: Simple logins: Username and basic passphrase
Setting/changing passwords

If the goal of changing a password is to disable an account, another option may be to simply disable the user account. That may even be more effective. (The main reason that disabling an account may be more effective is that it may successfully prohibit more of the possible alternative forms of credential authentication.)

Changing a user's password on a Unix machine

Note: This section is about changing passwords that reside on a Unix machine. (If the goal is to use Unix to change a password on another system, the section on changing a password for Microsoft Windows (NT-based) from Unix may be more applicable.)

Use “ passwd username ”. The /etc directory, often residing on the / mount point, will need to be writable. Generally it will be, but it may not be if the system was started in single user mode (generally done to set a password for an account in the wheel group).

To see if this is a problem, run mount. See if the flags show “read-only” or similar (such as a flag of “ro”).

If this is an issue, a generally recommended process is to first check a filesystem, and then change the mount options. OpenBSD's FAQ 8: Dealing with a lost root password provides a recommended approach to remedy that situation. The example from that document was slightly modified to create the following recommended command:

fsck / && mount -uwv / && passwd

... or, for less interactivity (but more possibility of a more automated method causing substantial data loss), the following may work:

fsck -p / && mount -uwv / && passwd

Perform that same sort of command on any other directory that needs to be written to, replacing the references to / with the actual directory needed. One likely location is /etc if it is on its own separate mount point (which it probably is not).

This will check the filesystem and then, only if the check reports no detected problems at all (so that fsck exits successfully and the && chain continues), update the mount options to make the filesystem writable, reporting that update verbosely. Note that checking a filesystem might be a quite time-consuming process.

OpenBSD's FAQ on a lost root password also says that “/usr will need to be mounted read-write.” (Hmm, why does /usr need to be writable?)

Once the hard drive is writable, the next step is to use software to change the password of an existing user, or to create a new user (with a known password, or with a password that is then changed). The example commands above try to change a Unix password by using the passwd command. That may work. There may also be other commands that can change a password, such as vipw (perhaps more commonly supported, although requiring some substantial knowledge so that a hash may be inserted where needed), chpass, or “ usermod -vp ”.

Changing a user's password on a Microsoft Windows machine

Microsoft KB Q189126: Microsoft policy about lost or forgotten passwords (Microsoft KB Q189126: English release) basically indicates that Microsoft doesn't want to delve too much into providing ways to exploit weaknesses in password implementations. (Many other approaches would probably result in Microsoft needing to either perform actions that embarrass earlier attempts to provide security, and/or be quite self-inconsistent.)

Windows NT-based operating systems
Using the command line

MS KB Q149427: How to Change User Password at Command Prompt (formerly at http://support.microsoft.com/support/kb/articles/Q149/4/27.ASP) shows some options. The general syntax is:

net user customUserName newPassword

The customUserName and newPassword parameters are customizable. However...

For the new password, the recommended value to specify when doing this interactively is an asterisk. Using an asterisk for the new password has a special meaning which causes the net command to prompt for the user's new password (twice, the second time to confirm it). To be abundantly clear, here is what the syntax will look like:

net user customUserName *

In the above example, only the customUserName parameter needs to be customized.

If operating on a Microsoft Windows Active Directory domain, workstations may be able to change the password of a domain account by adding a “ /DOMAIN” command line parameter to the end of the above examples.

Naturally, permission is required for any of these password changes: MS KB Q149427: How to Change User Password at Command Prompt notes, “ Non-administrators receive a "System error 5 has occurred. Access is denied" error message when they attempt to change the password.”

Using a graphical interface
Changing the password for a logged-in user

Pressing Ctrl-Alt-Delete may provide a menu of options, including something like “Change password”.

Changing the password for any user

There is an interface available in the Computer Management MMC snap-in (which may be available by right-clicking on “Computer” or “My Computer” and selecting “Manage”; if that doesn't work, it is easily available from the Administrative Tools section, which is available from the Control Panel). This may only be available in certain Server/Pro versions of Microsoft Windows, and not be available in Home varieties.

Another option is to use the Control Panel applet. Once logged on as an authorized user (either the user, or an Administrator account), go to the “User Accounts” control panel applet. The following instructions are meant for Windows XP Home but the process may also be similar for other operating systems. Choose the user to modify. Then, with the chosen user account's name now appearing in the right frame, a hyperlink named “Change the password” will appear in the middle. More details and screenshots are shown by Microsoft KB 894900: Using an Administrator account.

When attempted passwords are being rejected

This could happen due to a user simply forgetting the right password, a problem that occurred when trying to set a new password (accidentally mistyping the same way twice in a row when setting the password, but not doing so again later), or perhaps some other reason such as an “expiration date” for the account.

[#homwxpwd]: Windows XP Home options

Windows XP Home intentionally comes with several ways to help circumvent this problem. (At least some of these methods might be available in other Microsoft Windows operating systems.)

Using an Administrator account

Many people, who weren't savvy enough to successfully change and remember a password, may also not have been aware of a gaping-wide security hole: the account named Administrator is often enabled with a blank password. This might especially be true for Home versions of Microsoft Windows, which might start with a default account (perhaps named “Owner”) that is visible on the default login screen, and then people create other visible accounts and set passwords for all of them, but meanwhile there is still the Administrator account that is available even though it might not be visible on the default login screen. (There may also be an account called “Guest” that is, by default, available for logging into, but not visible on the default login screen.)

Pressing the “three finger salute” combination (Ctrl-Alt-Delete) twice in a row may often reboot a computer, but may also help. Try pressing it once. If, after 4-10 seconds, nothing happens and the computer is still asking for a login, then it is likely that pressing the three finger salute again may switch login interfaces to one that allows the computer's user to type a user account and password. This will allow a user to simply type the desired account name (e.g. Administrator).

Booting into Safe Mode might show a logon screen that allows people to choose the username, but also end up showing the Administrator account that may be logged into. Microsoft KB 894902: Setting a new password as an administrator shows this approach. However, this does require booting the computer into safe mode, unlike using the double-Ctrl-Alt-Delete method. Safe Mode may nevertheless be helpful. (Perhaps the reason is simply that the Administrator account will then show up as a choosable account.)

Password Hint

Microsoft KB 894900: Lost Windows XP Home passwords provides an introduction and some details about setting up alternate credentials in the form of a “password hint”, and using such a hint if it has already been set up (by clicking on a ? icon nearby the button to submit a password).

These hints are set when changing a password.

Password reset disk
Microsoft KB 894900: Using a password reset disk explains how to use this sort of disk (which contains information that can be used to reset a specific user account). The process involves having a tooltip-like information bubble point to the password box and provide a “use your password reset disk” hyperlink. This spawns a GUI that will ask for the reset disk to be inserted into the A: drive (which implies a floppy disk drive). This also requires preparation: the password disk is created from the “User Accounts” control panel applet by selecting a user and then choosing the “Prevent a forgotten password” hyperlink in the left frame. The process creates a new password reset disk and breaks the usability of any older password reset disks that may have been created in the past (for the same user account). Note that the disk may remain valid even if the user changes the account's password.

If all else fails, the troubleshooting section does (or will) have some details to help.

Using a network request

An Active Directory Primary Domain Controller may accept password changes.

The most well-known way may be for the client to change the password locally on the machine, such as using a graphical interface by pressing Ctrl-Alt-Delete and choosing to change a password. Another method may be to use tools that handle the SMB protocol (the protocol implemented by Samba). net uses this protocol, and indeed this may be done using “ net user username * /DOMAIN ”. (The only portion of that command which needs to be customized is the specified username.) Likewise, Unix systems can use smbpasswd with the “ -r NetBIOSMachName -U username ” parameters.

[#mswpwunx]: Changing a password for Microsoft Windows (NT and descendants), using Linux

One option that may exist from a remote computer is to use a network request.

Another option may be to boot into Linux. The general process involves having the machine, the one that has used Microsoft Windows, boot into an operating system using Linux. Some Linux distributions come with software that can perform this sort of password change. Others may be able to install a software package with such software. Details on the general process may be in the section about troubleshooting: more challenging steps to change a lost password for logging into an operating system.

Note: This section is documentation of information that is widely reported on various sites, but which may not have been fully verified by the author of this text. Determine relevant risk factors before proceeding.

Petter N Hagen's chntpw

One option may be to use boot images by Petter N Hagen, which contain the chntpw program. (There is a “Download” section on the page.)

Some other distributions may be known to include this software, such as SystemRescueCD.

(From the system32/config/ subdirectory under where Windows was installed, as root, use “ chntpw -u username SAM ”. Example text is shown at Ubuntucat's archive on resetting a Windows password with Ubuntu.)

Note: Some experience (perhaps on Windows Server 2008 R2) has indicated that changing the password may have an unexpected effect of making some other change to the account's status. It may be worthwhile, immediately after changing the password, to run the program again and make sure the account is listed as being unlocked/enabled.

Win9x

HTML version of Samba's online documentation for the smbpasswd command says, “Note that Windows 95/98 do not have a real password database so it is not possible to change passwords specifying a Win95/98 machine as remote machine target.” Although there may be some sort of multi-user support for these machines,

The Control Panel's Network icon may have an option about what login method is used when the system starts up. This can affect whether a password prompt is shown.

ComputerHope.com guide has some information, such as passwords and/or profile information being in *.PWL files and/or the profiles\ subdirectory under where Windows was installed.

More info may be found from: Microsoft KB 152104: Preventing an interactive Win9x/ME Login Prompt at Startup, MS KB 135586: Hiding the last logged on username (in Win95), MS KB 140709: Caching an NT domain password (in Win9x/ME), SoftStack.com Guide: Getting Win98 to save a login password

Dealing with lost logins

See: lost passwords.

[#authkeyf]: “Key file”-based authentication
These are typically more secure than basic typed passphrases due to a substantially longer “secret”. They can also be automated, so once implemented, can even be easier to use than simple logins.
[#otpauth]: One-time passwords
Nomenclature
“One-Time Passwords”, with a hyphen between the first couple of words and not the latter words, is the way that the words are written in RFC 2289. Certainly there are many uses of the phrase “One Time Passwords” without any hyphens.
Overview

A mixture of a neat/new technology (one time credentials) and an archaic technology that is best replaced (passwords).

The basic idea of one-time passwords is that a secret (key/passphrase) is used to generate a series of credentials (such as passphrases). In at least some cases, the same sequence of credentials may be easily recreated as long as the same secret is used to seed the same algorithm. Therefore, if a portable device (such as a laptop or something smaller such as a PDA or perhaps a cell phone) is available to re-generate the sequence of credentials. If a keyboard logger captures a passphrase that is successfully used, that should not cause a breach of security because those exact same credentials will not be accepted again. The next time the person logs in, different credentials from the same series will be required.

The effectiveness is discussed in RFC 3631 Section 3.1.

For this to work, the software which is requesting credentials needs to support the one-time password feature. At minimum, the software needs to invalidate credentials that are accepted so that they do not work again. (Typically, the way that the authenticating software, such as a remote command line or an FTP site, invalidates such credentials is to call a function/plugin/module which performs the authentication and will invalidate any successfully used credential.) Typically the software, when authenticating, will also report a number which identifies a specific set of credentials in the series: the user logging in can then combine that number with the secret key/passphrase, and from that information derive the single set of credentials that the software is looking for.

There are multiple implementations for one-time passwords. For further details, see One-Time Password Authentication.
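The hash-chain scheme described above, as an added example that is not code from the original page or from any of the implementations it refers to: the server holds only the last accepted value and the sequence number it reports in its challenge, the client re-derives credential number N from the secret, and a replay of an already-used credential is rejected. The chain step is simplified to a full SHA-256 digest rather than the 64-bit folded MD4/MD5/SHA-1 output of RFC 2289; the secret, seed and count are constructed values.

```python
import hashlib
import hmac

def _step(value):
    # One link of the chain (simplified: RFC 2289 folds the digest to 64 bits).
    return hashlib.sha256(value).digest()

def client_response(secret, seed, sequence):
    """Client side: re-derive credential number `sequence` from the secret.

    h_0 = H(seed || secret), h_i = H(h_{i-1}); the server never sees the secret."""
    value = _step(seed.encode() + secret.encode())
    for _ in range(sequence):
        value = _step(value)
    return value

class OtpVerifier:
    """Server side: stores the last accepted credential and the next expected number."""

    def __init__(self, seed, top_hash, count):
        self.seed = seed
        self.last = top_hash        # h_count, registered at enrolment
        self.sequence = count - 1   # the number the next challenge reports

    def challenge(self):
        # What the login prompt reports to the user: sequence number and seed.
        return (self.sequence, self.seed)

    def verify(self, sequence, candidate):
        # Only the credential for the currently expected number is acceptable,
        # and only if hashing it once reproduces the last accepted credential.
        if self.sequence < 0 or sequence != self.sequence:
            return False
        if not hmac.compare_digest(_step(candidate), self.last):
            return False
        self.last = candidate       # invalidate: a replay now fails the check
        self.sequence -= 1
        return True

def demo():
    """Enrol, log in once, replay the same credential, then log in with the next one."""
    secret, seed, n = "correct horse", "ke1234", 5          # constructed values
    server = OtpVerifier(seed, client_response(secret, seed, n), n)
    seq, server_seed = server.challenge()
    first = server.verify(seq, client_response(secret, server_seed, seq))
    replay = server.verify(seq, client_response(secret, server_seed, seq))
    seq2, _ = server.challenge()
    second = server.verify(seq2, client_response(secret, server_seed, seq2))
    return first, replay, second

if __name__ == "__main__":
    print(demo())
```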

Identifying by URL

For example, with OpenID.

Biometric reading technology
Some laptops have a fingerprint scanner.