Building Upon the Concept from AutogeneratedPassword (fwd)

Hi jd,

We’ve recently implemented a PHP driven password reminder system for our
self-service users. They enter an e-mail address which is checked against
the DB (we use postgres8). Valid addresses get login details e-mailed back
out to the supplied address.
http://www.hpa-bioinfosupport.org.uk/RT/

AFAIK it’s not possible to easily backtrack from an MD5 encrypted string, so
our system involves resetting the password to a standard pattern within the
system. Resetting the password seems to be the best way, but I’m prepared
(and expecting) to be corrected.

Steve

Steve Platt
Bioinformatics Support Co-ordinator
Bioinformatics Unit: Statistics, Modelling & Bioinformatics Department
Center for Infections
Health Protection Agency
61 Colindale Avenue
London
UK
NW9 5EQ
http://www.hpa.org.uk/srmd/bioinformatics/index.htm

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of
doogles@doogles.com
Sent: Thursday,16 February 2006 02:20
To: rt-users@lists.fsck.com
Subject: [rt-users] Building Upon the Concept from AutogeneratedPassword
(fwd)

It occurred to me that the passwords are encrypted in the database, which
is likely the reason this isn’t trivial. Is the password encryption
one-way? Is this something I could turn off?

The customers we have using RT love the SelfService interface, but as I
mentioned, they tend to forget their password. Has anyone else done up
something like a “Forgot password, send me a new one”-type functionality
that they would be willing to share? This has become quite an
administration headache for me.

-jd

---------- Forwarded message ----------
Date: Mon, 13 Feb 2006 05:46:37 -0500 (EST)
From: doogles@doogles.com
To: rt-users@lists.fsck.com
Subject: [rt-users] Building Upon the Concept from AutogeneratedPassword

RT Users–

(I’m running RT 3.4.5.)

I recently modified my Autocreate templates to include the logic suggested
in the AutogeneratedPassword page in the BestPractical wiki. This works well.
However, my user base has a usage pattern which has them interfacing with RT
“once and awhile”, and they tend to forget what their password is.

I would like to build upon the AutogeneratedPassword template to email
username/password every time they open up a ticket.

I tried a couple of different things without success. Would anyone care to
suggest the ‘right’ way to accomplish this? I would be happy to update the
Wiki after I successfully implement this.

Thanks!,
-jd
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Be sure to check out the RT Wiki at http://wiki.bestpractical.com

Download a free sample chapter of RT Essentials from O’Reilly Media at
http://rtbook.bestpractical.com

WE’RE COMING TO YOUR TOWN SOON - RT Training in Amsterdam, Boston and
San Francisco - Find out more at
http://bestpractical.com/services/training.html

The information contained in the EMail and any attachments is
confidential and intended solely and for the attention and use of the
named addressee(s). It may not be disclosed to any other person without
the express authority of the HPA, or the intended recipient, or both.
If you are not the intended recipient, you must not disclose, copy,
distribute or retain this message or any part of it. This footnote also
confirms that this EMail has been swept for computer viruses, but
please re-sweep any attachments before opening or saving.
HTTP://www.HPA.org.uk *************************************************

Steven–

Hrm, is there any authentication to this? I’m thinking something like the
e-commerce folks use, email out a big long string that needs to be passed
back to the server. If you don’t really have access to that email
address, you can’t change the password. If you do, then you click the
link and are given the option to reset your password.

What do you think?

-jd

On Thu, 16 Feb 2006, Steven Platt wrote:

Hi jd,

We’ve recently implemented a PHP driven password reminder system for our
self-service users. They enter an e-mail address which is checked against
the DB (we use postgres8). Valid addresses get login details e-mailed back
out to the supplied address.
http://www.hpa-bioinfosupport.org.uk/RT/

AFAIK it’s not possible to easily backtrack from an MD5 encrypted string, so
our system involves resetting the password to a standard pattern within the
system. Resetting the password seems to be the best way, but I’m prepared
(and expecting) to be corrected.

Steve

Steve Platt
Bioinformatics Support Co-ordinator
Bioinformatics Unit: Statistics, Modelling & Bioinformatics Department
Center for Infections
Health Protection Agency
61 Colindale Avenue
London
UK
NW9 5EQ
http://www.hpa.org.uk/srmd/bioinformatics/index.htm

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On Behalf Of
doogles@doogles.com
Sent: Thursday,16 February 2006 02:20
To: rt-users@lists.fsck.com
Subject: [rt-users] Building Upon the Concept from AutogeneratedPassword
(fwd)

It occurred to me that the passwords are encrypted in the database, which
is likely the reason this isn’t trivial. Is the password encryption
one-way? Is this something I could turn off?

The customers we have using RT love the SelfService interface, but as I
mentioned, they tend to forget their password. Has anyone else done up
something like a “Forgot password, send me a new one”-type functionality
that they would be willing to share? This has become quite an
administration headache for me.

-jd

---------- Forwarded message ----------
Date: Mon, 13 Feb 2006 05:46:37 -0500 (EST)
From: doogles@doogles.com
To: rt-users@lists.fsck.com
Subject: [rt-users] Building Upon the Concept from AutogeneratedPassword

RT Users–

(I’m running RT 3.4.5.)

I recently modified my Autocreate templates to include the logic suggested
in the AutogeneratedPassword page in the BestPractical wiki. This works well.
However, my user base has a usage pattern which has them interfacing with RT
“once and awhile”, and they tend to forget what their password is.

I would like to build upon the AutogeneratedPassword template to email
username/password every time they open up a ticket.

I tried a couple of different things without success. Would anyone care to
suggest the ‘right’ way to accomplish this? I would be happy to update the
Wiki after I successfully implement this.

Thanks!,
-jd




JD, Urivan & all,

- User A logs into RT
- User A is really busy changing tickets
- User B requests a password change using User A's email

Will the system prompt User A in the next submit he makes?

I probably should’ve explained what we’ve done more clearly.

As it’s not possible to recover an MD5 encrypted string we just overwrite
the old pwd with the new one. Both pwds conform to a standard format so what
happens is that both old & new pwds are the same.
The system doesn’t allow a user to specify their pwd, it’s generated from
the e-mail address they give the reminder script (the potential problem
spotted by Urivan should never crop up).
This is also the check…the address must be linked to an RT self service
account or else no reminder.

We’ve got a fairly low ticket turnover and a localised user base of only a
couple of hundred people, each with access to the e-mail accounts they use
to access RT, so more advanced authentication systems aren’t really
necessary.

Despite the small setup, it was a nightmare to manage our helpdesk before we
started with RT. Excellent system!

Steve
Bioinformatics
Health Protection Agency, UK

-----Original Message-----
From: doogles@doogles.com [mailto:doogles@doogles.com]
Sent: Friday,17 February 2006 01:24
To: Steven Platt; rt-users@lists.fsck.com
Subject: RE: [rt-users] Building Upon the Concept from AutogeneratedPassword
(fwd)

Steven–

Hrm, is there any authentication to this? I’m thinking something like the
e-commerce folks use, email out a big long string that needs to be passed
back to the server. If you don’t really have access to that email
address, you can’t change the password. If you do, then you click the
link and are given the option to reset your password.

What do you think?

-jd


doogles@doogles.com wrote:

Hrm, is there any authentication to this? I’m thinking something like
the e-commerce folks use, email out a big long string that needs to be

We do something along those lines at Rice – if a user requests a new
password, RT sends a confirmation e-mail to them, and they must reply to
the confirmation e-mail leaving the Subject line intact to get a new
password. It’s all done with custom scrips on a special queue.

Rick R.

Rick Russell
For computer help, call xHELP (x4357 or 713-348-4357)
OpenPGP/GnuPG Public Key at ldap://certificate.rice.edu
761D 1C20 6428 580F BD98 F5E5 5C8C 56CA C7CB B669
Helpdesk Supervisor, Client Services
IT/Academic & Research Computing
Rice University
Voice: 713.348.5267 Fax: 713.348.6099
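
The emailed-token flow jd suggests above ("email out a big long string that needs to be passed back to the server"), sketched in Python as an added example; it is not code from the thread or from RT. The in-memory tables, the function names and the one-hour lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed policy)

# Constructed in-memory stand-ins for the user table and a reset-token table.
users = {"alice@example.org": {"pw_hash": "old-hash-placeholder"}}
pending = {}  # sha256(token) -> (email, expires_at)


def _digest(token):
    """Only this digest is stored, so a leaked table does not yield usable links."""
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Return the token to e-mail to `email`, or None for an unknown address.

    The stored password is not touched here, so someone who types another
    user's address cannot change that user's login. The page shown to the
    requester should be identical in both cases.
    """
    now = time.time() if now is None else now
    if email not in users:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    pending[_digest(token)] = (email, now + TOKEN_TTL)
    return token


def redeem(token, new_pw_hash, now=None):
    """Set the new password hash only for a known, unexpired, unused token."""
    now = time.time() if now is None else now
    entry = pending.pop(_digest(token), None)  # pop makes the token single-use
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    users[email]["pw_hash"] = new_pw_hash  # hash computed by the caller
    return True
```

Because `request_reset` leaves the stored password alone, the scenario raised earlier in the thread (User B submitting User A's address) has no effect on User A unless the mailed token is redeemed.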