What is a password

OU Passwords
What they all mean

What is a password

- Webster's Online Dictionary describes a password as "a sequence of characters required for access to a computer system" (www.m-w.com)
- OU passwords are associated with an OUNetID and allow access to all of the secure IT services.
Security

- OU passwords should be 5 to 8 characters
  – Special characters are allowed (e.g. [ & $ ! < / )
  – The only requirement is that you cannot have a <Space> as the leading character in a password.
- Passwords are not perfectly secure and can be cracked.
  – To reduce this risk, it is recommended that passwords use the full 8 characters and include lower and upper case letters, numbers and special characters.
Security (continued)

- Passwords should not be something that is easily guessed (e.g. spouse's name, birthday, boomer or sooner, pet's name)
- There are also word lists of pop culture subjects (e.g. all the planets in Star Trek or different types of ships in Star Wars). So it is ill-advised to use a term from pop culture (or even the dictionary) as your password.
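The two Security slides above describe a concrete policy (5 to 8 characters, no leading space, special characters allowed) and a set of recommendations (full length, all four character classes, no guessable or pop-culture words). The checker below is an added example, not part of the original training material; the guessable word list and the split between enforced errors and advisory warnings are assumptions made for illustration.

```python
import string

# Constructed word list standing in for the "easily guessed" and pop-culture
# terms the slides warn about; a real deployment would load a full dictionary.
GUESSABLE_WORDS = {"boomer", "sooner", "password", "vulcan", "romulus", "xwing"}

# Policy values taken from the slides: 5 to 8 characters, no leading space.
MIN_LEN, MAX_LEN = 5, 8


def check_ou_password(pw: str) -> dict:
    """Return {'valid': bool, 'errors': [...], 'warnings': [...]}.

    'errors' are hard policy violations from the slides; 'warnings' are the
    slides' recommendations (full length, all four character classes, not a
    guessable word), which make cracking harder but are not enforced here.
    """
    errors, warnings = [], []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        errors.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if pw.startswith(" "):
        errors.append("leading space is not allowed")

    # string.punctuation covers the special characters the slide lists ([ & $ ! < /).
    classes = {
        "lower": any(c in string.ascii_lowercase for c in pw),
        "upper": any(c in string.ascii_uppercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        warnings.append("missing character classes: " + ", ".join(missing))
    if len(pw) < MAX_LEN:
        warnings.append(f"use the full {MAX_LEN} characters")

    # Compare case-insensitively with digits and punctuation stripped, so that
    # 'Sooner1!' is still recognised as the guessable word 'sooner'.
    core = "".join(c for c in pw.lower() if c.isalpha())
    if core in GUESSABLE_WORDS:
        warnings.append(f"'{core}' is an easily guessed word")

    return {"valid": not errors, "errors": errors, "warnings": warnings}
```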
Security (continued)

- In an effort to prevent hackers from trying multiple passwords until they find the correct password, OU accounts on the Sooner domain will become "locked" after several failed attempts at logging into a resource.
  – When an account becomes locked, it is inaccessible to the customer until they contact the Helpdesk and we unlock their account.
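The lockout behaviour described on this slide, as an added example that is not part of the original deck: consecutive failures are counted per account, the account locks at a threshold (the slide says only "several", so 5 is an assumed default), a locked account refuses even the correct password, and only a Helpdesk-style unlock clears it. The salted PBKDF2 storage is an illustration choice, not a description of how the Sooner domain stores passwords.

```python
import hashlib
import hmac
import secrets

LOCKOUT_THRESHOLD = 5  # assumed; the slide says only "several failed attempts"


class LockingAuthenticator:
    """Toy credential store with Sooner-style lockout after repeated failures."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.users = {}      # name -> (salt, digest)
        self.failures = {}   # name -> consecutive failure count
        self.locked = set()  # names that must be unlocked by the Helpdesk

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, self._digest(salt, password))

    def login(self, name: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        if name in self.locked:
            return "locked"  # the right password is refused while locked
        if name not in self.users:
            return "bad_password"  # same answer as a wrong password
        salt, digest = self.users[name]
        if hmac.compare_digest(digest, self._digest(salt, password)):
            self.failures[name] = 0  # a successful login resets the counter
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= self.threshold:
            self.locked.add(name)
            return "locked"
        return "bad_password"

    def helpdesk_unlock(self, name: str) -> None:
        """What the Helpdesk does when the customer calls in."""
        self.locked.discard(name)
        self.failures[name] = 0
```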
Just one password?

- OU IT currently maintains several password stores
  – NT domains (admin, academic, sooner, ou, ounet, image)
  – Oracle
  – Old LDAP
  – New LDAP
  – CICS/TSO
  – Sybase
  – Newsgroups
NT Domain Passwords

- The NT 4.0 Domain Controllers store information about the computers that attach to them
- There are several other NT Domains on campus that IT does not maintain (SATTRN, HOUSING, ATHLETIC).
- The passwords for the NT domains are separate from the other passwords and do not necessarily synchronize with the other password stores
  – This might result in a customer having more than one password associated with their OUNet ID
Sooner Domain

- This is the Active Directory (AD) password.
- The AD domain controllers are just a big LDAP server that stores lots of things.
- Whenever someone connects to the Sooner domain, the password they enter is verified against the one stored in the domain controller.
Oracle

- Oracle is a database that is eventually going to feed everything
  – That is, once you put someone into Oracle, they will eventually get populated into all the other databases
- The password stored in this database is changed via the SupportTool
LDAP

- Lightweight Directory Access Protocol
  – LDAP is a well-accepted protocol and is easy to access
  – It's a big database to store user info
- For example, if you want to use password security for a web service, this would be a good protocol to connect to
- A more thorough description is on the next two screens.
LDAP (continued)

LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. LDAP is lighter because in its initial version it did not include security features. LDAP originated at the University of Michigan and has been endorsed by at least 40 companies. Netscape includes it in its latest Communicator suite of products. Microsoft includes it as part of what it calls Active Directory in a number of products including Outlook Express. Novell's NetWare Directory Services interoperates with LDAP. Cisco also supports it in its networking products. In a network, a directory tells you where in the network something is located. On TCP/IP networks (including the Internet), the domain name system (DNS) is the directory system used to relate the domain name to a specific network address (a unique location on the network). However, you may not know the domain name. LDAP allows you to search for an individual without knowing where they're located (although additional information will help with the search).

source: www.whatis.com
LDAP (continued)

An LDAP directory is organized in a simple "tree" hierarchy consisting of the following levels:
  – The root directory (the starting place or the source of the tree), which branches out to
  – Countries, each of which branches out to
  – Organizations, which branch out to
  – Organizational units (divisions, departments, and so forth), which branch out to (include an entry for)
  – Individuals (which includes people, files, and shared resources such as printers)

An LDAP directory can be distributed among many servers. Each server can have a replicated version of the total directory that is synchronized periodically. An LDAP server is called a Directory System Agent (DSA). An LDAP server that receives a request from a user takes responsibility for the request, passing it to other DSAs as necessary, but ensuring a single coordinated response for the user.

source: www.whatis.com
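The two excerpts above describe the directory tree (root, country, organization, organizational unit, individual) and the ability to find an individual without knowing where in the tree they sit. The model below is an added example, not part of the original deck or of any real LDAP server: it holds a small constructed directory as distinguished names and implements base, one-level and subtree searches with an equality filter, so a subtree search from the organization finds a person without naming their organizational unit. All entry names are made up.

```python
# Constructed directory following the hierarchy described in the excerpt:
# country (c) -> organization (o) -> organizational unit (ou) -> individual (cn).
# Every name and attribute value here is invented for illustration.
DIRECTORY = {
    "c=US": {"objectClass": "country"},
    "o=Example University,c=US": {"objectClass": "organization"},
    "ou=IT,o=Example University,c=US": {"objectClass": "organizationalUnit"},
    "ou=Housing,o=Example University,c=US": {"objectClass": "organizationalUnit"},
    "cn=Pat Helpdesk,ou=IT,o=Example University,c=US":
        {"objectClass": "person", "mail": "pat@example.edu"},
    "cn=Print Queue 1,ou=Housing,o=Example University,c=US":
        {"objectClass": "printer"},
    "cn=Sam Staff,ou=Housing,o=Example University,c=US":
        {"objectClass": "person", "mail": "sam@example.edu"},
}


def parse_dn(dn: str) -> list:
    """Split 'cn=X,ou=Y,c=Z' into [('cn','X'), ('ou','Y'), ('c','Z')]."""
    return [tuple(rdn.split("=", 1)) for rdn in dn.split(",")]


def is_under(dn: str, base: str) -> bool:
    """True if dn is the base entry itself or lies below it in the tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def search(base: str, scope: str, filt: dict) -> list:
    """Minimal LDAP-style search returning matching DNs.

    scope is 'base' (the entry itself), 'one' (direct children) or 'sub'
    (the whole subtree); filt is an AND of attribute == value matches.
    """
    base_depth = len(parse_dn(base))
    results = []
    for dn, attrs in DIRECTORY.items():
        if not is_under(dn, base):
            continue
        depth = len(parse_dn(dn)) - base_depth
        if (scope == "base" and depth != 0) or (scope == "one" and depth != 1):
            continue
        # The leftmost RDN (e.g. cn=Sam Staff) is also a matchable attribute.
        entry = dict(attrs)
        entry.update(dict(parse_dn(dn)[:1]))
        if all(entry.get(k) == v for k, v in filt.items()):
            results.append(dn)
    return results
```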
LDAP (continued)

- IT currently maintains a primary LDAP server
  – Chewy
- This server is part of the new POP mail system and will become the primary LDAP server to which people connect
- Customers can access this server by using either ldapv3.ou.edu (the preferred method) or ldap.ou.edu.
CICS/TSO

- These passwords are used to access either CICS or TSO (via either the SNA client or Host On Demand).
  – This allows the user to interact with the mainframe
  – These passwords cannot start with a number
  – This password can never be reset to a password previously used by the customer
Sybase

- Sybase is the old database system that we use. It gets its information from the mainframe and pushes it to Oracle and OUsql, the Exchange system
- Current plans are to get rid of this database in the near future.
- Within 2-3 years we should only have Oracle, LDAP, and SOONER.
How is the password changed?

- The SupportTool calls scripts from a couple of different places to change the NT passwords; it also connects to a stored procedure in Oracle to change the Oracle password.
Exchange Passwords

- Exchange passwords authenticate against trusted NT domains (Admin, Academic, Athletic, Sooner, et al.)

Email Passwords

- The POP email system authenticates passwords against the new LDAP system (Chewy).
Password Sources

[Diagram: Sybase feeds Oracle, which propagates to Sooner and LDAP.]