NetIQ SecureLogin Provides Password Security Without End User Involvement

NetIQ SecureLogin can enhance the security and automation of internal or external web sites with strong passwords and frequent password changes without having to burden the end user.

Questions:

  •  Does your user base access websites that don’t enforce password policies?
  •  Do users often forget their password for the website and are calling the helpdesk?
  •  Would you prefer that users not know their password to the website at all, with a complex random password set on their behalf, while they keep access?
  •  Do you wish that the website forced users to change passwords periodically?
  •  Do you want password complexity enforced on the site?

SecureLogin’s Password Policies Enforce Password Complexity

The password used will be as complex as required but won’t require the user to remember the password or (gasp) write it down. SecureLogin provisions and authenticates the user when they go to a website without prompting them for the password.

SecureLogin sets a random password for the user, keeps the current random password in encrypted form in the user's credential set, and authenticates the user to the site automatically. Whether the user can view the current and prior password is an environment configuration setting: they have that right only if the configuration explicitly allows it.

Because the user never has to maintain the password, and because it is randomized, the result is a far stronger password than most users would choose, and one that meets the complexity rules of the password policy.

When the password has not been changed for more than 45 days, or whatever duration you specify, the script redirects the browser to the change-password page and sets a new random password for the user. The age is calculated from the workstation clock, so the check is only as reliable as that clock. A password generated by this script looks like the value quoted in the script header: 7aPx@omhAJ<yUpd_R-p4fX;I1

SecureLogin Example Webscript

Note that the script shown directly below is not complete; the full script is at the bottom of the page. Read the comments in the script to familiarize yourself with its functionality. If you copy and paste it, check that every comment line still begins with a "#" so that wrapped comment text is not executed when the script runs.


#============================================================
# EXE/ID: accounts.google.com
# Name: Gmail
# Type: Web
# Version: 1
# Created By: Fred Patterson
#
# Purpose: web script example of password policy enforcement, random password generation, and automated password change to a random password after 45 days
#
# Example of the password complexity produced: 7aPx@omhAJ<yUpd_R-p4fX;I1
#
# To use the script you need a credential called "pwdchangeTime" holding epoch time (seconds since 1 Jan 1970 UTC, the same value ?CurrTime(System) returns). Example: 1409007708.
#
# Default is to change the password every 45 days. The example value above is already more than 45 days old, so the password would be changed at the first login.
#
# A password policy needs to be created and called gmailPwdPolicy.
#
# The URLs below were captured from the Google pages when this script was written. Re-check them (and re-run the Web Wizard for the login form) before use, as the site can change them at any time.
#
# Thoroughly test the script across a handful of workstations prior to deploying to a large number of users.
#
# This script is to be used as a guide in building out a solution.
#=============================================================

###########################################################
## BeginSection: "Evaluate Password age" -- Custom script
## Site line: we require the site to be mail.google.com/mail. Most people open their mail frequently, so this is a good page on which to check password age, as it is hit often.
## MatchURL line: matches any URL containing mail.google.com.
## We use the Subtract and Divide commands to calculate how many days have passed since the password was last changed. The value 86400 is the number of seconds in a day.
## ?CurrTime(System) returns the number of seconds since 1 Jan 1970 (the Unix epoch), read from the workstation's Windows clock, so a wrong clock skews the result. This works regardless of the directory used to store the data.
## If it has been more than 45 days, we direct the user to the change-password page.
###########################################################

Site "mail.google.com/mail" -initial
MatchURL -regex "mail.google.com"
EndSite

Set ?changetime $pwdchangeTime
Set ?current ?CurrTime(System)
Subtract ?current ?changetime ?timea
Divide ?timea 86400 ?timeb
# Uncomment the MessageBox line below to see the values of the variables
#MessageBox "current time: ?current ---- password change time: ?changetime ---- timea: ?timea ---- timeb: ?timeb"
If ?timeb Gt 45
ClearSite Gmail
GoToURL "https://accounts.google.com/b/0/EditPasswd"
EndIf
EndScript

##########################################################
## BeginSection: "Change Password" -- Custom Script
## The RestrictVariable command makes the new password conform to the password policy. When a user initially sets their password on first login, it does not have to meet the complexity rules; however, if the pwdchangeTime value is already more than 45 days old (the default), the random password change is forced immediately.
## For troubleshooting, LastPwdChangeTime is stored in readable form so that the date of the last change can be read easily.
## After the password change is completed, we redirect the user to their mail so that they do not try to change the password themselves. If they go to the account password page to change it manually, the script matches that page and changes the password to a new random value again.
##########################################################

Site "accounts.google.com/b/0/EditPasswd"
MatchURL -regex "accounts.google.com/b/0/EditPasswd"
EndSite

## Modify the MessageBox line below to conform to your policies and guidelines.
MessageBox "Only corporate gmail accounts can be accessed from this computer. The System is changing the Password for gmail to a random password. Do not interfere in this process or it may lead to you not being able to login. The single sign on software will automatically log you in to the gmail system upon successful authentication"
RestrictVariable $Passwordnew gmailPwdPolicy
Set $PasswordBackup $Password
Type $Password #1
ChangePassword $Passwordnew Random
Type $Passwordnew #2
Type $Passwordnew #3
Submit
Set $Password $Passwordnew
Set $pwdchangeTime ?CurrTime(System)
ConvertTime ?CurrTime(System) ?LastPwdChangeTime
Set $LastPwdChangeTime ?LastPwdChangeTime
GoToURL "https://mail.google.com/mail"
MessageBox "The password change is complete. Thank you, you may continue accessing your mail"
EndScript


Prerequisites For The Script

Install NetIQ SecureLogin into a test environment and familiarize yourself with the product. A password policy needs to be created; see the image below as an example. The name of the policy matters, because the script calls it by name in the line: RestrictVariable $Passwordnew gmailPwdPolicy.

(image: gmail-pwd-policy)

The credential for Gmail must include the property pwdchangeTime with a value similar to 1409007708, the number of seconds since Jan 1, 1970 (the Unix epoch, which is also what ?CurrTime(System) returns). If you want the password to be randomized on the initial authentication, make sure the value represents a date older than 45 days, or whatever number of days you specify. Setting this value on the container object makes it effective for all users under that container.

(image: pwdchangeTime)

Make sure you are using a supported web browser and version based on the SecureLogin documentation.

Additional Information

Below is an image showing what the credentials look like for an existing user. The administrator who took this screenshot had no option to view the passwords; a user who has permission to view their credentials will see the password values only if that is enabled in the SecureLogin properties. The image shows that the password was last changed on Dec 19, and shows the same instant as the epoch value (seconds since Jan 1, 1970). PasswordBackup holds the password as it was before the change, and Passwordnew holds the value the script attempted to set. Both are stored in case the process is interrupted and the user needs to log in manually with the old password, which works as long as the old password is still valid because the new one was never actually set. Note that these two properties are live credentials for as long as the old password remains valid, so they deserve the same view restrictions as $Password.

(image: gmail-credential-example)

If you are looking to use this for a different site, you will want to look at modifying the following variables or commands:

Site

MatchURL

ClearSite

GoToURL

RestrictVariable

Type:   The Type commands depend on the website and on whether it requires the old password or not. See the Application Definition Guide in the NetIQ SecureLogin online documentation for details of the commands.

Full Web Script

Because of word wrapping in this document, check the comment section after pasting: every line in it must begin with a pound sign "#".

#=========================================================
# EXE/ID: accounts.google.com
# Name: Gmail
# Type: Web
# Version: 1
# Created By: Fred Patterson
#
# Purpose: web script example showing password policy enforcement, random password generation, and automated password change to a random password after 45 days
#
# Example of the password complexity produced: 7aPx@omhAJ<yUpd_R-p4fX;I1
#
# To use the script you need a credential called "pwdchangeTime" holding epoch time (seconds since 1 Jan 1970 UTC, the same value ?CurrTime(System) returns). Example: 1409007708.
#
# Default is to change the password every 45 days. The example value above is already more than 45 days old, so the password would be changed at the first login.
#
# A password policy needs to be created and called gmailPwdPolicy.
#
# The form, field names and URLs below were captured from the Google pages when this script was written (the "Login Form" sections are Web Wizard output). Re-run the Web Wizard against the current login and password pages before use, as the site can change them at any time.
#
# Prior to deploying in a production environment, thoroughly test the script on several pilot and lab workstations before deploying to a large number of users.
#
# This script is to be used as a guide in building out a solution.
#==========================================================

## BeginSection: "Login Form" -- default from Web Wizard
Site "Gmail" -initial
DebugPrint "Conducting Match on login form Gmail"
MatchForm #1 -name ""
MatchField #1:17 -type "email" -name "Email"
DebugPrint "Matched Field 'Email'"
MatchField #1:18 -type "password" -name "Passwd"
DebugPrint "Matched Field 'Passwd'"
MatchField #1:19 -type "submit" -name "signIn"
DebugPrint "Matched Field 'signIn'"
EndSite

DebugPrint "Successfully matched login form Gmail"
SetPrompt "Email"
FocusInput #1:17
TextInput #1:17 -value "$username"
DebugPrint "Performed entry action TextInput $username into control id#1:17"
SetPrompt "Password"
FocusInput #1:18
TextInput #1:18 -value "$password"
DebugPrint "Performed entry action TextInput $password into control id#1:18"
SetPrompt "Please edit your login variables."
FocusInput #1:19
PressInput #1:19
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"

## BeginSection: "Login Form" -- default from Web Wizard
Site "Gmail" -recent 5000
DebugPrint "Conducting Match on login form Gmail"
MatchForm #1 -name ""
MatchField #1:17 -type "email" -name "Email"
DebugPrint "Matched Field 'Email'"
MatchField #1:18 -type "password" -name "Passwd"
DebugPrint "Matched Field 'Passwd'"
MatchField #1:19 -type "submit" -name "signIn"
DebugPrint "Matched Field 'signIn'"
EndSite

DebugPrint "Successfully matched login form Gmail"
If -exists $username
DisplayVariables $username $password
EndIf
SetPrompt "Email"
FocusInput #1:17
TextInput #1:17 -value "$username"
DebugPrint "Performed entry action TextInput $username into control id#1:17"
SetPrompt "Password"
FocusInput #1:18
TextInput #1:18 -value "$password"
DebugPrint "Performed entry action TextInput $password into control id#1:18"
SetPrompt "Please edit your login variables."
FocusInput #1:19
PressInput #1:19
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"

## BeginSection: "Login Form" -- default from Web Wizard
Site "Gmail" -subsequent
DebugPrint "Conducting Match on login form Gmail"
MatchForm #1 -name ""
MatchField #1:17 -type "email" -name "Email"
DebugPrint "Matched Field 'Email'"
MatchField #1:18 -type "password" -name "Passwd"
DebugPrint "Matched Field 'Passwd'"
MatchField #1:19 -type "submit" -name "signIn"
DebugPrint "Matched Field 'signIn'"
EndSite

DebugPrint "Successfully matched login form Gmail"
MessageBox "Do you wish to re-login?" -YesNo ?Result -DefaultNo
If ?Result Eq "No"
EndScript
EndIf
SetPrompt "Email"
FocusInput #1:17
TextInput #1:17 -value "$username"
DebugPrint "Performed entry action TextInput $username into control id#1:17"
SetPrompt "Password"
FocusInput #1:18
TextInput #1:18 -value "$password"
DebugPrint "Performed entry action TextInput $password into control id#1:18"
SetPrompt "Please edit your login variables."
FocusInput #1:19
PressInput #1:19
DebugPrint "PressInput action performed"
EndScript
## EndSection: "Login Form"

###########################################################
## BeginSection: "Evaluate Password age" -- Custom script
## Site line: we require the site to be mail.google.com/mail. Most people open their mail frequently, so this is a good page on which to check password age.
## MatchURL line: matches any URL containing mail.google.com.
## We use the Subtract and Divide commands to calculate how many days have passed since the password was last changed. The value 86400 is the number of seconds in a day.
## ?CurrTime(System) returns the number of seconds since 1 Jan 1970 (the Unix epoch), read from the workstation's Windows clock, so a wrong clock skews the result.
## If it has been more than 45 days, we direct the user to the change-password page.
###########################################################

Site "mail.google.com/mail" -initial
MatchURL -regex "mail.google.com"
EndSite

Set ?changetime $pwdchangeTime
Set ?current ?CurrTime(System)
Subtract ?current ?changetime ?timea
Divide ?timea 86400 ?timeb
# Uncomment the MessageBox line below to see the values of the variables
#MessageBox "current time: ?current ---- password change time: ?changetime ---- timea: ?timea ---- timeb: ?timeb"
If ?timeb Gt 45
ClearSite Gmail
GoToURL "https://accounts.google.com/b/0/EditPasswd"
EndIf
EndScript

##########################################################
## BeginSection: "Change Password" -- Custom Script
## The RestrictVariable command makes the new password conform to the password policy. When a user initially sets their password on first login, it does not have to meet the complexity rules; however, if the pwdchangeTime value is already more than 45 days old (the default), the random password change is forced immediately.
## For troubleshooting, LastPwdChangeTime is stored in readable form so that the date of the last change can be read easily.
## After the password change is completed, we redirect the user to their mail so that they do not try to change the password themselves. If they go to the account password page to change it manually, the script matches that page and changes the password to a new random value again.
##########################################################

Site "accounts.google.com/b/0/EditPasswd"
MatchURL -regex "accounts.google.com/b/0/EditPasswd"
EndSite

## Modify the MessageBox line below to conform to your policies and guidelines.
MessageBox "Only corporate gmail accounts can be accessed from this computer. The System is changing the Password for gmail to a random password. Do not interfere in this process or it may lead to you not being able to login. The single sign on software will automatically log you in to the gmail system upon successful authentication"
RestrictVariable $Passwordnew gmailPwdPolicy
Set $PasswordBackup $Password
Type $Password #1
ChangePassword $Passwordnew Random
Type $Passwordnew #2
Type $Passwordnew #3
Submit
Set $Password $Passwordnew
Set $pwdchangeTime ?CurrTime(System)
ConvertTime ?CurrTime(System) ?LastPwdChangeTime
Set $LastPwdChangeTime ?LastPwdChangeTime
GoToURL "https://mail.google.com/mail"
MessageBox "The password change is complete. Thank you, you may continue accessing your mail"
EndScript