Changing Password in MLS

Discussions around using and interfacing with the Church MLS program.
russellhltn
Community Administrator
Posts: 28500
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Tue Aug 26, 2008 1:00 am

Mikerowaved wrote:I believe what he's saying is, when an admin creates a new account or changes a user's password, he selects a password for it. If a user never changes their password from that, the admin will know it.


Bingo! :) I realize there are ways this can be avoided, such as always turning over the keyboard to the end user for password entry, but I see MLS's current setup as less secure then standard practice.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.

User avatar
aebrown
Community Administrator
Posts: 15123
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Tue Aug 26, 2008 4:05 am

RussellHltn wrote:So MLS doesn't require the password to be changed when it's entered by the Admin? So it's possible that the Admin knows everyone's password?

I'd like to add a suggestion for MLS: add a "force password change on next login" check box like Windows does. Make it on by default when a new password is entered by the Admin.


As an MLS administrator, the only time I create a user account is when the account owner is present. I go to the Add User link in System Options, and then I select the member for them. Then I have them sit at the computer and select a username (I give them guidance on our standard naming convention), and then they enter their password twice (again, I give them guidance as to the MLS password requirements). I then take over, setting their permissions, using this opportunity to explain what they will be able to do, and I save.

I never ever enter a password for a person. If they have forgotten their password, I meet with them at the administrative computer, edit their user, and let them enter their new password.

Personally, I don't see any reason to create a user unless they are present. Thus I don't see why MLS would need a "force password change on next login" feature. That just forces the administrator to communicate a temporary password, and if the administrator's scheme for temporary passwords were known, it would create a security hole (admittedly quite minor), since at present MLS provides a list of usernames to anyone who has physical access to the computer.

russellhltn
Community Administrator
Posts: 28500
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Tue Aug 26, 2008 10:49 am

Alan_Brown wrote:As an MLS administrator, the only time I create a user account is when the account owner is present.


Yes, there are ways to work around the problem. With the check box you can uncheck it and continue to use your existing methodology.

But this change will encourage wards that don't follow your workflow to be more secure.

The hole created is very small. It would require 1) that the password assigned be known or guessed without locking them out of MLS and 2) that no one gets suspicious that the assigned password does not work (because a new password was required when the bad guy used it.) This is no different then how new accounts are handled in a corporate environment.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.

User avatar
aebrown
Community Administrator
Posts: 15123
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Tue Aug 26, 2008 12:30 pm

RussellHltn wrote:Yes, there are ways to work around the problem. With the check box you can uncheck it and continue to use your existing methodology.

But this change will encourage wards that don't follow your workflow to be more secure.


Actually, any ward that is not following my workflow (or something very similar) is violating current Church policy, as well as reasonable security practices. So if an administrator assigns passwords, he is not "working around the problem" -- he is creating a problem by blatant disregard for policy. Remember that the Using MLS--Ward and Branch Instructions say: "User passwords should not be shared with others." Clearly a password is to be known only by the account owner.

RussellHltn wrote:The hole created is very small. It would require 1) that the password assigned be known or guessed without locking them out of MLS and 2) that no one gets suspicious that the assigned password does not work (because a new password was required when the bad guy used it.) This is no different then how new accounts are handled in a corporate environment.


Corporate environments don't typically deal with a single application installed on a shared computer, so it's not really the same situation. Besides, even if someone gets suspicious after unauthorized entry, the confidential information has already been leaked, so knowing that it happened didn't prevent a thing.

russellhltn
Community Administrator
Posts: 28500
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Tue Aug 26, 2008 12:57 pm

Alan_Brown wrote:Actually, any ward that is not following my workflow (or something very similar) is violating current Church policy, as well as reasonable security practices.


I can see it that way, but I don't see much of anything that guides the novice admin in that direction.

Others may interpret "User passwords should not be shared with others" as prohibiting users from sharing with one another, not from the Admin (who has access to the entire machines anyway) from assigning an initial password. Keep in mind that in the IT world, assigning initial passwords is a common practice.

There is always the possibility that the admin and new user will find it difficult to meet at the ward computer at the same time. It's more likely to happen in wards with large boundaries. One could argue that "Here's your login and password, please change it as soon as you log in" to be valid. However, there's nothing to force the new user to change their password.

My suggestion simply adds more tools to the toolbox. I don't see it in any way creating a bigger problem. If the MLS developers disagree, then they can redesign the screen and help file to make it clearer that the admin is to hand over the keyboard at that point.

I think we both agree that the case of the admin assigning the password and the user not changing it is a problem that probably should be addressed in some way.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.

User avatar
aebrown
Community Administrator
Posts: 15123
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Tue Aug 26, 2008 1:07 pm

RussellHltn wrote:My suggestion simply adds more tools to the toolbox. I don't see it in any way creating a bigger problem. If the MLS developers disagree, then they can redesign the screen and help file to make it clearer that the admin is to hand over the keyboard at that point.


I certainly agree that your suggestion improves security in units that have a practice of the administrator setting the password and telling it to the user. I still think that's not a good practice, but in cases where that's done, forcing a password change is a distinct improvement.

RussellHltn wrote:I think we both agree that the case of the admin assigning the password and the user not changing it is a problem that probably should be addressed in some way.


Absolutely!

lajackson
Community Moderators
Posts: 9451
Joined: Mon Mar 17, 2008 9:27 pm
Location: US

Postby lajackson » Tue Aug 26, 2008 4:58 pm

RussellHltn wrote:So MLS doesn't require the password to be changed when it's entered by the Admin? So it's possible that the Admin knows everyone's password?

I'd like to add a suggestion for MLS: add a "force password change on next login" check box like Windows does. Make it on by default when a new password is entered by the Admin.


Wow. I missed all the fun while I was at work today. [grin]

How would MLS know if the Admin changed the password, and not an Admin? I agree with the concept, but as an Admin, I would not want to have to change my password every time I changed it because I entered it as an Admin.

I like the idea of creating the login while the user is there and having him type in his password. If the user is not there, I have no problem creating a login and telling him to change his password when he logs in. As Admin, I cannot tell if he does or not (unless I try his old password, which I would not keep anyway).

And as an Admin, I cannot see anyone else's password. I can change them, or have them change them, but I cannot tell what they were. I think that is secure enough.

What actually surprises me is that no one has asked how I sprung a clerk two hours away into MLS so that he could change his password.

User avatar
aebrown
Community Administrator
Posts: 15123
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Wed Aug 27, 2008 3:19 pm

lajackson wrote:How would MLS know if the Admin changed the password, and not an Admin? I agree with the concept, but as an Admin, I would not want to have to change my password every time I changed it because I entered it as an Admin.


There is no concept of the Admin. So any reference to "the Admin" is really a reference to "any Admin."

But in any case, what is being discussed is a new feature for MLS whereby as a User is edited, there would be an optional checkbox labeled something like "User must change password at next login." You would not be required to check that box (and most certainly would not) when you change your own password.

lajackson wrote:I like the idea of creating the login while the user is there and having him type in his password. If the user is not there, I have no problem creating a login and telling him to change his password when he logs in. As Admin, I cannot tell if he does or not (unless I try his old password, which I would not keep anyway).


This is indeed how MLS works now. The proposed feature would give the Admin a way to make sure that the user would indeed change their password when they next logged in.

lajackson wrote:What actually surprises me is that no one has asked how I sprung a clerk two hours away into MLS so that he could change his password.


Your initial post really didn't tell us that you were two hours away, so we could easily assume you were going to meet the user at the computer. So now that we know that you weren't present, I'll take the bait: How did you get someone into MLS remotely when they had forgotten their password?

lajackson
Community Moderators
Posts: 9451
Joined: Mon Mar 17, 2008 9:27 pm
Location: US

Postby lajackson » Wed Aug 27, 2008 9:27 pm

Alan_Brown wrote:... what is being discussed is a new feature for MLS whereby as a User is edited, there would be an optional checkbox

Your initial post really didn't tell us that you were two hours away, so we could easily assume you were going to meet the user at the computer. So now that we know that you weren't present, I'll take the bait: How did you get someone into MLS remotely when they had forgotten their password?


I am losing my marbles. I missed the part about the checkbox. Makes sense now, except that I probably would never use it.

And no, I forgot to mention the distance to the branch. I have been dealing with the distances for so long that I forget the next building is 45 minutes away, the stake center is an hour away, and on up to 2 hours. Makes for an interesting operation when CHQ asks us to update 15 computers in a week.

This will no longer work, it seems, with MLS 2.9 but on all of our computers I have had my personal login as the STS equivalent, the stake clerk has had his personal login, and we have had a Stake login. The password for the Stake login is different for each unit, but the stake clerk and I know all of them.

On rare occasions, such as occurred this week, we will give a ward or branch clerk their Stake password so they can solve the problem. Then the stake clerk or I will visit the unit the next Sunday or so and change the password. This saves the unit from having to wait a week or two for one of us to get there.

With the advent of 2.9, it would appear that this aid will no longer be available. They will just have to wait, since neither the clerk no I will give out our own passwords.

billv-p40
New Member
Posts: 3
Joined: Mon Oct 08, 2007 6:42 am

Postby billv-p40 » Thu Aug 28, 2008 7:00 am

Doesn't the Ward Clerk have admin rights? You can still have a stake account and if you and the stake clerk are doing that much work on the ward machines, create an "out of unit member" on each ward's machine for your personal user.


Return to “MLS Support, Help, and Feedback”

Who is online

Users browsing this forum: No registered users and 1 guest