Results 1 to 7 of 7
  1. #1
    Join Date
    Jul 2003
    Posts
    8

    Unanswered: change password at first logon

    Hi,


    As a security manner, we want new users to change password at first logon.
    We have a solution to force users which have "passwd expiration" > 0 changing their password at first logon. And this work fine.

    When users with "passwd expiration" = 0, we can not automatically force the users to change password at first logon.

    Many thanks for all suggestions or ideas ?

  2. #2
    Join Date
    Mar 2001
    Location
    Lexington, KY
    Posts
    606
    If I recall correctly expiration = 0 means it never expires?

    Can you change the people with expiration = 0 to be > 0?

    This can be done with:
    sp_modifylogin "all overrides", @option="passwd expiration", @value="something greater than 0"

    What is the soution to force the users with > 0?

    There is the option, in ASE 12.5, to use a login trigger.

    The login trigger fires *after* they have logged in, so you can't use it to immediately change them. It would be complex, but you could write a login trigger to set their expiration to be > 1 then set it back to 0 after they have changed it.
    Thanks,

    Matt

  3. #3
    Join Date
    Sep 2002
    Location
    Hong Kong
    Posts
    159
    An alternative to a login trigger is to set the pwdate older than the password expiration time.


    sp_configure 'allow updates', 1
    go
    update master..syslogins set pwdate = '19000101' where name = <login name>
    go
    sp_configure 'allow updates', 0
    go

  4. #4
    Join Date
    Jul 2003
    Posts
    8
    Hi,

    If users with "passwd expiration" > 0,
    we set the pwdate = "number of passwd expiration backward from today" when we create them first time.

    eg. If user with "passwd expiration"=60
    then
    pwdate=dateadd(day, -60, GETDATE())

    And the user will receive a message from Sybase warning the password has expired. But you still can log in. If you do not change password, the password will expired and the account will be locked next time.


    But if user has "passwd expiration" = 0, this method does not work correctly.

  5. #5
    Join Date
    Sep 2002
    Location
    Hong Kong
    Posts
    159
    Originally posted by new_dbid
    Hi,

    But if user has "passwd expiration" = 0, this method does not work correctly.
    MattR is correct when he remembers passwd_expiration = 0 disables the password expiration feature for the login (or role etc)

    What your seeing is ASE performing the following algorithm when a login connects...

    declare
    @passwd_expiration int,
    @pwdate datetime

    select
    @passwd_expiration = passwd_expiration,
    @pwdate = pwdate
    from syslogins
    where suid = suser_id()

    if @passwd_expiration > 0
    begin

    if abs(datediff(dy, getdate(), @pwdate)) > @passwd_expiration
    begin
    Print "Password expired etc..."
    end

    end

  6. #6
    Join Date
    Jul 2003
    Posts
    8
    Hi,

    This mean that we can create a login trigger and assign to the users and this is only possible in 12.5.

    Thank you for all your comments. I appreciate that very much.

  7. #7
    Join Date
    Mar 2012
    Posts
    2

    Change password o first logon

    Hi,

    Can anybody tell how to force user to change the password on first logon?
    We are having option in 15.0.2 that ( sp_password policy "set".....), but how to do this in 12.5??
    How to deal with the option of login trigger? if it is working?
    Thanks for help..

    Regards
    Last edited by Rav02; 03-21-12 at 16:26.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •