Verifying user passwords during authentication

You can enable password verification so that a Notes® user can authenticate with a server only after providing the correct password that is associated with the user ID.

If an unauthorized user obtains an ID and learns the ID's password, the owner of the ID can use password verification to change the password and prevent the unauthorized user from continuing to use the ID to authenticate with servers. The next time the unauthorized user tries to use the ID with the old password to access a server, the server verifies the password, determines that the password entered does not match the new password, and denies the unauthorized user access to the server. Without password verification, an unauthorized user could use an ID and password even after the user changed the password on the ID, since, by default, the password is used only to decrypt the ID file and is not verified against the password stored in the Domino® Directory. If you set up password verification, require users to change the passwords on their IDs on a regular basis. As the time for the required password change approaches (after two-thirds of the current change interval has passed, but at a minimum of two days remaining), a prompt appears to remind the user to change the password. When users change the password, the current ID and Person document are updated with the new password.

If a user has multiple ID files, the user change the password in each of them to match the new password. You cannot use password verification on ID files that contain multiple passwords.

Each time a user changes a password, the user must specify a unique password. Notes® keeps a record of up to 50 passwords that have been previously used. If you enable password history checking (through the use of a security settings document), you can configure the number of new passwords that must be used before a given password can be reused.

An expired password doesn't prevent a user from reading encrypted mail or creating new signed documents on local replicas; however, without specifying a new password, users cannot access databases on servers.

Note that password verification during authentication will not work for Internet users because they do not have Notes® user IDs (unless their Notes® and Internet passwords have been synchronized). If Notes® and Internet passwords are synchronized, then any changes to Notes® password settings may affect Internet passwords.

CAUTION: Do not enable password expiration for users whose ID files are locked with Smartcards. Otherwise, it is possible that a user's ID could be locked out until the password digest can be cleared.

The Administration Process and password verification

Password verification requires the Administration Process to update documents in the Domino® Directory. When you enable password verification for a user, the Administration Process creates a Set Password Information request in the Administration Requests database. Domino® carries out this request according to the setting in the Interval field in the Administration Process section of the Server document. This request enables password-checking by entering values in the Check password, Required change interval, and Grace period fields in the Administration section of the user's Person document.

The first time the user logs onto a server that requires password verification, the Administration Process generates a Change User Password in Domino Directory request in the Administration Requests database. This request enters a corresponding hash of an RSA public key, which is derived from the hash of the Notes® password and some other secret information stored in the ID file, in the Password digest field in the Administration section of the Person document. It also records the date the user provided the password in the Last change date field in the Administration section of the Person document. To authenticate with servers that are enabled for password verification, the user must provide the password that corresponds to the digest.

From then on, when a user changes a password, the Administration Process generates a new Change User Password in Domino Directory request in the Administration Requests database. This request updates the Password digest and Last change date fields in the Person document. Note that if you modify the change interval or grace period after you enable password verification, the Administration Process must update the fields in the Person document and then user must change the password for the change to take effect.

Required change intervals and grace periods

You can set up a server to verify users' passwords during authentication without requiring them to change their passwords. If you require password changes, you can specify a grace period that indicates the length of time after the change interval expires before users are locked out of the server. If a required change interval expires before the user changes the password, the user cannot authenticate with servers that require password verification until the user creates a new password. If a grace period expires and the user still hasn't changed the password, the user can't authenticate until the administrator manually deletes the data in the Password digest field in the Person document and the user creates a new password. If an unauthorized user changes the password on an ID before the authorized owner of the ID does, the authorized owner cannot authenticate and sees this message:

You have a different password on another copy of your ID file and you must change the password on this copy to match.

In this case, delete the entry in the Password digest field, and ask the authorized user to log on immediately and enter a new password.

CAUTION: For users whose ID files are locked with Smartcards, set the required change interval and grace period to 0. Otherwise, it is possible that a user's ID could be locked out.