Web Hosting Talk







Auto Password Rotate


pitchford
10-24-2001, 09:34 PM
Is there a script (or can someone create one) that will rotate passwords for a particular user every two - three weeks? This would be an easy perl script to dump into CRON.

Maybe use a text file containing the passwords, contained in the script, or a mySQL database? That way the root/admin passwords are updated even if I don't have time to do it...

Thanks!

CWDSolutions
10-25-2001, 11:23 PM
Do you want this script to automatically CREATE the password as well?

And what is it you exactly want to change? Member Password, mySQL Password, Control Panel Password, FTP Password, etc...


Regards,
Ray

pitchford
10-26-2001, 09:07 AM
I want to have a file (either text based or database) that will automatically update passwords for any users I select. Maybe have a CRON job called username.pl or something. Username would be the actual username of the user.

For example, if I want to change the admin password every month then I would name the file admin.* and code in admin in the script so it knows which user to change password for. Then I would have a list of updated passwords that I can use every time the list changes.

I'm just trying to find a way to be lazy.... :D It wouldn't be hard to telnet into and change the passwords, but I like new features.

Thanks!

NetDotHost
10-26-2001, 01:54 PM
Wouldn't this create some security holes?

The Prohacker
10-26-2001, 04:28 PM
Yes it does...


I would suggest having the script make a random pass, and use sendmail to send the password to the user via email...

CWDSolutions
10-26-2001, 05:42 PM
Yes there are security holes.

But even generating a password then mailing it via email has security
holes. If the email is not encrypted there is still a security hole there.

This is why it is a NO NO to send Credit Card Details VIA email.

The way to secure it would be to set the file off the document root, and
pull it in from that directory. If it is off the document root then it
will be harder for someone to get it.
If they get it, it doesn't matter at that point 'cause they are already
in anyways and there are deeper issues to worry about then.

There are ways to make this secure.

You could make it this way:
Script generates a password, updates as needed. Emails the user
a secured link to retrieve their new password. Over the secured
https connection you in turn show the user their generated password.

But now you would think this can just be done by anyone that knows the URL and username.

However if you make it where they need to enter their old password
to view the new one you can secure it better. Also after the new password
has been viewed delete the temp file that holds the new password.

If they forget it they need to contact the server or site admin to get a new one.

There are ways to do it securely, but if you can do it by telnet you might
as well just do it that way.

Regards,
Ray
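
The retrieval flow described in the post above (new password kept in a temporary file off the document root, shown only after the old password is entered, file deleted once viewed), as an added example that is not part of the original thread. The function names and file layout are assumptions; it assumes an HTTPS handler calls `retrieve_once` and that `check_old` is the site's own old-password verifier.

```python
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
TOKEN_CHARS = set(ALPHABET + "-_")  # characters produced by token_urlsafe()

def generate_password(length=20):
    """Random password from the OS CSPRNG, not from a fixed list."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def stage_password(store_dir, username, new_password):
    """Hold the new password in a 0600 file in store_dir (a directory
    outside the web document root) and return the token for the link."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(store_dir, token)
    # O_EXCL: never overwrite or follow a pre-existing file at this path.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{username}\n{new_password}\n")
    return token

def retrieve_once(store_dir, token, username, old_password, check_old):
    """Return the new password exactly once, or None on any failure."""
    # Reject anything that is not a plain token, so a crafted value
    # cannot name a file outside store_dir.
    if not token or not set(token) <= TOKEN_CHARS:
        return None
    path = os.path.join(store_dir, token)
    try:
        with open(path) as fh:
            owner, new_password = fh.read().splitlines()[:2]
    except (OSError, ValueError):
        return None
    if not hmac.compare_digest(owner.encode(), username.encode()):
        return None
    # Knowing the URL and username is not enough: old password required.
    if not check_old(username, old_password):
        return None
    try:
        os.remove(path)  # delete after viewing; only one caller can win
    except FileNotFoundError:
        return None
    return new_password
```

A failed attempt leaves the file in place, so the handler in front of this should limit retries per token.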

The Prohacker
10-26-2001, 05:54 PM
"but if you can do it by telnet you might as well just do it that way."


I hope you don't mean use your method via telnet, that's just as insane as sending a pw through email... Although email is random so usually harder to sniff, telnet on the other hand.....

CWDSolutions
10-26-2001, 05:57 PM
"I hope you don't mean use your method via telnet"

Nope was commenting on what pitchford said in his second post.

Pitchford said:
"It wouldn't be hard to telnet into and change the passwords, but I like new features."

And I wouldn't do it using telnet; if he has access using SSH it should
be changed that way instead.

Regards,
Ray

The Prohacker
10-26-2001, 06:05 PM
Ok cool.....



*Thinks of using telnet again*..... *Shudders*

pitchford
10-27-2001, 06:44 PM
Okay, so what would be the best method of doing this? Changing the password, that is? I can always set up SSL on my server and change the password via httpd. Would this be safer?