Final Report for Project 215 - Web Based Student Password Portal

Inception

The genesis of this project can be found in an enquiry from ISS at the end of July 2011 as to whether something could be done to streamline the process of creating and distributing the passwords of newly arrived students at the start of the academic year. In previous years, the passwords had been created manually, printed out and then handed to the student when they visited the ISS office. This resulted in large queues forming outside the ISS office at the start of term and frustration for some students as delays in the creation of their accounts could result in the student being sent away empty handed after a considerable wait.

Simon Wilkinson suggested that the introduction of the new Prometheus infrastructure for managing accounts meant that it would be fairly simple to set up a web based interface which would allow students to authenticate using their EASE password (which they receive early in the matriculation process) and set their initial DICE password. Assuming that the entered password passed suitability and security checks, the interface would then communicate with a backend server via remctl to set the password. Though straightforward, the project would require recent knowledge of writing Cosign authenticated CGIs and the internal workings of Prometheus, and since I possessed both, I was requested to begin work on the project. Given the very tight timescales (the project had to be completed by the beginning of the new academic year in the middle of September), the normal steps of creating a project proposal and then bringing it to the development meeting for ratification were carried out retrospectively and work began on the project immediately.

Development

As it turned out, developing the password portal was very nearly as simple and problem-free as had been predicted, thanks in no small part to the detailed instructions on the IS web site on how to set up an EASE authenticated site and the efforts of Toby Blake in setting up the backend server and the remctl channel. Some last-minute enhancements were added (for instance, a new Prometheus conduit was created to mail the user when their account was created, asking them to log into the portal and set their password) and the project was completed within the required timeframe and was used successfully for student password allocation for the new academic year. The portal was subsequently modified to allow all users, not just students, to create their initial passwords.

A New Purpose

In October 2011, it was discovered that the School's SSH servers had been compromised for some time and that there was a very strong possibility that many users' DICE passwords were no longer secure. It was decided that the only sensible course was to require all DICE users to change their passwords. After a two-week grace period during which users would be able to log in using their current DICE passwords and change them, all accounts whose password had not changed during this period would be disabled, and disabled users would be required to reactivate their account via some means. Given the difficulty of confirming a user's identity when communicating via email or the telephone, it was decided that the password portal should be repurposed to allow users to reactivate their accounts. Given the strong possibility that, against all recommendations, some users might have set their DICE and EASE passwords to the same thing, it was agreed that EASE authentication alone would not be sufficient in this instance and some other means of proving identity would be required. The proof finally agreed on was the last five digits of their ID card number (for students) or their staff ID (for staff). The password portal was rewritten to accept and check this additional authentication via a conduit to the School database. This work was completed within the two-week grace period.

Future developments

The account reactivation portal will hopefully not be needed again but the student password portal should continue to prove useful in years to come. This portal could easily be modified to provide a generalised means for users to change their passwords and for users who have forgotten their DICE password but recall their EASE one to generate a new DICE password.

Time Taken

Because of the ad-hoc way in which the project was started, the effort spent at the beginning of the project was rolled into the general Services Unit mini-project bucket. The total time formally allocated to project 215 is 1.6 FTE weeks, but FTE effort for unit project work in T2 2011 was 3.5 weeks and I would estimate that at least 2.5 weeks of that was spent working on the portal. A reasonable estimate for the total effort is therefore 4.1 FTE weeks.

-- CraigStrachan - 08 May 2012


Topic revision: r3 - 01 Nov 2012 - 14:41:14 - CraigStrachan
 