
Final Report for Project 215 - Web Based Student Password Portal


The genesis of this project can be found in an enquiry from ISS at the end of July 2011 as to whether something could be done to streamline the process of creating and distributing the passwords of newly arrived students at the start of the academic year. In previous years, the passwords had been created manually, printed out and were then handed to the student when they visited the ISS office. This resulted in large queues forming outside the ISS office at the start of term and frustration for some students as delays in the creation of their accounts could result in the student being sent away empty handed after a considerable wait.

It was suggested by Simon Wilkinson that the introduction of the new Prometheus infrastructure for managing accounts meant that it would be fairly simple to set up a web-based interface which students would authenticate to using their EASE password (which they receive early in the matriculation process) and which would allow them to enter their initial DICE password. Assuming that the entered password passed suitability and security checks, the interface would then communicate with a backend server via remctl to actually set the password. Though straightforward, the project would require recent knowledge of writing Cosign-authenticated CGIs and the internal workings of Prometheus, and since I possessed both, I was requested to begin work on the project. Given the very tight timescales (the project had to be completed by the beginning of the new academic year in the middle of September), the normal steps of creating a project proposal and then bringing it to the development meeting for ratification were carried out retrospectively and work began on the project immediately.


Developing the password portal turned out to be very nearly as simple and problem-free as had been predicted, thanks in no small part to the detailed instructions on the IS web site on how to set up an EASE-authenticated site and the efforts of Toby Blake in setting up the backend server and the remctl channel. Some last-minute enhancements were added (for instance, a new Prometheus conduit was created to mail the user when their account was created, asking them to log into the portal and set their password) and the project was completed within the required timeframe and was used successfully for student password allocation for the new academic year. The portal was subsequently modified to allow all users, not just students, to create their initial passwords.

A New Purpose

In October 2011, it was discovered that the School's SSH servers had been compromised for some time and that there was a very strong possibility that many users' DICE passwords were no longer secure. It was decided that the only sensible course was to require all DICE users to change their passwords. After a two-week grace period during which users would be able to log in using their current DICE passwords and change them, all accounts whose password had not changed during this period would be disabled, and disabled users would be required to reactivate their account via some means. Given the difficulty of confirming a user's identity when communicating via email or the telephone, it was decided that the password portal should be repurposed to allow users to reactivate their accounts. Given the strong possibility that, against all recommendations, some users might have set their DICE and EASE passwords to the same thing, it was agreed that EASE authentication alone would not be sufficient in this instance and some other means of proving identity would be required. The proof finally agreed on was the last five digits of their ID card number (for students) or their staff ID (for staff). The password portal was rewritten to accept and check this additional authentication via a conduit to the School database. This work was completed within the two-week grace period.

Future developments

The account reactivation portal will hopefully not be needed again, but the student password portal should continue to prove useful in years to come. This portal could easily be modified to provide a generalised means for users to change their passwords and for users who have forgotten their DICE password but recall their EASE one to generate a new DICE password. One task which should certainly be carried out is to bring the password quality checking of the student portal into line with that of the account reactivation portal (the latter uses the cracklib library to check the quality of the new password before it passes it on to the backend server; the former relies on the backend server to do the checking). This should be no more than a day's work and will be added to the Services Unit's list of tasks to accomplish.
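The reactivation flow described under "A New Purpose" and the portal-side quality check mentioned above can be sketched as follows. This is an added example, not the portal's own code: the function names, the sample ID record, the attempt limit and the simplified quality rules (a stand-in for cracklib) are all assumptions, and the backend call is passed in as a function where the real portal used remctl.

```python
import hmac

MAX_ATTEMPTS = 5   # assumed lockout threshold; the report does not state one
MIN_LENGTH = 10    # assumed; a real deployment would call cracklib instead

# Constructed sample data standing in for the School database conduit.
ID_NUMBERS = {"s1234567": "0004567812345"}
_failed = {}       # username -> number of failed identity proofs

def id_proof_ok(user, digits):
    """Compare the submitted last five digits with the record in constant time."""
    record = ID_NUMBERS.get(user)
    if record is None or len(digits) != 5 or not digits.isdigit():
        return False
    return hmac.compare_digest(record[-5:], digits)

def password_ok(user, password):
    """Simplified portal-side quality check (stand-in for cracklib)."""
    if len(password) < MIN_LENGTH or user.lower() in password.lower():
        return False
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    return sum(classes) >= 3

def reactivate(remote_user, digits, new_password, set_password):
    """remote_user is the identity already authenticated by the web SSO layer;
    set_password is the call to the backend server (remctl in the report)."""
    if not remote_user:
        return "not-authenticated"
    # Five digits give only 100,000 possibilities, so cap the guesses.
    if _failed.get(remote_user, 0) >= MAX_ATTEMPTS:
        return "locked"
    if not id_proof_ok(remote_user, digits):
        _failed[remote_user] = _failed.get(remote_user, 0) + 1
        return "bad-proof"
    if not password_ok(remote_user, new_password):
        return "weak-password"      # rejected before it reaches the backend
    set_password(remote_user, new_password)
    _failed.pop(remote_user, None)
    return "ok"
```
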

Time Taken

Because of the ad-hoc way in which the project was started, the effort spent at the beginning of the project was rolled into the general Services Unit mini-project bucket. The total time formally allocated to project 215 is 1.6 FTE weeks, but FTE effort for unit project work in T2 2011 was 3.5 weeks and I would estimate that at least 2.5 weeks of that was spent working on the portal. A reasonable estimate for the total effort is therefore 4.1 FTE weeks.

-- CraigStrachan - 08 May 2012

Topic revision: r1 - 08 May 2012 - 14:41:45 - CraigStrachan