Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
en:onboarding [2025/02/16 10:32] – [Password requirements: length] Webmaster VitaNetworksen:onboarding [2025/10/29 20:24] (current) – [Setting a new password / Unlocking your account] Webmaster VitaNetworks
Line 15: Line 15:
 ===== Password requirements: length ===== ===== Password requirements: length =====
  
-//How long?// It's best you don't know for sure, at least for the time being. It's recommended to choose a passphrase rather than a password i.e. a sentence. It will be long enough and easier to type. Though your password can include spaces, it's best you avoid them because the support for spaces in passwords varies across apps.+//How long?// It's best you don't know for sure, at least for the time being. It's recommended to choose a passphrase rather than a password i.e. a sentence. It will be long enough and easier to type. Although the directory service accepts spaces in passwords, it's best to avoid them as application support varies from one app to the next.
  
-//Across apps?// What do you mean?+//One app to the next? What do you mean?//
  
 ===== The Directory Service ===== ===== The Directory Service =====
Line 23: Line 23:
 The account we're talking about is commonly known as a domain account, or a directory [service] account. A directory service is a form of database but tuned specifically to store user credentials. Various services (or "apps") use the directory to get the user base that will be allowed to access the service. Directory accounts let you share data between apps and use a single username across all services/apps The account we're talking about is commonly known as a domain account, or a directory [service] account. A directory service is a form of database but tuned specifically to store user credentials. Various services (or "apps") use the directory to get the user base that will be allowed to access the service. Directory accounts let you share data between apps and use a single username across all services/apps
  
 +They're not just a name or address, they are long random identifiers that are rarely ever seen, even by administrators. Because of this, it's not possible to recover the data of a certain username by simply recreating it. In addition to that, accounts store cryptographic keys that are impossible to reproduce, and each app can further associate random data of the account to create their own unique identifier.
 ===== Setting a new password / Unlocking your account ===== ===== Setting a new password / Unlocking your account =====
  
 As mentioned, you're account is locked while it has temporary credentials so you will not be allowed to continue until you set permanent credentials. Most apps and services will inform you about this or fail silently but a few highly secure apps that are allowed to write to the directory will offer you the chance to change your password in the spot. We'll go briefly over a few of them; please note that there are many others not listed here. Whatever works for you is fine. As mentioned, you're account is locked while it has temporary credentials so you will not be allowed to continue until you set permanent credentials. Most apps and services will inform you about this or fail silently but a few highly secure apps that are allowed to write to the directory will offer you the chance to change your password in the spot. We'll go briefly over a few of them; please note that there are many others not listed here. Whatever works for you is fine.
 +
 +==== About passwords' storage ====
 +
 +Let's review quickly what it a hash because it's needed: simply put is a very complex mathematical operation that's considered a one-way operation: it's irreversible. Other characteristics of them are that they always result in the same length, regardless of input and it only takes one character it doesn't matter if it's near the beginning, middle or end of it to output a completely different string.
 +
 +As it's best practice and the default in Active Directory, passwords are never stored in the directory, what is stored is the hash of the chosen password, this is created through the means used to set it. When authenticating this is done again thus another hash is created which is much easier to process. If it matches the directory's, the user is granted access.
 +
 +It's impossible to obtain a forgotten or lost password, it's only possible to change it. The directory does keep a history of hashes, but it doesn't always enforce not to reuse them of if it does, how far it should go.
 +
  
 ==== Antipostal.com Webmail ==== ==== Antipostal.com Webmail ====
Line 37: Line 47:
 ADFS has a simple password update app perfect for accounts that had their password reset. ADFS has a simple password update app perfect for accounts that had their password reset.
  
-==== Your own system ====+==== Your own desktop ====
  
 This only applies for users logged in on computers joined to the Active Directory domain, for which they need to be connected from which they can "physically" reach the "Active Directory servers" (i.e. Domain Controllers) or that can reach the Domain Controllers through a tunnel. This only applies for users logged in on computers joined to the Active Directory domain, for which they need to be connected from which they can "physically" reach the "Active Directory servers" (i.e. Domain Controllers) or that can reach the Domain Controllers through a tunnel.
  
 +Integration compatibility\\ 
 +Windows ((An SKU with the capability of participating in Active Directory domains is needed, typically these are Serve editions or those with monikers such as: "Professional", "Pro", "Enterprise", "Industry Enterprise", "Industry Pro", etc.))\\ 
 +Windows 8.1 or newer\\ 
 +Windows Embedded 8.1 or newer\\ 
 +Windows Server 2012 R2 or newer\\ 
 +
 +macOS\\ 
 +macOS is compatible since Snow Leopard (Mac OS X 10.6 "Snow Leopard") up to current macOS.\\ 
 +macOS stopped being supported on 10.15 due to its closed, locked down nature. However, up to 10.14 support for it is still offered.\\ 
 +
 +Linux\\ 
 +While not supported due to its capability of endless configurations, some readily available distributions support Active Directory out of the box and integrate transparently with the system. Changing one's password from Linux is no possible though but you might get different results. The tested (and recommended) are:\\ 
 +Red Hat Enterprise Linux 8 or later\\ 
 +Debian 11 or later\\ 
 +[[https://zorin.com/os/pro/purchase/|Zorin OS]]\\ 
 +Fedora 30-ish.
 === If you're not logged in === === If you're not logged in ===
  
-Log in using your temporary credentials. Your systems automatically will ask you to set new credentials.+Log in using your temporary credentials. Your system automatically will ask you to set new credentials.
  
 === If already logged in === === If already logged in ===