Wednesday, August 24, 2005

Multiple (Temporary) Passwords Per User ID

To the Microsoft Security Team: Here's a freebie for you.

Why not allow multiple passwords to be assigned to a single user ID?

Now, I know what you're going to say: that just makes it easier to hack a password. Maybe so, but only to the same degree that playing two numbers in the lottery makes you more likely to win.

But how many times have you needed to give someone a username and password to log into a system without intending for them to keep using those credentials forever? I'm talking about throw-away passwords that would be time-limited.

Here's how it would work: Consultant A needs to access your SharePoint machine as a user with administrative rights. You really don't want to do more work than you need to, so you add a temporary password to the SharePoint administrator's account that expires in 8 hours. This lets Consultant A do the work for that day without you ever revealing the actual password. Tomorrow you can still log in with the regular password, but Consultant A can no longer log in with the temporary one.
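
A minimal sketch of the scheme described above, added here as an example; it is not code from the original post or from any Microsoft product. The names `Account`, `add_temporary` and `verify`, the PBKDF2 parameters, and the choice to generate the temporary password randomly are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this sketch)

@dataclass
class Credential:
    salt: bytes
    digest: bytes
    expires_at: Optional[float]  # None = the regular, non-expiring password
    label: str                   # who the password was issued to

class Account:
    """One user ID holding a regular password plus time-limited extras."""

    def __init__(self, name: str, password: str):
        self.name = name
        self.credentials = [self._make(password, None, "regular")]

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def _make(self, password, expires_at, label) -> Credential:
        salt = os.urandom(16)  # separate salt for every stored password
        return Credential(salt, self._derive(password, salt), expires_at, label)

    def add_temporary(self, label: str, ttl_seconds: float, now=None) -> str:
        """Issue a random throw-away password; it is returned only once."""
        now = time.time() if now is None else now
        password = secrets.token_urlsafe(16)
        self.credentials.append(self._make(password, now + ttl_seconds, label))
        return password

    def verify(self, password: str, now=None) -> Optional[str]:
        """Return the label of the live credential that matched, else None."""
        now = time.time() if now is None else now
        # Purge expired temporary passwords before comparing anything.
        self.credentials = [c for c in self.credentials
                            if c.expires_at is None or c.expires_at > now]
        matched = None
        for c in self.credentials:  # compare against every entry, no early exit
            if hmac.compare_digest(self._derive(password, c.salt), c.digest):
                matched = c.label
        return matched
```

Because `verify` returns the label of the credential that matched, a login log can record whether the regular password or Consultant A's temporary one was used.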