Where the ServiceNow password generator can make life easier


Providing passwords to existing or new users can be time-consuming. If you need to provide a new password to one user, you have to manually update the user record with a new password and add this password to a separate email which will be sent to the end-user. When you have to update multiple users with new passwords, this takes even more time.

By reusing the password generator, time can be saved by automating some of the actions mentioned above.

Password generator

The password generator is part of the “Self Service Password Reset” plugin and can be used by the end-user to request a password reset that is automatically handled by the system. When the user makes this request, the generator creates a password based on an algorithm, after which it is sent to the end-user by email.

There can be numerous ways to trigger this password generator. In this blog I will focus on one of them.

On the user record (sys_user table) the field “Password needs reset:” can be used as a trigger to generate a new password and to send out an email to the user with this new password. When this field is used as a trigger, the user is also required to change the generated password to a new one when he or she logs in with it.

New implementations and user maintenance

When a new implementation is planned that will be used by a large number of new users, you can use the password generator to lower the amount of work for the support team. By mass-updating the field “Password needs reset:” on the new user records, emails with the new passwords are automatically sent by the system. This replaces the manual updating of the password field on all user records and also the sending of the emails with the credentials to all new users.

Some customers do not allow the use of “Forgot your login credentials?” because of misuse and related security issues.
This means that existing end-users have to contact the support desk to reset a password. To lower the amount of work that comes with these requests, the support team can use the password generator. For each request they can use the “Password needs reset:” field in combination with the provided script, so that they do not have to manually update the password field on the user record with a new password. The support team member also no longer has to create a separate email with the new credentials.

Passwords and compliance

From a compliance perspective, passwords are not that exciting to audit. Most tools offer password rules that can be enforced to require a specific set of characters, and these rules can be checked easily. In ServiceNow you can enable this by activating the ValidatePassword and ValidatePasswordStronger scripts.
These are inactive by default and can be found under System Definitions > Installation Exits.

More interesting is the process around providing these passwords. Often users are provided with a default password that an Application Administrator creates for them. This is something like WELKOM123, WELKOM with the date behind it, or another simple password. These passwords are very risky because they are highly guessable. Also, the Application Administrator knows the password that he has provided to the end user. If he wanted to, he could harm the organization by logging in with the user’s credentials and executing unauthorized actions under the name of the user.

By using the password generator to provide passwords to new and existing users, the above situation will no longer occur. An auditor will also be very pleased with this approach to the provisioning of passwords.

Script

The business rule script that can be used to trigger the password generator from the “Password needs reset:” field is the following:

Condition:

current.password_needs_reset.changes(true)

Script:

[cc lang="javascript"]
// Script include that drives the password generator.
var pnr = new PasswordResetAJAX();
var currentuser = current.user_name;
var useremail = current.email;

// Generate a new password for this user and email it to the address on the record.
pnr._resetPassword(currentuser, useremail);
[/cc]
If needed, the default password reset notification that is sent by the password generator can be adjusted so that it also reflects password creations that have not been triggered by the end user with “Forgot your login credentials?”. This can be done under System Policy > Notifications.
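
The mass update described under “New implementations and user maintenance”, as an added example (not part of the original post and not ServiceNow's own code): a background script that sets “Password needs reset:” in a controlled batch so that the business rule above fires once per user. The function name `flagUsersForReset`, its `dryRun` and `limit` options, and the `company.name=Example Corp` filter are assumptions made for this example.

```javascript
// Added example: flag a batch of sys_user records for a generated password.
// GlideRecordCtor is passed in so the function can be exercised outside an
// instance; on an instance, pass the platform's GlideRecord.
function flagUsersForReset(GlideRecordCtor, encodedQuery, options) {
    options = options || {};
    var dryRun = options.dryRun !== false;  // default: report only, change nothing
    var limit = options.limit || 200;       // assumed batch cap, tune to mail capacity
    var result = { flagged: [], skippedNoEmail: [], dryRun: dryRun };

    var gr = new GlideRecordCtor('sys_user');
    gr.addEncodedQuery(encodedQuery);
    gr.addQuery('active', true);                 // no credentials for disabled accounts
    gr.addQuery('password_needs_reset', false);  // skip users that are already flagged
    gr.query();

    while (result.flagged.length < limit && gr.next()) {
        var userName = gr.getValue('user_name');
        if (!gr.getValue('email')) {
            // A password would be generated but could never be delivered.
            result.skippedNoEmail.push(userName);
            continue;
        }
        if (!dryRun) {
            gr.setValue('password_needs_reset', true);
            gr.update();  // update() runs business rules, so the reset fires per record
        }
        result.flagged.push(userName);
    }
    return result;
}

// On an instance (Scripts - Background): review the dry run before the real run.
// The filter below is a constructed sample value.
if (typeof GlideRecord !== 'undefined') {
    var report = flagUsersForReset(GlideRecord, 'company.name=Example Corp', { dryRun: true });
    gs.print('Would flag: ' + report.flagged.join(', '));
    gs.print('No email, skipped: ' + report.skippedNoEmail.join(', '));
}
```

Users listed under `skippedNoEmail` still need an email address on their record before they are flagged, otherwise the generated password never reaches them.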

If you have any questions you can contact me on olivier.cramer@2e2.nl
