P/w based login?
September 16, 2009 9:56 PM Subscribe
I'm wondering if its possible to set my windows 7 log-in so that what account a person is logged into depends on what password is put in.
For example, if i have multiple accounts on my computer, I want to be able to specify which account i log into by what p/w is put in. Also, the system should also log-in someone as a guest when an incorrect (doesn't match any account) password is put in. It would also be nice if it could detect minor misspellings in an accurate p/w and reject those. For example, if the p/w was applejacks, and i accidentally type in applrjacks, i dont want my computer logging me in as a guest.
Is there any software that fits these criteria?
For example, if i have multiple accounts on my computer, I want to be able to specify which account i log into by what p/w is put in. Also, the system should also log-in someone as a guest when an incorrect (doesn't match any account) password is put in. It would also be nice if it could detect minor misspellings in an accurate p/w and reject those. For example, if the p/w was applejacks, and i accidentally type in applrjacks, i dont want my computer logging me in as a guest.
Is there any software that fits these criteria?
This can certainly NOT be done for many very very real security concerns.
I'm imagining this might be for a business or kiosk type implementation, but I'm not sure why you wouldn't just force the users to enter both the user name AND password, or allow them to elect to login as guest.
(If a user is able to memorize "their" password, they'd also know their user name, thus not compromising the available user names, which is what you appear to want.)
To do this specifically, open Start Menu and type Local Security Policy and hit enter.
Under Local Policies, go to Security Options.
Under Interactive Logon on the right, you'll see the pertinent options: "Do not display last user name", and if you don't want it displaying the user of a locked session: "Display user information when the session is locked".
posted by disillusioned at 11:15 PM on September 16, 2009
I'm imagining this might be for a business or kiosk type implementation, but I'm not sure why you wouldn't just force the users to enter both the user name AND password, or allow them to elect to login as guest.
(If a user is able to memorize "their" password, they'd also know their user name, thus not compromising the available user names, which is what you appear to want.)
To do this specifically, open Start Menu and type Local Security Policy and hit enter.
Under Local Policies, go to Security Options.
Under Interactive Logon on the right, you'll see the pertinent options: "Do not display last user name", and if you don't want it displaying the user of a locked session: "Display user information when the session is locked".
posted by disillusioned at 11:15 PM on September 16, 2009
I don't know that it would be impossible to program something like this. After all Novel changes the windows log on screen. You could avoid caching credentials by simply testing the password with all the different users and logging on with whatever one worked.
I doubt anyone would have done so, though, because what's the point? If you can memorize the password, you can also memorize a username.
Looking around, it looks like in windows XP, you just had to replace an EXE or edit a registry key to change the log on application, but I don't know if that's the case in windows 7 with all the added security.
posted by delmoi at 11:46 PM on September 16, 2009
I doubt anyone would have done so, though, because what's the point? If you can memorize the password, you can also memorize a username.
Looking around, it looks like in windows XP, you just had to replace an EXE or edit a registry key to change the log on application, but I don't know if that's the case in windows 7 with all the added security.
posted by delmoi at 11:46 PM on September 16, 2009
For example, if the p/w was applejacks, and i accidentally type in applrjacks, i dont want my computer logging me in as a guest.
This would make it much, much easier for an attacker to brute-force your password. Plus, implementing it would require your password to be stored in plaintext on your hard disk, which is woefully insecure.
posted by teraflop at 1:01 AM on September 17, 2009
This would make it much, much easier for an attacker to brute-force your password. Plus, implementing it would require your password to be stored in plaintext on your hard disk, which is woefully insecure.
posted by teraflop at 1:01 AM on September 17, 2009
The main reason why this is a bad idea is that identification (the thing that the username is for) and authentication (the thing that the password is for) are different things.
Identification is administrative. It's the system administrator's job to generate and assign each system user a unique identifier (username), and since usernames are only used to help the computer tell people apart, it does no harm if these are well known.
Authentication is personal. It's the user's job to generate, register and remember a password that proves to the system that they are who they claim to be, and since passwords are not used to help the computer tell people apart, nothing bad happens when two different people happen to pick the same password.
If you're going to design a system that does identification and authentication in one step, you need some way to ensure that whatever your users use to authenticate their identities can't possibly be accidentally duplicated by a different user. You can do this to some extent with biometrics (fingerprint readers are getting popular on laptop computers these days) or with digital certificates embedded in a physical access key (the chances of two digital certificates accidentally ending up identical are smaller than the chances that every computer in your organization will spontaneously combust at the same time).
posted by flabdablet at 1:04 AM on September 17, 2009
Identification is administrative. It's the system administrator's job to generate and assign each system user a unique identifier (username), and since usernames are only used to help the computer tell people apart, it does no harm if these are well known.
Authentication is personal. It's the user's job to generate, register and remember a password that proves to the system that they are who they claim to be, and since passwords are not used to help the computer tell people apart, nothing bad happens when two different people happen to pick the same password.
If you're going to design a system that does identification and authentication in one step, you need some way to ensure that whatever your users use to authenticate their identities can't possibly be accidentally duplicated by a different user. You can do this to some extent with biometrics (fingerprint readers are getting popular on laptop computers these days) or with digital certificates embedded in a physical access key (the chances of two digital certificates accidentally ending up identical are smaller than the chances that every computer in your organization will spontaneously combust at the same time).
posted by flabdablet at 1:04 AM on September 17, 2009
I've been racking my brain for a valid reason for doing this. Are you actually wanting something along the lines of a honeypot?
posted by Cat Pie Hurts at 5:39 AM on September 17, 2009
posted by Cat Pie Hurts at 5:39 AM on September 17, 2009
You could just get rid of all passwords entirely, and have people input their usernames only. That would be essentially the same thing.
You can make windows not display usernames in the login screen, it just displays a single entry box. I forget where you do this at the moment.
posted by Xoebe at 10:04 AM on September 17, 2009
You can make windows not display usernames in the login screen, it just displays a single entry box. I forget where you do this at the moment.
posted by Xoebe at 10:04 AM on September 17, 2009
Xoebe, that won't work because all anybody has to do is open a cmd window and type NET USERS to get a complete list of everybody's "passwords". The distinction between usernames (administratively assigned, assumed to be well known, unique) and passwords (user assigned, assumed to be secret, no uniqueness requirement) is built deep into Windows and every other modern operating system, and using one as a substitute for the other simply won't work.
posted by flabdablet at 5:10 PM on September 17, 2009
posted by flabdablet at 5:10 PM on September 17, 2009
This thread is closed to new comments.
If you haven't heard about the new guest mode feature you should read up on it. It makes basically bomb proof accounts and you could have that available on the welcome screen.
If you're worried about people taking multiple guesses on your account passwords you could setup policies that do not allow multiple guess, log the instances, etc...
posted by zephyr_words at 10:25 PM on September 16, 2009