First time programming for work... Man in the middle student password changes. Yep, that's right, I'm being asked to write a program that will change students' passwords on their Google accounts and local domain while also keeping a decryptable format password in a database. Granted, it's much better than not letting students change their passwords at all. Plus we're doing it because it will let us fix their issues while they're out of school so...

Comments
  • 1
    I don't get it, Google has management consoles iirc to have user accounts generated automatically and managed too, are you actually MITMing user/student passwords and saving them clear text? That's pretty much illegal then.
  • 1
    @JoshBent they'll be encrypted with AES encryption, yes they have the management console but we can't get a clear text password from it and there's no way to inform the students that we changed their passwords. So our next best option is what I'm building.
  • 1
    @JoshBent our current setup is to have their passwords set to their student ID numbers, which we have in clear text anyways, and make it so they can't change their passwords. Which is starting to cause issues because students are not careful about where they store their student ID info.
  • 1
    @JoshBent Not to mention we aren't breaking Google's stuff, we're building our own password change site that they will put the new password into that will then store their password and then update the password via Google APIs.
  • 1
    @gitlab the password change is happening on your side though, so there's no way to contact the student and tell what it was changed to? afaik password change notifications are automatically pushed to the owner and manager of said account anyway?

    To be honest I don't get this whole situation at all;

    - why change their passwords, instead of enforcing password policies for example?
    - why is the password the same as the domain password or why/what way are they connected?

    Might be missing something, since it's really late, but I don't see the reason for doing a mitm on the passwords (the user passwords or the ones it gets automatically changed to?) and it sounds rather odd.

    Edit: posted this before you added 2 other comments, will read, maybe you answered it already.
  • 2
    @JoshBent so currently their passwords are set by us to a known value that cannot be changed. If we let them change their passwords we cannot notify them that their password changed or the new value because we don't keep track of students or notify them (they don't have emails either). This is more of a convenience thing for us. Plus it allows us to keep our current Automation Scripts with just a couple changes.
  • 1
    @gitlab ah I see, so I did just get it wrong from just your rant - I really hope you're not just going to set a global key for all the encrypted data, I saw that shit being applied for years in some schools. 😔
  • 2
    @JoshBent haha no no, of course not, I'm not stupid enough to do that.