Automate password resets with PWM

PWM puts responsibility for password resets in users' hands, freeing IT for more pressing tasks.

freeGraphicToday, via Pixabay. CC0.

One of the things that can be "death by a thousand cuts" for any IT team's sanity and patience is constantly being asked to reset passwords.

The best way we've found to handle this is to ditch your hashing algorithms and store your passwords in plaintext so that your users can retrieve them at any time.

Ha! I am, of course, kidding. That's a terrible idea.

When your users forget their passwords, you'll still need to reset them. But is there a way to break free from the monotonous, repetitive task of doing it manually?

PWM puts password resets in users' hands

PWM is an open source (GPLv2) JavaServer Pages application that provides a webpage where users can submit their own password resets. If certain conditions are met—which you can configure—PWM sends the password change to whichever LDAP directory service you've connected it to.

PWM password reset screen

One thing that's great about PWM is it's very easy to add it to an existing network. If you're largely happy with what you've already built—just sick of processing password requests manually—you can just throw PWM into the mix.

PWM works with any implementation of LDAP and is written to run on Apache Tomcat. Once you have it up and running, you can administer it through a browser-based dashboard.

Why PWM is better than Microsoft SSPR

As much as our team prefers open source, we still have to deal with Windows networks. Of course, Microsoft has its own password-reset tool, called Self Service Password Reset (SSPR). But I prefer PWM, and not just because of a general preference for open source. I believe PWM is better for my use case for the following reasons:

  • SSPR has a very complex licensing system. You need different products depending on what servers you're running and whose metal they're running on. This is a constraint on your flexibility and a whole extra pain in the neck when it's time to move to new architecture. For the busy admin who wants to go home on time, it's extra bureaucracy to get the purchase approved. PWM just works on what it's configured to work on at no cost.

  • PWM is not just for Windows. It works with any kind of LDAP server. So, it's one less part you need to worry about if you ever stop using Windows for a certain role. It also means that, once you've gotten the hang of it, you have something in your bag of tricks that you can use in many different environments.

  • PWM is easy to install. If you know how to install Linux as a virtual machine—and, let's face it, if you're running a network, you probably do—then you're already most of the way there.

PWM can run on Windows, but we prefer to include it in a Windows network by running it on a Linux virtual machine, for example, Ubuntu Server 16.04.

Risks and rewards of automation

Password resets are an attack vector: whoever can pass the reset check owns the account. So be thoughtful about where and how you use PWM. If the check is a link or code sent by email, automating your password resets can mean an attacker is potentially just one unencrypted email connection (or one compromised mailbox) away from resetting a password.

To some extent, automating your password resets trades a bit of security for some convenience. So maybe this isn't the right way to handle C-suite user accounts that approve large payments.

On the other hand, manual resets are not 100% secure either—they can be gamed with targeted attacks like spear phishing and social engineering. It's much easier to fall for these scams if your team gets frequent reset requests and is sick of dealing with them. You may benefit from automating the bulk of lower-risk requests so you can focus on protecting the higher-risk accounts manually; this is possible given the time you can save using PWM.

Some of the risks associated with shifting resets to users can be mitigated with PWM's built-in features, such as requiring users to verify a reset request with a one-time code sent by email or SMS before the password is changed. You can also make PWM reachable only from the intranet.
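The point of the last few paragraphs (a reset link is only as strong as the check behind it) is easier to see in code. The following is an added example written for this article, not PWM's own code: a minimal reset-token issuer and verifier that stores only a hash of the token, expires it, makes it single use, supersedes older tokens, and throttles how often one account can request a reset. The in-memory dicts stand in for a database table, and names like `issue_reset_token` are this example's own.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60   # a reset link should not live long
MAX_REQUESTS_PER_HOUR = 3     # per-account throttle on issuing tokens

# Constructed stand-ins for database tables (assumption for this example).
_pending: Dict[str, Dict[str, object]] = {}   # username -> {"digest", "expires"}
_issued: Dict[str, List[float]] = {}          # username -> issue timestamps


def _digest(token: str) -> bytes:
    # Store only a hash: a leaked table cannot be replayed as live tokens.
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use reset token for `username`.

    Returns the token to deliver out of band (e.g. by email), or None when the
    account has hit the issuing throttle. A new token supersedes any earlier one.
    """
    now = time.time() if now is None else now
    recent = [t for t in _issued.get(username, []) if now - t < 3600]
    if len(recent) >= MAX_REQUESTS_PER_HOUR:
        return None
    _issued[username] = recent + [now]
    token = secrets.token_urlsafe(32)   # 256 bits of entropy, unguessable
    _pending[username] = {"digest": _digest(token), "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(username: str, token: str, now: Optional[float] = None) -> bool:
    """Consume a token. True exactly once, for the right user, before expiry."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    if now > float(entry["expires"]):
        del _pending[username]          # expired tokens are dropped, not kept
        return False
    if not hmac.compare_digest(bytes(entry["digest"]), _digest(token)):
        return False                    # constant-time compare of the hashes
    del _pending[username]              # single use: a replayed token is rejected
    return True


def reset_state() -> None:
    """Clear the in-memory stores (for demos and tests)."""
    _pending.clear()
    _issued.clear()
```

The two properties that matter most here are that the table holds hashes rather than tokens, and that a token disappears the moment it is used, expires, or is superseded; the throttle stops an attacker from turning the reset form into a way to flood a mailbox or probe for valid usernames at speed.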

PWM configuration options

PWM doesn't store any passwords, so that's one less headache. It does, however, store the answers to users' secret questions, in a MySQL database that can be local or on a separate server, depending on your preference. Those answers are effectively a second set of credentials, so treat that database the way you would treat a password store: check that responses are stored hashed rather than in the clear, restrict who can read the database, and back it up with the same care.
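To make the "second set of credentials" point concrete, here is an added example (written for this article, not PWM's code or its storage format) of how challenge answers should be kept: each answer is normalized, then only a salted PBKDF2 hash is stored, verification compares every answer in constant time, and failed attempts are counted and lock the challenge. The sample questions and answers are constructed, and `enroll`, `ChallengeVerifier` and the other names are this example's own.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # slow the offline guessing of short answers
MAX_ATTEMPTS = 5              # lock the challenge after this many failures


def normalize_answer(answer: str) -> str:
    """Canonicalize an answer so case, spacing and Unicode form differences
    don't lock users out, while the stored form stays a one-way hash."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a normalized answer; a fresh salt per answer."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def enroll(questions: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Build the records to store: question text, salt and hash, no plaintext."""
    records = []
    for question, answer in questions:
        salt, digest = hash_answer(answer)
        records.append({"question": question, "salt": salt, "hash": digest})
    return records


class ChallengeVerifier:
    """Checks a full set of answers against stored records and counts failures."""

    def __init__(self, records: List[Dict[str, object]], max_attempts: int = MAX_ATTEMPTS):
        self.records = records
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, answers: List[str]) -> bool:
        if self.locked or len(answers) != len(self.records):
            return False
        ok = True
        for record, answer in zip(self.records, answers):
            _, digest = hash_answer(answer, bytes(record["salt"]))
            # Compare every answer, not just until the first miss, so timing
            # does not reveal which question was answered wrongly.
            ok &= hmac.compare_digest(digest, bytes(record["hash"]))
        if ok:
            self.attempts = 0
            return True
        self.attempts += 1
        if self.attempts >= self.max_attempts:
            self.locked = True
        return False
```

Even hashed, secret-question answers are low-entropy (pet names and cities are guessable), which is why the attempt counter matters as much as the hashing, and why the article's advice to keep high-risk accounts on a manual process still stands.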

There are a ton of ways to make PWM look and feel like a polished part of your team's infrastructure. With a little bit of CSS know-how, you can customize the user interface for your business' branding. There are also more options for implementation than you can shake a stick at.

Wrapping up

PWM is a great open source project, it's actively developed, and it has a helpful online community. It's a great alternative to Microsoft's Azure SSPR solution for small to midsized businesses that have to keep a tight grip on the purse strings, and it slots neatly into any existing Active Directory infrastructure. It also saves IT's time by outsourcing this mundane task to users.

I advise every network admin to dive in and have a look at the cool stuff PWM offers. Check out the getting started resources and reach out to the community if you have any questions.

By day, James Mawson develops marketing materials for technology companies. He's a computer, business and internet nerd, inveterate retro gamer and Raspberry Pi hacker, and a passionate promoter of desktop Linux.

1 Comment

PWM does indeed do a good job but the setup isn't primarily straightforward. You need to do a good bit of information gathering to get things working in your environment. There's no breezing through menus and selecting all relevant information. This configuration isn't for the fainthearted. The only real complaint I've had so far is the instructions to get things going are a bit scattered. I did go with a headless Ubuntu server, Tomcat8 and the pwm.war file method. It took quite a bit of research within the pwm google group to find out most of all the recent builds are broken as far as the installation is concerned. I had to get the 2/2019 build of the war file to even set up the software. Not exactly the most smooth of deployments but as it is open source, I really can't complain.

Creative Commons LicenseThis work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.