[Feature Request] [Discussion] Reset forgotten password in login screen

I usually face low-level users (the kind of users who write their passwords on a post-it) who don’t use their computer on a daily basis, and sometimes they call me because they forgot their password. I can do nothing besides tell them to bring their computer and I will reset the password with the live CD method.

On Windows, they can use the 3 secret questions method for local accounts, and if you use an online account, you can reset your password through email validation or other methods; Mac also offers some options to reset a forgotten password.

Obviously, those OSes are targeted at less tech-savvy users, but I think it would be nice to offer a solution on Linux. The three secret questions seems to be the easiest one to develop, but sddm and the underlying desktop environment (or window manager) perhaps need to be in “harmony”. At least, sddm should be able to change the user’s password if they answer the three questions; on the other hand, there should be a “wizard” asking for those questions inside the desktop (a secondary application).

I think devs from at least KDE and SDDM should agree to do their part of the job, KDE devs to do the wizard, and SDDM the logic to remember/reset the password using the secret questions entered by the user.

What do you think? Is this even doable? I’m going to open this discussion as well on SDDM’s github https://github.com/sddm/sddm/issues/1913 because I think this cannot be implemented by Plasma devs alone.

EDITED: I’m not talking about giving support to my corporate users or my friends or something like this. I think it’s a missing feature other OSes have and Linux doesn’t: give home users the ability to reset their password by answering some secret questions at the login screen itself.

That’s funny. I have some passwords written on a Post-It stuck to my door…

Are you suggesting that you can hack those?

I think I understand your point though, there’s no way to recover your login password…

Hehe, if you have those post-its at your work, surely any co-worker can hack those, or if that door is reachable by your webcam it can be shown in any videocall, or if it’s near a window, it can be seen from outside… in the best case, any family member can see those. Not to mention there are plenty of selfies on the internet showing post-its with passwords. 9/10 times, that kind of password is pretty simple, like for example 123ben456 or something like that; really complex passwords aren’t written on post-its because if you’re too lazy to remember a password, you’re even lazier to create a complex password. :stuck_out_tongue:

But that’s not the point, I’m talking about the typical user (also known as “luser”) who doesn’t care about computers at all, not to mention security, and thinks a password like 123456 is more than enough because they have nothing to hide, and password enforcement and complexity are just an annoyance for them.

This functionality I’m suggesting is for that kind of user. Linux is a far superior OS in many aspects, but I wonder why that very simple feature hasn’t been developed already (or perhaps it has been, but I couldn’t find any solution).

Simple, if you are the IT manager of such users, it makes sense for you to have access to the root user of the system.

So, just keep their root password for yourself and let them use their user with whatever password they want.

Then whenever they come to you, log into the root user on a tty and use this command.


Alternatively, you can make an sddm theme that does exactly what you are talking about in the case of Windows. Just make sure that in that case, sddm needs to be run as root (which might be different in the case of certain distros).

It is not, unless you want to set up another database containing the password.
The reason being that the password is not stored anywhere, just the “crc check”.
Security on linux baby.

What happens when you create a password is that it is hashed, then that hash is saved, not the password.
So the next time you log in, you type the password, that password is hashed, then that hash is checked against the hash saved when creating the password.
If the 2 match, the password is correct.

So you simply CAN NOT “find” the password.

If you are asking for a feature to let you change the password by responding to 3 questions, I have no idea how to do that safely.
You can change password on a user by becoming root, so it would involve something of that sort to “reset” the password. And letting a user do that sounds very insecure to me.
You as a sysadmin “are” root, you have to deal with these things. :melting_face:

I’m not talking about the corporate environment, but about home users. Obviously, in the corporate environment, the password won’t be stored locally but will use LDAP or another centralized mechanism, so corporate users would not be able to change their password with this method if they forgot it.

The idea behind is to let the home user change their own password when they forgot it, just like windows or mac does.

I think SDDM should have a tiny sqlite db (or use the keyring for greater security, but you get the idea) where to store the questions, and obviously the frontend section where the user can be asked those questions, and if the answers are correct, then a wizard to change the password.

SDDM should be run as root (on Arch linux, at least, it is already running as root) and invoke the passwd command
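The hash-then-compare flow described earlier in the thread, and how the proposed secret-question answers could be stored the same way, as an added example that is not code from the thread or from SDDM. It assumes PBKDF2-HMAC-SHA256 for illustration (real /etc/shadow entries use crypt(3) hashes such as yescrypt or SHA-512); the iteration count and record layout are the example’s own choices.

```python
# Added example, not from the thread or SDDM: a stored record holds only a
# salt and a hash, so the secret can be checked but never read back.
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000  # assumed PBKDF2 work factor, not a system value


def make_record(secret: str, salt: bytes = b"") -> str:
    """Return 'salthex$hashhex'. The secret itself is never written out."""
    salt = salt or os.urandom(16)  # a fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(secret: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    salt_hex, stored_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), stored_hex)


def normalize_answer(answer: str) -> str:
    """Secret-question answers are free text typed by a person: fold case and
    whitespace so 'Madrid' and '  madrid ' match, then hash like a password."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def make_answer_record(answer: str) -> str:
    return make_record(normalize_answer(answer))


def verify_all_answers(answers: list[str], records: list[str]) -> bool:
    """Check every answer before reporting, so a wrong first answer does not
    short-circuit and reveal which question was missed."""
    if len(answers) != len(records):
        return False
    results = [verify(normalize_answer(a), r) for a, r in zip(answers, records)]
    return all(results)


if __name__ == "__main__":
    rec = make_record("123ben456")  # constructed sample password
    print(rec, verify("123ben456", rec), verify("123ben457", rec))
```

Running the script prints the stored record, then True and False: the record contains no trace of the password, only the salt and the hash that a candidate is compared against.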

Not the password, but the secret questions answers.

SDDM is running as root, so invoking passwd wouldn’t be the craziest thing, right?

As said in the former comment, this feature is not intended for the corporate environment, but for home users, so they should be able to recover their own password without the need to reboot from a liveCD and do “obscure” (for them) things.

IMHO, yes it would. (and I’m not sure it’s even possible)
Type this in a terminal:
sudo getent passwd | grep sddm :wink:

The solution to that is to make them the sysadmins on their own computers.
If you are not willing to let them be that, then the job is for you. :slight_smile:

Is the password really necessary?
There are ways to log in automatically.
If you don’t give the users sudo privileges they never need the password except for just logging in anyway.
That would work unless there are multiple users of the computer with different user accounts.

I guess the obvious solution is to use a password manager and remember only one password. Everyone today has a smart phone and there are free open source apps that can work with the same database in all devices. Take a look at keepassxc for example.

Honestly, you should insist to these users to use a password manager, the same way they use a key to lock their home doors and cars. There’s no excuse these days to use easy passwords just to remember these. You have to remember only one password: the one that unlocks your password manager’s database. If they refuse to use a password manager, you can refuse to support them.

sddm:x:973:973:Simple Desktop Display Manager:/var/lib/sddm:/usr/bin/nologin

Even more:

ps xufa | grep sddm
root         688  0.0  0.0 154568 21028 ?        Ssl  07:37   0:00 /usr/bin/sddm
root         761  1.9  0.6 27924752 301812 tty2  Ssl+ 07:37  12:23  \_ /usr/lib/Xorg -nolisten tcp -background none -seat seat0 vt2 -auth /run/sddm/xauth_phyzyo -noreset -displayfd 16
root        1004  0.0  0.0  76824 20728 ?        S    08:04   0:00  \_ /usr/lib/sddm/sddm-helper --socket /tmp/sddm-auth-4e8ee126-02e1-402b-b2c7-e0b2449d8835 --id 1 --start /usr/bin/startplasma-x11 --user malevolent

sddm is running with root privileges, and can start X11 with root privileges… I can’t see why it couldn’t invoke passwd with root privileges… instead of

--start /usr/bin/startplasma-x11 --user malevolent

if the questions are answered properly, launch something like

--start /usr/bin/passwd malevolent

No, it’s not MY job because I’m speaking about home users who install Linux by themselves; I don’t have anything to do with them, because I don’t know them. Anyone who downloads a linux distro to start playing with Linux, your grandma, for example. I’m not speaking about users I manage, neither in a corporate environment nor at home. I think it’s a nice feature both Plasma (and SDDM) could have for home users.

The idea is not to work around that by autologin (SDDM already has this option IIRC) if there is just a single user, the idea is, regarding the accounts existing on a system, let the user change their password in a graphical, easy way.

I can agree that perhaps Microsoft’s approach of the 3 secret questions is not the best, and perhaps there is a cleverer idea, but if you cannot access your desktop, nor have an internet connection, I can’t imagine a better one. This solution is completely offline, no 2FA, no nothing, just remember in which city you were born, or what’s the name of your pet.

And how can a user see the password manager if they can’t even access their desktop?

What if you carry with you a laptop you only use in vacation, and you’re in the middle of nowhere, without even GPRS?

That workaround, which is not a solution, would imply the user has the knowledge and foresight not only to add the password when they create their user, but to update the password manager manually, because AFAIK, neither keepassxc nor other password managers can update the system password.

On their mobile. Have a look for example at keepassxc. There are android and mobile apps (see the FAQ page) which you can use and share the same password database over a common file sharing/syncing platform like dropbox, google drive etc. This is a safe procedure btw, because the password database is encrypted with state-of-the-art (aka military grade) encryption algorithms.


Sorry to sound harsh, not my intention, but, how many times do I need to say that this is a proposal for ANY HOME USER IN THE WORLD? It’s an idea for improving Plasma desktop and Linux adoption.

Think about another example of a proposal: hey guys, what about putting a “print icon to print stuff?” And people saying, “oh, you can do lp -d printer_name /path/to/the/document.txt”, and me trying to explain that perhaps an icon or a menu item is more user friendly, but people start to say something like “oh, you can write a manual for your users about how to print via CLI”… “but they are NOT my users”

It’s all about security and security implies added but necessary inconvenience for everyone, like when you lock your car or your home and you have to make sure that you don’t lose your key.

If there are users who as you said don’t care about their computer security, they can use the usual 123456 password (hard to forget) and call it a day.


So, your idea to improve the user experience of remembering their password is to install one application on the desktop, one app on the phone, configure both with 3rd party and closed source services, oh, and if the user changes the password, they need to manually update the entry in keepass, an entry perhaps they created the day they installed their desktop and never touched again.

No! you got it wrong! As I wrote in my other comment security adds inconvenience regardless if we are talking about home locks, car locks or computer passwords. It is what it is: if you care about your security then you have to add some inconvenience to your life. if you don’t care then you can never lock your home’s door, you can never lock your car and you have 123456 as your password.


yes, and that’s the purpose of a remember/reset password utility. When you lose your home’s keys, you can call a locksmith to open the door and install a new lock with a new set of keys, or you have a copy of the key on your mom’s home, but you don’t need to buy a new home. Once you are at home again, you will call the locksmith and will change the lock, but at least you’re inside your home!

It’s not a crazy request; it can be difficult to achieve, indeed, but it is not useless: any system based on credentials has the option to reset the credentials if they are forgotten. It’s not a security flaw, it’s a common feature the Linux desktop does not have.

We can talk about whether SDDM cannot invoke any tool to change the password, or cannot access the kernel keyring to store the security questions (I’m just a sysadmin, but I think both are feasible), or perhaps an experienced kernel developer could say the user space between the kernel and the SDDM requests is insecure or a gray area, but I think the usefulness of a remember/reset password is clear for everyone.

Exactly! you need to call some third party to unlock it for you. You can’t do it yourself, unless of course you have the required skills. The sysadmin is just the equivalent of the locksmith.

No it’s not! I’m just against the idea of that (I’m just trying to explain my pov here). In any case I don’t really believe that this is the right place to request such a feature. If such a feature existed then it should be a freedesktop standard that works in any login manager.

Isn’t the “remember password” thing equivalent with the auto login?


For more than a couple of decades now, all services have had the option to remember or reset the password, and modern commercial desktops have the option to do it as well. I think it’s time for linux to do it. That utility should be the “locksmith” in our simile.

That’s the kind of answer I want to hear! I knew perhaps the proper space for discussion should be freedesktop, but I wanted to hear first impressions from other users and developers of my desktop of choice. I think I can ask on the freedesktop mailing list.

Not at all. With autologin you can log in one user automatically, I don’t really know now if it’s the last user or always the same user, but on shared computers it would be a privacy flaw at least (if they are members of the same family). I never used this feature myself, and at home, everyone has their own computer.
The remember password feature I’m talking about would be the hint system windows has.

BTW: I have no idea what windows does. Last time I used windows at home was windows 2000 and last time I used windows at work was windows XP :smiley:

Anyway… I guess I have nothing more to contribute to this discussion
