joeware - never stop exploring... :)

After a previous post on ChangePW now being able to change passwords as well as set passwords I received several emails and a blog comment asking… Dude… WTF is the difference?[1]

When you change a password, you supply the old password along with the new password, if the old password is correct and the new password follows the password policy then the password will be changed. This is the normal change password process that millions of normal users go through when they change their passwords every 2-3-4 months depending on your password policy. In order to do this action, you must have Control Access granted for the “Change Password”  extended right. By default, Everyone[2] has this permission which means that anyone could change the password on an account that they knew the old password for.

When you set (or reset) a password you are performing an administrative act; you force the password to be changed without knowing the old password. This _can_ bypass certain aspects of the password policy. For example it will bypass the password history but it only MAY bypass the complex password policy, it depends on the password complexity filter being used. The developer of the filter has the option on what they do as there is a flag that lets them know whether the requested change is a set or a change operation. In order to set a password on an account, you must have Control Access granted for the “Reset Password” extended right.

  joe 

 

[1] That was paraphrased…

[2] This is the security principal Everyone.