Reset Passwords from Lock Screen

Hello,
I’m not sure I’m using the proper category, but I have a question regarding password resets directly from lock screen. I run EOS 3.9 beta on QEMU and there is an option “Forgot Password”;

btw i dont find an upload image here, so thats a screenshot:

That option give us a 7-digit pin that later generates an unlock/reset password from:
http://pwreset.endlessos.org/

My question is, we can just unlock ANY EOS desktop JUST LIKE THAT?? There wasn’t any account sync (on PW Reset page I logged in with my Google account) or even hardware ID

Yes, this (the web code generator) was added when 3.8.7 was released:

As you need physical access to the device, the security implications are predictable.

this is way way way wrong; there are Linuxes already that come with a default disk encryption;
btw, thanks for the reply and the link!!

Under almost all circumstances, the security of the system is lost as soon as an attacker get’s physical access to the device. Even if you are using sophisticated enterprise solutions like, for example Microsoft BitLocker there are situations arising when an attacker with enough knowledge of the underlying system and it’s procedures can get access to the device (Keyword: VMK on Disk during Firmware Upgrades).

Yes for sure, you can always build a system which is - from a cryptographical point of view - unbreakable and highly secure, but it’s always a tradeoff between usability and security. And in this exact case here it’s acceptable. There is no full disk or user directory encryption, so anyone with physical access can always get the disk and mount it on another system or even simply reboot the system and force it into single user mode.

So, the number one rule always should be: Never leave your device alone in unsecure places.

  1. What, if you have forgotten you password and don’t have access to the internet? Can you reset password? And How?
  2. What, if server who “save password tokens” was damaged, destroyed, source code was changed or deleted, is under DDOS attack, can you reset password?
  3. What, if copy of tokens is lost? Can you reset password?
  4. How this help people with no internet connection, who endless aim to give them access to information’s? If they forgot there password will there PC becomes useless?

If you don’t have internet, you can’t use the online service. In this case, boot to single user mode, mount the root disk and reset the password manually (advanced, see Linux password lost)

There is no such thing as a Token. The code supplied in the login window is run through a mathematical operation, which results in a code, which in turn can be entered instead of your password.

This is extremely disappointing. I was looking into OSTree projects and this looked like a promising OS and refreshing ChromeOS/CloudReady/Silverblue alternative for the ultra-casual user. You should have a disclaimer letting people know that anyone age ~5 or more can get into your e-mails, social media accounts, journals, etc. And even brain-dead criminals can be shown step-by-step how to break into your accounts if they steal your device. This is very different from someone knowing how to mount a drive externally. A sane compromise is something like turning off SELinux and not something like breaking password security entirely.

At least this makes my viability audit for my users nice and short. There is no way to disable this? Enforce answering 3 security questions? Wiping the device after password reset? Was there an internal discussion on this someone can link here? Was this a controversial proposal? Something like this seems to benefit a very small number of use-cases and is otherwise malicious to everyone else. Security is one of the greatest selling points of ChromeOS and clearly seems like something people want in an OS. I appreciate looking out for those most technically incompetent, but as-is this just seems like a terrible idea implemented the way it is and something I could never recommend unless they were fully aware of the implications.

Just my few cent:

  • If you have lost your device and it’s not encrypted, this does not matter. Anyone who has a interest in getting your data if he has you device can simply pull out the disk and attach it to another computer, this is not witchcraft
  • Some Chromium OS Distributions like CloudReady make this even easier. There is no password set for the chronos user and you can simply sudo to a root-shell in the Terminal, even before login.
1 Like

Hi, thanks for taking the time to try Endless and additionally stepping in to provide feedback!

This functionality can be disabled via a terminal command if you wish:
https://support.endlessos.org/en/endless-os/pwreset#disable-the-self-password-reset-service

From the perspective of someone with plentiful technical experience like yourself, this may indeed seem like a weird misfeature. But to at least share some of the background here:

Endless’s underlying mission is to solve the barriers that prevent equal access to technology & education. We’ve spent years working with students and families who have never had a PC before, but now they have their first PC - running Endless OS. This is at the heart of what we do. Making software for such target users brings plenty of interesting challenges and considerations that are surprising to us who have a significantly greater amount of PC usage experience.

And this is one such case. The most common support requests from this type of user is “I lost my password”. And I’m not just referring to a handful of support tickets. Over the years, this has formed the overwhelming majority of support requests that we have received. Even when we took steps such as making the default be a passwordless user account, and requiring the user to set a password hint along with their password, there was barely any change to this reality. Anyway, this password reset system has emerged from years of practical experience in that area.

It’s far from ideal of course, and we have alternative ideas to explore, but anyway, that is how we got to where we are today.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.