How do I recover a forgotten Active Directory password?
Answer:
You don't.
The problem may not be with your password, however. Authentication
can fail for any of the following reasons:

- You mistyped the account name, or did something like add "@colby.edu",
  which is not part of the account name. The software will give you a
  complaint similar to "account does not exist".

- You mistyped (or forgot) the password.

- The authentication software has crashed. Hey, it happens occasionally.
  Try again later.

- The account exists, but has been locked out by ITS. In this case the
  password is still there and valid -- you just can't use the account.
  ITS locks out accounts because of a virus infection or for other
  security reasons. Contact the helpdesk (helpdesk@colby.edu) for
  further information.

- The account exists and is valid, but the password is invalid. In this
  case the password was never initially set for the account, or the
  password has been invalidated by ITS for security reasons. If you
  previously had a password and get the "password invalid" message,
  then continue reading to find out how to get a new password.
If you are off-campus (especially if you are abroad), send email
to "helpdesk@colby.edu" telling them that you are having authentication
problems. Please tell them (a) what service or machine you tried
to authenticate to, e.g. the Web page URL; (b) what error message
you got, if any; (c) where you are physically; (d) where you are
on the Internet (domain name and/or IP address), if you know.
Do not send Active Directory passwords via email. Do not ask ITS staff to send
you a password via email. If you do email anyone in ITS your Active Directory
password, your password will be invalidated -- ensuring that you
are locked out.
ITS will not use email to transmit passwords because email is not
secure: a message travels and is stored in the clear, so anyone who can
read it in transit, on a mail server, or in a mailbox backup has the password.
If it gets to the point where you really do need to set a new password,
please come to ITS (105 Lovejoy). Please bring a photo ID, so we can
verify who you are. If you are at a remote location and cannot come
to Lovejoy Hall, then you can call Jeff Earickson (207-872-3659) or
Paula Krog (207-872-3607). Jeff or Paula can set a new password for
you by phone. They will ask you questions until they are convinced
that they are talking to the actual owner of the account, since you
cannot show a photo ID by phone. To repeat -- ITS will NOT set a password
by email.
Before you call ITS or stop by, put on your thinking cap and try to
remember your password. Here is some advice that may jog your memory:

- Your username is eight characters or fewer, all lowercase. If your
  name is John C. Smith, then your userid is likely something like
  "jcsmith". It is NOT "jcsmith@colby.edu"; that is your email address.

- Your password is case-sensitive and must have met the following
  requirements: (a) a minimum of eight characters, (b) one or more
  punctuation characters, (c) the non-punctuation characters cannot be
  a word in a dictionary, or any part of your name. If the password
  that you think you have does not meet these criteria, then think
  about some more.

- Since passwords are case-sensitive, check that you haven't
  accidentally gotten the "caps lock" key mashed down, thereby giving
  upper-case characters.
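To make the three requirements concrete, here is a small checker, added as an example for this page and not part of Colby's own software, that tests a candidate password against them. The dictionary, the name-splitting rule and the exact wording of the messages are constructed stand-ins: Colby's real check uses its own dictionary and may apply the name rule differently.

```python
import string

# Constructed sample dictionary for this example. Colby's real check uses a
# full dictionary file; any word in it would be rejected the same way.
DICTIONARY_WORDS = {"password", "summer", "colby", "maine", "secret"}
PUNCTUATION = set(string.punctuation)


def check_password(password: str, full_name: str, dictionary=DICTIONARY_WORDS):
    """Return a list of policy violations; an empty list means the password passes.

    full_name is the account owner's name as written, e.g. "John C. Smith".
    """
    problems = []

    # (a) minimum of eight characters
    if len(password) < 8:
        problems.append("shorter than eight characters")

    # (b) at least one punctuation character
    if not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation character")

    # (c) applies to what is left after the punctuation is stripped out.
    # The comparison is case-insensitive: "Summer" is still the word "summer".
    core = "".join(c for c in password if c not in PUNCTUATION).lower()
    if core in dictionary:
        problems.append("non-punctuation part is a dictionary word")

    # "any part of your name": split the name into words, ignoring one-letter
    # initials such as "C", and reject if any of them appears in the core.
    name_parts = [p.lower() for p in full_name.replace(".", " ").split() if len(p) > 1]
    if any(part in core for part in name_parts):
        problems.append("contains part of your name")

    return problems


if __name__ == "__main__":
    for candidate in ("Summer!!", "smith#42", "abcdefgh", "short!", "Ra1n.Tomb0"):
        verdict = check_password(candidate, "John C. Smith")
        print(f"{candidate!r:14} -> {verdict or 'OK'}")
```

If the password you are trying to remember fails this kind of check, it was never accepted in the first place, which is the page's point: rule out the impossible candidates before you spend a trip to Lovejoy on them.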
Logging onto colby0.colby.edu via telnet is the acid test for checking
whether your userid and password are correct. That is a zero in
the name, not an "oh". If you have the capability to try this (i.e.,
a system with a telnet client and Internet access), then try it. Be
aware, though, that telnet sends your userid and password across the
network unencrypted, so do not do this from a network you do not trust,
and never from a shared or public machine. If you are abroad, note that
colby0.colby.edu may reject connections from you for other reasons,
notably a poorly configured local network that you are on. Colby0 will
only accept connections from "well known hosts": machines whose Internet
address can be looked up in the usual way (typically a reverse DNS,
address-to-name lookup) and resolves to a proper hostname. If you see
"connection refused" messages, then you have this problem (as well as
your password problem).
Why can't some ITS guru just look up your forgotten password and give
it to you? Because passwords are stored one-way hashed (the page's
"one-way encrypted"). Even the ITS gurus have no access to your
password because of this. How does the process of authentication work
with a one-way hash? Think of the hashing process as a magical
meat-grinder. You drop your password in the top of the grinder, turn
the crank, and some scrambled string falls out the other end. The
hashing process guarantees that (a) a given password (combined, on most
systems, with a random per-account "salt") will always generate the
same scrambled string, and (b) no process can be applied to the
scrambled string that will divulge the original password. Using the
meat-grinder analogy, the steak cannot be reconstructed from the bits
of hamburger by turning the handle backwards.
The piece of information about your password that is stored in the
computer is the hashed string, not the original password. When
you authenticate, you type in the password, it is hashed the same way,
and the result is compared to the hashed string saved for your account.
If they match, then you entered the correct password and you are
in. If they don't match, then you are denied access. To add a level
of security, the file(s) containing the hashed strings are themselves
encrypted, so that simply reading the file does not expose the hashes.
That protects the hashes; the password itself is never stored anywhere,
which is why nobody can look it up for you.
The notion of "decrypting" a stored password hash is a misnomer and the
product of bad Hollywood movies. Actual password "cracking" consists of
guessing a likely password, hashing it the same way, and then comparing
the result to the hashed string of the account under attack. Good
password-hashing algorithms are designed to take lots of CPU time per
guess, and the number of guesses an attacker must make grows
exponentially with the length of the password and with the size of the
character set it draws from.
A difficult password of reasonable length, combined with a good
hashing algorithm, makes "dictionary cracking" attempts infeasible:
the password is on no wordlist, and there are too many possibilities
to try them all. This is the reason why Colby has such strict rules
about what can be used for a password.
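The meat-grinder, the verification step, and the guess-hash-compare loop that real cracking consists of, written out as an added example. This is not Colby's authentication code, and it does not claim to be the algorithm Colby's systems use: it assumes PBKDF2-HMAC-SHA256 with a random 16-byte per-account salt, an iteration count set low so the example runs in a few seconds, a constructed six-word wordlist standing in for the attacker's dictionary, and the kind of simple word-mangling (capitalise, append "!" or digits) that dictionary crackers apply.

```python
import hashlib
import hmac
import os
from typing import Iterator, Optional, Tuple

# Work factor: PBKDF2 iterations. Deliberately low here so the example runs
# quickly; a real deployment uses far more (assumption of this example).
ROUNDS = 20_000

# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = ["password", "summer", "colby", "maine", "letmein", "welcome"]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The meat-grinder: password in, fixed-length digest out.

    A fresh random salt is drawn for a new account so that two users with
    the same password still get different stored strings. The salt is
    stored beside the digest; it is not a secret.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Authentication: grind the typed password with the account's salt and
    compare to the stored digest. compare_digest runs in constant time so the
    comparison itself leaks nothing about how many bytes matched."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def candidates(wordlist) -> Iterator[str]:
    """Guesses the way a dictionary cracker makes them: each word as-is,
    capitalised, and with a few common suffixes appended."""
    suffixes = ["", "!", "!!", "1", "123"]
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                yield base + suffix


def dictionary_crack(wordlist, salt: bytes, stored: bytes) -> Optional[str]:
    """Cracking is guessing: hash each candidate and compare. There is no
    step that turns the digest back into the password; the only way in is
    to guess it. Returns the password if a candidate matches, else None."""
    for guess in candidates(wordlist):
        if verify_password(guess, salt, stored):
            return guess
    return None


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of strings an exhaustive search must cover: grows exponentially
    in the password length, with the alphabet size as the base."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Weak: passes the length and punctuation rules, but its core is a
    # dictionary word, so a mangled wordlist reaches it in a few dozen tries.
    salt, stored = hash_password("Summer!!")
    print("login with correct password:", verify_password("Summer!!", salt, stored))
    print("login with caps-lock variant:", verify_password("sUMMER!!", salt, stored))
    print("dictionary crack of weak password:", dictionary_crack(WORDLIST, salt, stored))

    # Strong: not on any wordlist, and too long to enumerate.
    salt2, stored2 = hash_password("Ra1n.Tomb0")
    print("dictionary crack of strong password:", dictionary_crack(WORDLIST, salt2, stored2))
    print("8 lowercase letters:", guess_space(26, 8), "guesses;",
          "8 chars from 94 printable:", guess_space(94, 8), "guesses")
```

The per-guess cost (ROUNDS) is what the page means by "designed to take lots of CPU time"; the guess_space numbers are why length and a wide character set matter even more than that cost. Note that the salt is stored in the clear next to the digest: its job is to stop one precomputed table from covering every account, not to be a second secret.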