Share via


Haiku #95

Access denied? Hmm,

I guess that means that I need

A new PIN number.

Truth be told, the author of today's haiku is probably the world's worst user of Internet search engines: he never finds anything that he sets out to look for. On the other hand, he's remarkably good at finding things that he didn't set out to look for. For example, this morning, while trying to get clarification on a term used on Voice over IP networks (a term that has absolutely nothing to do with passwords) he stumbled upon several articles that talked about the most-commonly used passwords. (Most of these articles were, alas, based on analyses of Internet sites that inadvertently exposed their password lists to the world.) In case you're wondering, here's what one of these articles listed as the 10 most-commonly used passwords:

· 123456 (because many places require 6-character passwords)

· 12345 (apparently because 123456 was too hard to remember)

· 123456789 (which probably counts as a strong password because it has so many characters)

· Password (tricky: note the uppercase P)

· iloveyou (easy to crack, but it's just so cute!)

· Princess

· rockyou (sadly, the name of the Web site these passwords came from was Rockyou.com)

· 1234567 (the classics never go out of style, do they?)

· 12345678

· abc123

Note. In this article, monkey was the 14th most-commonly used password. The author of today's haiku looked at several lists of passwords, and monkey appeared in the top 20 on every one of those lists. Why monkey? We have no idea. Monkey?

At any rate, we just thought that was interesting. Admittedly, many of these passwords are used on Web sites where you have to log on in order to post messages to a forum; if someone stole your password and posed as you, well, it's probably not that big of a deal.

Note. Especially in light of the fact that you're probably posing as someone else to begin with. Among the most popular user names uncovered by one study are Dragon_boy, CutiePie, and LLCoolDave.

In other cases, however, these passwords were used to log on to bank accounts or credit card accounts. Is it a bad idea to log on to your credit card as CutiePie, with a password of 123456? Well, we tend to follow the rule "Judge not lest ye be judged yourself."

But, yes, it's a bad idea.

So what does all that have to do with Microsoft Lync Server 2010? Well, nothing really; we just found it interesting. And while you typically don't have to deal with passwords in Lync Server (instead, you log on using your regular Windows password) you might have to deal with PIN numbers. And with that in mind, and because even the daily Lync Server PowerShell haiku has to be about something, we decided to talk about the CsClientPin cmdlets: Set-CsClientPin, Lock-CsClientPin, and Unlock-CsClientPin.

As you probably know, Lync Server 2010 lets you log on to the system, or join an online conference, by using a plain old telephone; to do that, you have to enter a PIN number instead of a user name and password. (User names and passwords are too hard to enter on a telephone keypad. Or at least they would be if people didn't use passwords like 123456.)

Note. If you're a bit unsure about dial-in conferencing and PIN policies that can only mean one thing: you didn't read our previous haiku on this subject, did you? For shame!

With that in mind, it probably won't come as any great surprise that the CsClientPin cmdlets are used to help manage the PIN numbers assigned to users. For example, you can use the Set-CsClientPin cmdlet to actually do that assignment. (Users can also create their own PINs by going to the Dial-In Conferencing Web page.) You say you want to assign Ken Myer a specific PIN number? That's fine; that's what Set-CsClientPin is all about:

Set-CsClientPin -Identity "Ken Myer" -Pin 121989

As you can see, you simply specify the Identity of the user account followed by the PIN number you want to assign to that user. If you'd prefer to have the system randomly generate a PIN number for the user then leave off the PIN parameter:

Set-CsClientPin -Identity "Ken Myer"

Do that, and Lync Server will respond by setting Ken Myer's PIN and giving you a report similar to this one:

Identity Pin PinReset

----------- --- --------

sip:kmyer@litwareinc.com 666539 True

In this case, Ken has been assigned PIN number 666539.

Note. We should probably point out that, if you do this, then it's up to you to notify Ken of his new PIN number. Lync Server will not do that for you.

Another note. Actually, there is some significance to the PIN number 666539. But we'll let you figure that out for yourselves.

Keep in mind that Lync Server will adhere to your PIN policies when creating a PIN number. For example, suppose you set the minimum PIN length to 8 digits. In that case, the system will not assigned Ken Myer the PIN number 666539; that PIN only has 6 digits. The one exception here is this: the PIN history count. You can configure the system so that users cannot keep using the same PIN number over and over again; if their current PIN number 666539 expires, they can't reuse 666539 when selecting a new PIN. However, you, the administrator, can use Set-CsClientPin to reassign them that same password. (Although you might want to keep that as your little secret.)

What about Lock-CsClientPin and Unlock-CsClientPin? Well, Lock-CsClientPin provides a way for you to temporarily prevent someone from logging on using a PIN number: a user whose PIN has been locked can still fire up Microsoft Lync and log on using their Windows password, but won't be able to dial in and log on using their PIN. (It's still a valid PIN; it's just been temporarily disabled.) Need to lock Ken Myer's PIN? Okey-doke:

Lock-CsClientPin –Identity "Ken Myer"

You say you need to lock everybody's PIN? This command will lock the PIN number for every user who has actually been assigned a PIN number:

Get-CsUser | Get-CsClientPinInfo | Where-Object {$_.PinExpirationTime -lt (Get-Date)} | Lock-CsClientPin

And, of course, Unlock-CsClientPin lets you unlock (and thus re-enable) those PIN numbers:

Unlock-CsClientPin –Identity "Ken Myer"

Only an administrator can unlock a locked PIN. As you might expect, users can't unlock their own PIN numbers. That would sort of defeat the whole purpose of locking those numbers in the first place. And before you ask, no, there's no way for anyone, even an administrator, to retrieve the PIN number that has been assigned to a user. If a user forgets their PIN number you can assign them a new one, but there's no way for you to look up their current PIN. That, too would open up all sorts of security holes, holes that are better left unopened.

Before we call it a week, we thought we should mention that the author of today's haiku has a friend who uses the same password for everything; that password is basically his name followed by the phrase IsASexMachine. (For example, KenMyerIsASexMachine.) In his view, that's the most secure password imaginable. If you don't know the password, well, you can't use it. And, in his opinion, even if you did know the password, you'd be too embarrassed to type it in. It's not quite as good as monkey, but it's not bad.

See you on Monday.