Hitachi ID Systems, Inc.


Password History

The change sequence is ordered so that a password is never set on an endpoint before the ID-Archive™ server has recorded it. In other words, a workstation or server can never hold a local administrator password that the central ID-Archive server cluster does not know.

Consider a workstation on which the local ID-Archive service determines that it is time to change a password:

If the service simply changed the password and then tried to contact a central server to upload the new value, it might find that ID-Archive was off-line or unreachable. It would then have to either roll the change back or store the new value locally and keep retrying, hoping to upload it before anyone needed to log in. Until that upload succeeded, the only copy of the working administrator credential would sit on the endpoint itself.

To avoid this problem, ID-Archive uses a "pull model", which works as follows:

  1. First, the workstation connects to the central ID-Archive server and asks it to generate a new, random password for a given local user. The server records that value before handing it out.
  2. The workstation then sets the password locally and sends a confirmation to the ID-Archive server.
  3. The ID-Archive server marks the new password as current and replicates the update to all other ID-Archive servers.

If the ID-Archive server does not receive the confirmation message, for example because the workstation was suddenly powered off or disconnected, it retains both the old and the new password. The new password is assumed to be current and the old one is archived.

As a fail-safe, all old passwords are retained in the archive, so that even if a sequence of password updates failed, a working administrative password is still available.
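The following is an added model of the pull-model rotation and its lost-confirmation handling, written for this page; it is not ID-Archive code and does not reflect its wire protocol or storage format. The `ArchiveServer`, `Workstation` and `PasswordRecord` names, the `pending`/`current`/`archive` states, the `online` flag used to simulate an unreachable server, and the in-memory `local` dictionary standing in for the endpoint's account database are all assumptions made for illustration. It shows the property the text relies on: because the server issues and records the value first, the endpoint never holds a password the cluster lacks, and a lost confirmation leaves both old and new values recoverable.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the pull-model rotation described above; not ID-Archive code.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


@dataclass
class PasswordRecord:
    current: Optional[str] = None   # value believed to be in effect on the endpoint
    pending: Optional[str] = None   # issued by the server, confirmation not yet received
    archive: list[str] = field(default_factory=list)   # superseded values, never discarded


class ArchiveServer:
    """Central store (one cluster member); replicates every update to its peers."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.online = True                      # assumption: toggled to simulate an outage
        self.peers: list["ArchiveServer"] = []
        self.records: dict[tuple[str, str], PasswordRecord] = {}

    def _record(self, host: str, user: str) -> PasswordRecord:
        return self.records.setdefault((host, user), PasswordRecord())

    def generate(self, host: str, user: str, length: int = 24) -> str:
        """Step 1: issue a random value and store it BEFORE the endpoint sets it."""
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        rec = self._record(host, user)
        rec.pending = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._replicate(host, user)
        return rec.pending

    def confirm(self, host: str, user: str, value: str) -> None:
        """Steps 2-3: endpoint reports success; promote pending to current and replicate."""
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        rec = self._record(host, user)
        if rec.pending != value:
            raise ValueError("confirmation does not match the value this server issued")
        self._promote(rec)
        self._replicate(host, user)

    def reconcile_unconfirmed(self) -> int:
        """Lost-confirmation handling: assume pending is current, archive the old value.
        Nothing is dropped, so both values stay available for recovery."""
        promoted = 0
        for (host, user), rec in self.records.items():
            if rec.pending is not None:
                self._promote(rec)
                self._replicate(host, user)
                promoted += 1
        return promoted

    def candidates(self, host: str, user: str) -> list[str]:
        """Values to try when an admin needs in: newest assumption first, then history."""
        rec = self._record(host, user)
        return [v for v in (rec.pending, rec.current, *reversed(rec.archive)) if v is not None]

    def _promote(self, rec: PasswordRecord) -> None:
        if rec.current is not None:
            rec.archive.append(rec.current)   # old value is archived, not overwritten
        rec.current, rec.pending = rec.pending, None

    def _replicate(self, host: str, user: str) -> None:
        rec = self.records[(host, user)]
        for peer in self.peers:
            peer.records[(host, user)] = PasswordRecord(rec.current, rec.pending, list(rec.archive))


class Workstation:
    """Endpoint agent; `local` stands in for the local account database (assumption)."""

    def __init__(self, host: str, server: ArchiveServer, local: dict[str, str]) -> None:
        self.host, self.server, self.local = host, server, local

    def rotate(self, user: str, confirmation_lost: bool = False) -> Optional[str]:
        try:
            new_value = self.server.generate(self.host, user)   # step 1: ask the server first
        except ConnectionError:
            return None   # server unreachable: nothing changed locally, so no orphaned password
        self.local[user] = new_value                            # step 2: set locally
        if confirmation_lost:                                   # simulate a power cut right here
            return new_value
        self.server.confirm(self.host, user, new_value)         # step 2: confirm
        return new_value


def server_knows_local_password(ws: Workstation, user: str) -> bool:
    """The invariant from the text: the endpoint never holds a value the cluster lacks."""
    return ws.local[user] in ws.server.candidates(ws.host, user)


def demo() -> dict[str, bool]:
    """Walk through a normal cycle, a lost confirmation and an outage; all values should be True."""
    primary, replica = ArchiveServer("primary"), ArchiveServer("replica")
    primary.peers.append(replica)
    ws = Workstation("ws01", primary, {"Administrator": "pre-enrolment-value"})
    first = ws.rotate("Administrator")                             # normal cycle
    second = ws.rotate("Administrator", confirmation_lost=True)    # power cut before confirm
    cands = primary.candidates("ws01", "Administrator")
    results = {
        "known_after_lost_confirm": server_knows_local_password(ws, "Administrator"),
        "new_value_tried_first": cands[0] == second,
        "old_value_still_retained": first in cands,
        "replica_in_sync": replica.candidates("ws01", "Administrator") == cands,
    }
    primary.reconcile_unconfirmed()
    results["old_archived_after_reconcile"] = first in primary.records[("ws01", "Administrator")].archive
    primary.online = False                                         # step 1 fails during an outage
    results["outage_leaves_local_unchanged"] = (
        ws.rotate("Administrator") is None and ws.local["Administrator"] == second
    )
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The ordering in `candidates` is what makes the lost-confirmation case recoverable: the unconfirmed value is tried first because the endpoint most likely applied it, the previous current value comes next, and older archived values follow. A real deployment would also need the server to time out and reconcile unconfirmed values, which `reconcile_unconfirmed` does here on demand.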