Security Basics mailing list archives

Re: Password communication


From: "Dante Signal31" <dante.signal31 () gmail com>
Date: Fri, 4 Jan 2008 08:19:57 +0100

Hello Pepsdiaz,

authenticating an individual involves using at least one of these things:

* "Something the individual knows".
* "Something the individual has".
* "Something the individual is".

However, a "strong" authentication system doesn't use only one of
these things; it must use two at the same time.

IMHO, the telephone lacks authentication if you don't use a
compensation control, but even in that case you'll be using only one of the
things ("Something the individual knows") and you could be attacked with
social engineering techniques, as Sam Hansen said.

I'd try to implement a second control to make your system "strong".
One option is splitting your passwords in two parts (for example, A
and B): you could return part A to the user by phone after the
compensation control ("Something the individual knows"), and the second part,
B, could be returned by SMS message to the user's mobile phone (that
mobile phone was registered in the user's profile when he was created in
the system) ("Something the individual has"). The user's temp password would
be A+B and it could be used by the user to log in to the system and create a
definitive password.

Regards

Dante

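The two-channel temp-password scheme Dante describes, sketched as an added Python example (not code from the thread): the service stores only a hash of A+B, hands A to the phone channel and B to the SMS channel, accepts the combination once within a short window, and then forces a definitive password change. The 15-minute window, the field names and the 64-bit token size are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

TEMP_TTL_SECONDS = 15 * 60   # assumed validity window for the temp password

@dataclass
class TempCredential:
    digest: bytes            # SHA-256 of the whole temp password A+B
    expires_at: float        # epoch seconds; rejected after this time
    used: bool = False       # set once redeemed, so a replayed A+B fails

@dataclass
class Account:
    registered_mobile: str   # SMS destination captured when the profile was created
    temp: Optional[TempCredential] = None
    must_change_password: bool = False

def issue_temp_password(acct: Account, now: Optional[float] = None) -> Tuple[str, str]:
    """Generate a temp password, keep only its hash, return the halves (A, B).

    The help desk reads A to the caller after the compensation control; B is
    sent by SMS to acct.registered_mobile. Neither half is stored in clear.
    """
    now = time.time() if now is None else now
    token = secrets.token_hex(8)            # 16 hex chars, 64 random bits
    part_a, part_b = token[:8], token[8:]
    acct.temp = TempCredential(
        digest=hashlib.sha256((part_a + part_b).encode()).digest(),
        expires_at=now + TEMP_TTL_SECONDS,
    )
    return part_a, part_b

def redeem_temp_password(acct: Account, supplied: str, now: Optional[float] = None) -> bool:
    """Accept A+B once, within the window, then force a definitive password."""
    now = time.time() if now is None else now
    cred = acct.temp
    if cred is None or cred.used or now > cred.expires_at:
        return False
    if not hmac.compare_digest(hashlib.sha256(supplied.encode()).digest(), cred.digest):
        return False
    cred.used = True                        # single use: a replayed A+B is refused
    acct.must_change_password = True        # user must now set a definitive password
    return True
```

Either half on its own fails the check, which is the point Petter raises: whoever intercepts one channel still cannot log in and change the password.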

2008/1/3, Petter Bruland <pbruland () fcglv com>:
How big of a company are we talking about here?

Last time we had to have people change passwords outside the regular 90-day change, we divided the org into a few 
smaller groups, and walked around. Now we're only 188 here, so that's not hard, but if we're talking several sites 
and hundreds of employees, I don't see anything negative about using the phone.

Also the "Change password after login" isn't going to help this situation, as if the wrong person gets the temp 
password, he/she will just change that to something else upon login.

Wish we had the $$ for RSA or some two-factor authentication, as that seems easier on the end users, rather than 
trying to explain why their password can't be "MONDAY" etc.


-Petter

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
Sent: Thursday, January 03, 2008 10:06 AM
To: security-basics () securityfocus com
Subject: RE: Password communication

Good day,

I don't agree that the phone is insecure.
If you set up the policy so it forces the user to create a new password on first login, then you can give the 
password over the phone and the user will change it right away.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of pepsdiaz () gmail com
Sent: Thursday, January 03, 2008 3:09 AM
To: security-basics () securityfocus com
Subject: Password communication

Dear all,

We are trying to implement a password policy in our Organization and we have some doubts when distributing the 
password to all the employees. I would like to know which is the best way to communicate the new password when the 
user blocks/forgets his password.

1) We don't want to use an envelope because it takes a long time.

2) Telephone is insecure; how do we authenticate the user?

3) Email is also insecure...

4) PKI... expensive?

Thanks to all in advance.

