Security Basics mailing list archives

RE: Password communication


From: "Bill Lavalette" <blavalet () homenet-security com>
Date: Fri, 4 Jan 2008 14:41:55 -0500

 
After reading most of the responses to this thread, a couple of key questions
arise from the original post and some of the responses.

A) This should be in all Security Policies 

B) This is an excellent Business Continuity example.

I would not rule out phone for relaying to local non-management or MIS type
employees. The level of access that the regular "Joe" has would or should
not be business impacting if said phone is compromised. One post was talking
about 2-factor auth: you could relay a password in the voicemail, and the
employee must contact MIS with the password to reset their account. This
way you can verify via the phone that it is in fact the employee that is on
the other end.

SARBOX note -- your employee list should be complete and up to date for all
employees. This should also be reflected in the accounts you maintain.

For remote employees, aka remote offices and WFH (work from home) sales types,
you have a couple of options.

If you are using a VPN, you already have 2-factor auth in place for an emailed
password: the login of the laptop and the login for the VPN. If you are
using a single sign-on solution, then well, there is a shortcoming of end user
laziness :) However, pointing back at the SARBOX note, phone should be a
viable option. Most or all cell phones use encryption.

Phone security is also a topic that is brought up as well. Can you verify
that your local phone is secure? If you have a PBX or VoIP system admin, what
are the policies for this system? Has it been audited, etc.?

Anyway, I think and have practiced the email relay and voice mail relay, both
with a "Call us to reset your password" type message, and we did not have any
problems with this. It took about a week to get everyone switched over
this way, est. 250 employees at a remote office.

Hope this helps and brings up some other interesting aspects of your great
question.

Kind Regards,

Bill

====== HomeNet Security ===========
Bill Lavalette 
Network Security Officer
CCSA-CCSE 
Crisis Mitigator
ID Theft Prevention Mentor
WWW http://www.homenet-security.com
====================================
     Defending The Home LAN



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of pepsdiaz () gmail com
Sent: Thursday, January 03, 2008 4:09 AM
To: security-basics () securityfocus com
Subject: Password communication

Dear all,

We are trying to implement a password policy in our Organization and we have
some doubts when distributing the password to all the employees. I would
like to know which is the best way to communicate the new password when the
user blocks/forgets his password.

1) We don't want to use an envelope because it takes a long time.

2) Telephone is insecure; how to authenticate the user?

3) email is also insecure...

4) PKI... expensive?

Thanks to all in advance.
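The "code in the voicemail, call MIS back to reset" workflow that Bill describes above, written out as a help-desk tool. This is an added example, not code from either poster; the employee directory, employee IDs, time limit and attempt limit are constructed for illustration. The point it adds to the prose is the controls the desk side needs for the two channels to actually count as two factors: the code goes only to the phone number already in the directory, it is stored hashed, it expires, it is single use, and a few wrong guesses void it.

```python
"""Two-channel password reset desk (constructed example, not from the thread)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # a voicemail code that is not used promptly expires (assumed limit)
MAX_ATTEMPTS = 3             # guesses allowed per issued code before it is voided (assumed limit)


def _digest(code: str) -> str:
    """Store only a hash of the spoken code, never the code itself."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


class ResetDesk:
    """Help-desk side of the 'code in voicemail, call us back' workflow."""

    def __init__(self, directory, clock=time.time):
        # directory: employee_id -> {"phone": str, "active": bool}; constructed for the example.
        # The SARBOX point in the thread: this list must be complete and current.
        self.directory = directory
        self.clock = clock
        self.pending = {}   # employee_id -> {"hash", "expires", "attempts"}
        self.audit = []     # (event, employee_id) tuples for later review

    def issue_code(self, employee_id):
        """Channel 1: leave a one-time code on the employee's directory phone."""
        emp = self.directory.get(employee_id)
        if emp is None or not emp["active"]:
            self.audit.append(("refused", employee_id))
            return None
        code = f"{secrets.randbelow(10**8):08d}"   # 8-digit code, easy to read from a voicemail
        self.pending[employee_id] = {
            "hash": _digest(code),
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.audit.append(("issued", employee_id))
        # Deliver to emp["phone"] from the directory, never to a number the caller supplies.
        return code

    def confirm_by_phone(self, employee_id, spoken_code):
        """Channel 2: employee calls MIS and reads the code back.

        Returns a temporary password on success, otherwise None.
        """
        rec = self.pending.get(employee_id)
        if rec is None:
            self.audit.append(("no_pending", employee_id))
            return None
        if self.clock() > rec["expires"]:
            del self.pending[employee_id]
            self.audit.append(("expired", employee_id))
            return None
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self.pending[employee_id]
            self.audit.append(("locked", employee_id))
            return None
        if not hmac.compare_digest(rec["hash"], _digest(spoken_code)):
            self.audit.append(("mismatch", employee_id))
            return None
        del self.pending[employee_id]          # single use: a replayed code is refused
        self.audit.append(("reset", employee_id))
        # Temporary password; the account should be flagged must-change-at-next-login.
        return secrets.token_urlsafe(12)


if __name__ == "__main__":
    desk = ResetDesk({"e100": {"phone": "+1-555-0100", "active": True}})
    code = desk.issue_code("e100")          # left on the directory phone's voicemail
    print("temporary password:", desk.confirm_by_phone("e100", code))
    print("audit:", desk.audit)
```

The caller never chooses where the code is delivered, which is what makes the callback a verification of the directory phone rather than of whoever is on the line; the audit list is what a later review (or an auditor asking "has it been audited?") would look at.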
