Security Basics mailing list archives
RE: Password communication
From: "Bill Lavalette" <blavalet () homenet-security com>
Date: Fri, 4 Jan 2008 14:41:55 -0500
After reading most of the responses to this thread, a couple of key questions arise from the original post and some of the responses:

A) This should be in all Security Policies.
B) This is an excellent Business Continuity example.

I would not rule out phone for relaying to local non-management or MIS-type employees. The level of access that the regular "Joe" has would or should not be business impacting if said phone is compromised.

One post was talking about 2-factor auth. You could relay a password in the voicemail, and the employee must contact MIS with the password to reset their account. This way you can verify via the phone that it is in fact the employee on the other end.

SARBOX note: your employee list should be complete and up to date for all employees. This should also be reflected in the accounts you maintain.

For remote employees, aka remote offices and WFH (work from home) sales types, you have a couple of options. If you are using a VPN you already have 2-factor auth in place for an emailed password: the login of the laptop and the login for the VPN. If you are using a single sign-on solution, then there is the shortcoming of end-user laziness :) However, pointing back at the SARBOX note, phone should be a viable option. Most or all cell phones use encryption.

Phone security is also a topic that is brought up as well. Can you verify that your local phone is secure? Do you have a PBX or VoIP system admin? What are the policies for this system? Has it been audited, etc.?

Anyway, I think and have practiced the email relay and voicemail relay, both with a "Call us to reset your password" type message, and we did not have any problems with this. It took about a week to get everyone switched over this way, est. 250 employees at a remote office.
Hope this helps and brings up some other interesting aspects of your great question.

Kind Regards,
Bill

====== HomeNet Security ===========
Bill Lavalette
Network Security Officer CCSA-CCSE
Crisis Mitigator
ID Theft Prevention Mentor
WWW http://www.homenet-security.com
====================================
Defending The Home LAN

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of pepsdiaz () gmail com
Sent: Thursday, January 03, 2008 4:09 AM
To: security-basics () securityfocus com
Subject: Password communication

Dear all,

We are trying to implement a password policy in our Organization and we have some doubts when distributing the password to all the employees. I would like to know which is the best way to communicate the new password when the user blocks/forgets his password.

1) We don't want to use an envelope because it takes a long time.
2) Telephone is insecure; how to authenticate the user?
3) Email is also insecure...
4) PKI... expensive?

Thanks to all in advance.
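The split-channel reset Bill describes (a temporary password relayed by voicemail, with the account only reset once the employee calls MIS and is verified as the person on file) can be modelled as a small service. The Python below is an added example for this thread, not code from the original post or from HomeNet Security; the class and function names, the employee directory, the phone numbers and the 24-hour ticket lifetime are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetTicket:
    """One pending reset: salted hash of the temporary password plus state flags."""
    user: str
    temp_hash: bytes
    salt: bytes
    created: float
    verified: bool = False   # set once the call-back identity check passes
    used: bool = False       # the temporary password is single-use


class SplitChannelReset:
    """Assumed model of the voicemail + call-back reset flow.

    Channel A: a temporary password is relayed to the employee (voicemail).
    Channel B: the employee calls MIS; the call is checked against the phone
    number on file before the temporary password can be redeemed.
    """

    TTL_SECONDS = 24 * 60 * 60   # assumed ticket lifetime

    def __init__(self, employee_directory, clock=time.time):
        # user -> phone number on file (the "complete and up to date" employee list)
        self.directory = employee_directory
        self.clock = clock
        self.tickets = {}

    @staticmethod
    def _hash(temp_password, salt):
        return hashlib.pbkdf2_hmac("sha256", temp_password.encode(), salt, 100_000)

    def _expired(self, ticket):
        return self.clock() - ticket.created > self.TTL_SECONDS

    def issue(self, user):
        """Create a ticket; the returned temporary password goes out on channel A."""
        if user not in self.directory:
            raise KeyError(f"unknown employee: {user}")
        temp_password = secrets.token_urlsafe(9)
        salt = os.urandom(16)
        self.tickets[user] = ResetTicket(user, self._hash(temp_password, salt), salt, self.clock())
        return temp_password

    def verify_callback(self, user, calling_number):
        """Channel B: mark the ticket verified only if the caller matches the directory."""
        ticket = self.tickets.get(user)
        if ticket is None or self._expired(ticket):
            return False
        if not hmac.compare_digest(calling_number.encode(), self.directory[user].encode()):
            return False
        ticket.verified = True
        return True

    def redeem(self, user, temp_password):
        """Accept the temporary password once: only after verification and before expiry."""
        ticket = self.tickets.get(user)
        if ticket is None or ticket.used or not ticket.verified or self._expired(ticket):
            return False
        if not hmac.compare_digest(self._hash(temp_password, ticket.salt), ticket.temp_hash):
            return False
        ticket.used = True
        return True


def run_demo():
    """Walk one employee through the flow; returns each step's outcome for checking."""
    directory = {"jdoe": "+1-555-0100"}          # constructed sample data
    clock = [1_000.0]                            # fake clock so expiry is testable
    service = SplitChannelReset(directory, clock=lambda: clock[0])

    temp_password = service.issue("jdoe")
    outcomes = {
        "redeem_before_callback": service.redeem("jdoe", temp_password),
        "callback_wrong_number": service.verify_callback("jdoe", "+1-555-0199"),
        "callback_right_number": service.verify_callback("jdoe", "+1-555-0100"),
        "redeem_wrong_password": service.redeem("jdoe", "not-the-password"),
        "redeem_right_password": service.redeem("jdoe", temp_password),
        "redeem_second_time": service.redeem("jdoe", temp_password),
    }

    # A ticket that sits past its lifetime is worthless to whoever later finds the voicemail.
    stale_password = service.issue("jdoe")
    service.verify_callback("jdoe", "+1-555-0100")
    clock[0] += SplitChannelReset.TTL_SECONDS + 1
    outcomes["redeem_after_expiry"] = service.redeem("jdoe", stale_password)
    return outcomes


if __name__ == "__main__":
    for step, ok in run_demo().items():
        print(f"{step:24s} -> {'accepted' if ok else 'rejected'}")
```

The point of the model is that neither channel alone is enough: a voicemail that is overheard yields a password that cannot be redeemed until someone calling from the number on file has verified, and a verified ticket still dies after its lifetime and after one use. It also shows why the "complete and up to date" employee list matters, since the call-back check is only as good as the directory it compares against.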