Security Basics mailing list archives
RE: Password communication
From: "Worrell, Brian" <BWorrell () isdh IN gov>
Date: Fri, 4 Jan 2008 12:24:24 -0500
The last company I worked for rolled out a password self service application, and what we did was set up a webpage. The new employee during orientation was required to log in via that webpage and set up everything. We gave them the username and then the PIN to this software. The upside was the PIN was hand delivered and they had to be on the "inside" network to access this site. Once they completed it all, which did require some fields and questions to be answered by the end user, they set up their password.

Downside was we had lots of Citrix only devices, so later on we had to publish the app on the Wyse devices for users to go to when they forgot their password. After all this was done, I do not think we had anyone call due to a forgotten password again.

As for voicemail, that's a whole other issue.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of MaddHatter
Sent: Friday, January 04, 2008 3:31 AM
To: pepsdiaz () gmail com
Cc: security-basics () securityfocus com
Subject: Re: Password communication

pepsdiaz_gmail.com said (on 2008/01/03):
> ... I would like to know which is the best way to communicate the new
> password when the user blocks/forgets his password.

Here's what has been done in one environment I'm familiar with:

If a user forgets their computer account password, convey the new password through voicemail (which requires a separate PIN to login).

If the user forgets their voicemail login, convey the new voicemail PIN via their computer account (email might work, depending on your environment).

If the user forgets both, have them answer some predefined secret questions and convey the new password to a trusted agent (a boss/manager, local IT contact, anyone higher up the management chain) who knows the user and can immediately convey the new password to them in a secure manner.

If that won't work for some reason, have a trusted agent (IT helpdesk or somesuch) verify the user's identity via government-issued photo ID and hand them a new password. (Obviously this requires both a trusted agent and the user in close physical proximity.)

If none of that will work, you're left with little choice but to refuse a password change or rely on something the user knows -- asking them secret questions or setting their password to some combination of HR data that only they are likely to know.

Where you draw the line and what controls you put in place for each process is up to you, but maybe it's a couple ideas to get you started. (And of course as others have mentioned, force them to change their authentication credentials the next time they successfully log in.)
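The fallback chain MaddHatter describes (voicemail if only the computer password is lost, the computer account if only voicemail is lost, secret questions plus a trusted agent or photo ID when both are lost) and the closing advice to force a credential change at next login can be put into code. The following is an added illustration written for this archive page, not code from either poster or from any product they mention; `choose_channel`, `ResetService`, `Account` and the 24-hour lifetime are hypothetical names and values chosen here. Passwords are kept in clear text only to keep the toy short; a real directory would store hashes.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits


def choose_channel(forgot_computer, forgot_voicemail,
                   trusted_agent_available=False, in_person_possible=False):
    """Pick the delivery channel for a reset credential, in the post's fallback order."""
    if not forgot_computer and not forgot_voicemail:
        raise ValueError("nothing to reset")
    if forgot_computer and not forgot_voicemail:
        return "voicemail"                 # still protected by the separate voicemail PIN
    if forgot_voicemail and not forgot_computer:
        return "computer_account"          # e.g. e-mail, still behind the account password
    # Both lost: secret questions first, then a human who knows the user.
    if trusted_agent_available:
        return "secret_questions_then_trusted_agent"
    if in_person_possible:
        return "in_person_photo_id"
    return "secret_questions_only"         # last resort, or refuse the reset


@dataclass
class TemporaryCredential:
    username: str
    channel: str
    secret: str
    expires_at: float   # unix timestamp
    used: bool = False


@dataclass
class Account:
    username: str
    password: str
    must_change_password: bool = False


class ResetService:
    """Hypothetical helpdesk store: one-time temporary passwords, change forced at next login."""

    def __init__(self, accounts, ttl_seconds=24 * 3600, length=12):
        self.accounts = {a.username: a for a in accounts}
        self.pending = {}
        self.ttl_seconds = ttl_seconds
        self.length = length

    def issue(self, username, channel, now=None):
        """Generate a random temporary password to hand over on the chosen channel."""
        now = time.time() if now is None else now
        secret = "".join(secrets.choice(ALPHABET) for _ in range(self.length))
        cred = TemporaryCredential(username, channel, secret, now + self.ttl_seconds)
        self.pending[username] = cred      # any earlier unused credential is superseded
        return cred

    def redeem(self, username, presented, now=None):
        """Accept the temporary password once, within its lifetime, and flag the account."""
        now = time.time() if now is None else now
        cred = self.pending.get(username)
        if cred is None or cred.used or now > cred.expires_at:
            return False
        if not hmac.compare_digest(cred.secret, presented):
            return False
        cred.used = True
        acct = self.accounts[username]
        acct.password = presented
        acct.must_change_password = True   # the "change at next successful login" rule
        return True

    def login(self, username, password):
        """Return 'denied', 'must_change' or 'ok'."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password, password):
            return "denied"
        return "must_change" if acct.must_change_password else "ok"

    def set_new_password(self, username, old, new):
        """Complete the forced change; clears the flag only after the old credential is proven."""
        if self.login(username, old) == "denied":
            return False
        acct = self.accounts[username]
        acct.password = new
        acct.must_change_password = False
        return True


if __name__ == "__main__":
    svc = ResetService([Account("alice", "forgotten-pw")])       # constructed sample account
    channel = choose_channel(forgot_computer=True, forgot_voicemail=False)
    cred = svc.issue("alice", channel)
    print("deliver via", channel, "temporary password", cred.secret)
    assert svc.redeem("alice", cred.secret)
    print(svc.login("alice", cred.secret))                        # must_change
```

The temporary secret is compared with `hmac.compare_digest`, is single-use, and expires, so a credential left on a voicemail or with a manager for too long stops working on its own; the account stays in `must_change` until the user proves the temporary value and picks a new one.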