Security Basics mailing list archives

RE: Password communication


From: "Worrell, Brian" <BWorrell () isdh IN gov>
Date: Tue, 8 Jan 2008 08:56:32 -0500

If this is a new user, or a user that forgot their password, how can they access their email to get their new password?

Brian 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Serg B
Sent: Monday, January 07, 2008 5:06 PM
To: security-basics
Subject: Re: Password communication

Sending an OTP password over email should be fine. Like Gleb has mentioned, make sure to set the flag "change after login" 
to On and things should be relatively safe; of course, password complexity and history policy rules should also be in 
effect.

   Serg

On Jan 6, 2008 9:08 AM, Gleb Paharenko <gpaharenko () gmail com> wrote:
Hi.

From my experience, the best is single sign on (SSO) with smart card 
authentication. However, it is really expensive, especially when you 
have a lot of information systems.
Quite reasonable from my point of view is to reset the user's password to a 
new one with the flag "change after login" set and email it to the 
user. Mail encryption is easily implemented, at least with Lotus Notes. 
A password change history should be implemented, so that a password 
cannot be repeated.

2008/1/4, mgk.mailing <mgk.mailing () googlemail com>:

Hi

Regarding the PKI, I have been following OpenXPKI for a while and it 
has been progressing nicely. Admittedly, at the moment it is in 
development, but it's free and reasonably stable. They also have 
set up a live CD for you to try on the site. I haven't implemented 
it myself at the moment, but I would hope to review it again when it goes gold.

Hope that helps.


pepsdiaz () gmail com wrote:
Dear all,

We are trying to implement a password policy in our Organization and we have some doubts when distributing the 
password to all the employees. I would like to know which is the best way to communicate the new password when 
the user is blocked or forgot his password.

1) We don't want to use an envelope because it takes a long time.

2) Telephone is insecure; how to authenticate the user?

3) Email is also insecure...

4) PKI... expensive?

Thanks to all in advance.

--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
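The reset procedure that Gleb and Serg describe (issue a fresh temporary password, set the "change after login" flag, deliver it to the user, and keep a password history so nothing is repeated) is simple to model in code. The Python below is an added example, not code from the thread or from any product it mentions: it stores only PBKDF2 hashes, gives the mailed temporary password an expiry so a message that sits in a mailbox does not stay valid indefinitely, refuses normal logins until the user has changed it, and blocks reuse against the history window. The policy numbers, the account structure and the function names are assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Optional

# Policy parameters: constructed values for this example, not settings from the thread.
TEMP_PASSWORD_ALPHABET = string.ascii_letters + string.digits
TEMP_PASSWORD_LENGTH = 16
TEMP_PASSWORD_TTL_SECONDS = 24 * 3600   # a mailed temporary password dies if unused for a day
HISTORY_DEPTH = 10                      # how many previous passwords may not be reused
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000                 # kept modest so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: neither the current password nor the history is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))  # one salt per account: one hash covers the whole history check
    current_hash: Optional[bytes] = None
    history: list = field(default_factory=list)   # hashes of earlier passwords, newest last
    must_change: bool = False                      # the "change after login" flag from the thread
    temp_expires_at: Optional[float] = None        # set only while a temporary password is active


def is_complex(password: str) -> bool:
    """Complexity rule: minimum length and at least three of four character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def is_reused(account: Account, password: str) -> bool:
    """True if the candidate equals the current password or any password in the history window."""
    candidate = hash_password(password, account.salt)
    previous = list(account.history)
    if account.current_hash is not None:
        previous.append(account.current_hash)
    return any(hmac.compare_digest(candidate, h) for h in previous)


def issue_temporary_password(account: Account, now: Optional[float] = None) -> str:
    """Helpdesk reset: random temporary password, must-change flag set, short expiry.

    The plaintext is returned exactly once so the caller can deliver it (the thread
    suggests encrypted mail); only its hash is stored.
    """
    now = time.time() if now is None else now
    temp = "".join(secrets.choice(TEMP_PASSWORD_ALPHABET) for _ in range(TEMP_PASSWORD_LENGTH))
    if account.current_hash is not None:
        account.history.append(account.current_hash)   # the old real password may not come back
        del account.history[:-HISTORY_DEPTH]
    account.current_hash = hash_password(temp, account.salt)
    account.must_change = True
    account.temp_expires_at = now + TEMP_PASSWORD_TTL_SECONDS
    return temp


def authenticate(account: Account, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'must_change' (correct, but only a password change is allowed) or 'denied'."""
    now = time.time() if now is None else now
    if account.current_hash is None:
        return "denied"
    if not hmac.compare_digest(hash_password(password, account.salt), account.current_hash):
        return "denied"
    if account.temp_expires_at is not None and now > account.temp_expires_at:
        return "denied"            # expired temporary password: a new reset is required
    return "must_change" if account.must_change else "ok"


def change_password(account: Account, old: str, new: str, now: Optional[float] = None) -> tuple:
    """Enforce complexity and history, then clear the must-change flag. Returns (ok, reason)."""
    if authenticate(account, old, now) == "denied":
        return False, "current password rejected"
    if not is_complex(new):
        return False, "complexity policy not met"
    if is_reused(account, new):
        return False, "password reuse blocked by history"
    account.history.append(account.current_hash)
    del account.history[:-HISTORY_DEPTH]
    account.current_hash = hash_password(new, account.salt)
    account.must_change = False
    account.temp_expires_at = None
    return True, "changed"
```

The flow is: the helpdesk calls `issue_temporary_password` and sends the returned string to the user; `authenticate` then answers `must_change` for that string, so the application routes the user straight to `change_password` and nothing else; once the change succeeds the temporary password is dead (its hash sits in the history) and the expiry is cleared. The `now` parameter exists so the expiry logic can be tested without waiting a day.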

