Security Basics mailing list archives
RE: Password communication
From: "Worrell, Brian" <BWorrell () isdh IN gov>
Date: Tue, 8 Jan 2008 08:56:32 -0500
If this is a new user, or a user that forgot their password, how can they access their email to get their new password?

Brian

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Serg B
Sent: Monday, January 07, 2008 5:06 PM
To: security-basics
Subject: Re: Password communication

Sending an OTP password over email should be fine. Like Gleb has mentioned, make sure to set the "change after login" flag to On and things should be relatively safe; of course password complexity and history policy rules should also be in effect.

Serg

On Jan 6, 2008 9:08 AM, Gleb Paharenko <gpaharenko () gmail com> wrote:
Hi. From my experience, the best is single sign-on (SSO) with smart card authentication. However, it is really expensive, especially when you have a lot of information systems. Quite reasonable from my point of view is to reset the user's password to a new one with the "change after login" flag set and email it to the user. Mail encryption is easily implemented, at least with Lotus Notes. There should be a password change history implemented, so the password could not be repeated.

2008/1/4, mgk.mailing <mgk.mailing () googlemail com>:

Hi

Regarding the PKI, I have been following OpenXPKI for a while and it has been progressing nicely. Admittedly, at the moment it is in development, but it's free and reasonably stable. They also have set up a live CD for you to try on the site. I haven't implemented it myself at the moment, but I would hope to review it again when it goes gold. Hope that helps.

pepsdiaz () gmail com wrote:

Dear all,

We are trying to implement a password policy in our organization and we have some doubts when distributing the password to all the employees. I would like to know which is the best way to communicate the new password when the user blocks/forgets his password.

1) We don't want to use an envelope because it takes a long time.
2) Telephone is insecure; how do we authenticate the user?
3) Email is also insecure...
4) PKI... expensive?

Thanks to all in advance.

--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
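The reset flow Gleb and Serg describe (a random temporary password, the "change after login" flag, a password-history check so the old value cannot be reused) can be sketched as a small account-management routine. The following Python is an added example written for this archive page; it is not code from any poster or product in the thread. The in-memory `Account` class, the one-hour expiry on the temporary password, the five-entry history depth and the minimum length are all assumptions chosen for illustration; a real deployment would enforce these in the directory or identity system and deliver the temporary value through whatever channel the organisation trusts.

```python
import hashlib
import hmac
import os
import secrets

# Assumed policy values for this example (not from the thread).
OTP_TTL_SECONDS = 3600      # temporary password is only honoured for one hour
HISTORY_DEPTH = 5           # refuse reuse of the last five passwords
MIN_LENGTH = 12             # minimal stand-in for a complexity policy


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only digests are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Constructed in-memory account record standing in for a directory entry."""

    def __init__(self, username: str):
        self.username = username
        self.salt = os.urandom(16)
        self.password_hash = None
        self.must_change = False          # the "change after login" flag
        self.temp_expires_at = None       # set only while a temporary password is live
        self.history = []                 # (salt, digest) pairs of previous passwords

    def matches(self, password: str, salt: bytes, digest: bytes) -> bool:
        return hmac.compare_digest(_hash(password, salt), digest)


def reset_password(account: Account, now: float) -> str:
    """Issue a random one-time temporary password and flag the account.

    Returns the clear-text value to hand to the user out of band; the account
    keeps only its salted hash, the must-change flag and an expiry time.
    """
    temp = secrets.token_urlsafe(12)
    account.salt = os.urandom(16)
    account.password_hash = _hash(temp, account.salt)
    account.must_change = True
    account.temp_expires_at = now + OTP_TTL_SECONDS
    return temp


def login(account: Account, password: str, now: float) -> str:
    """Return 'ok', 'change_required' or 'denied'."""
    if account.password_hash is None or not account.matches(
        password, account.salt, account.password_hash
    ):
        return "denied"
    if account.must_change:
        if now > account.temp_expires_at:
            return "denied"               # temporary password has expired
        return "change_required"          # valid, but a new password must be set first
    return "ok"


def change_password(account: Account, old: str, new: str, now: float) -> bool:
    """Replace the password, enforcing length and the history rule."""
    if login(account, old, now) == "denied":
        return False
    if len(new) < MIN_LENGTH:
        return False
    # History check covers the current password (including a temporary one)
    # plus the last HISTORY_DEPTH entries, so none of them can be reused.
    for salt, digest in account.history + [(account.salt, account.password_hash)]:
        if account.matches(new, salt, digest):
            return False
    account.history.append((account.salt, account.password_hash))
    account.history = account.history[-HISTORY_DEPTH:]
    account.salt = os.urandom(16)
    account.password_hash = _hash(new, account.salt)
    account.must_change = False
    account.temp_expires_at = None
    return True
```

The temporary password is single-use in effect: once set, the only successful path is `change_password`, which clears the flag and moves the temporary hash into the history so it cannot become the permanent password. Note that this does not address Brian's question about users who cannot yet read their mailbox; that remains a channel choice outside the code.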