Security Basics mailing list archives

Re: secure password communication


From: "Mitchell Rowton" <mrowton () securitypub com>
Date: Mon, 22 Dec 2008 14:57:57 -0500

Ron,

We've recently had to consider this same scenario.  DoD regulations
don't allow communicating authentication credentials in clear text.
In the past, it was assumed that we could e-mail a password, so long
as the username or system wasn't included in the e-mail.  We had also
sent PINs in postal mail, which allowed online retrieval of passwords.
However postal delivery was a large ongoing expense and we were told
that e-mailing passwords isn't allowed anymore.

Our solution basically involved allowing the user to enter their own
passwords at registration.  We had to develop an entirely new system
to allow this.  Most accounts were web based but we also had to tie
into AD for some.  Our largest problem was helping people who forgot
their passwords.  For this we implemented security questions and
answers.  For the very few scenarios where the person couldn't
remember their passwords or security questions and answers, our
helpdesk has the ability to override and allow them to set up a new
password after they have manually verified the identity of the person
(phone number, e-mail, etc on file).  In these cases the user would be
sent an e-mail containing a one time hash that they click.  On the
landing page they had to enter information they got over the phone.

Hope this helps

--
Mitchell Rowton
http://www.securitypub.com/
Discover, share, and discuss information security news
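A sketch of the helpdesk-override flow described in the reply above (an e-mailed one-time link plus a code given over the phone), added here as an example and not code from the original post or from securitypub: issue_reset, redeem_reset, the in-memory store and the TTL and attempt limits are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store standing in for a server-side table, keyed by
# the SHA-256 of the e-mailed token so a leaked copy yields no working link.
_pending = {}
MAX_ATTEMPTS = 3


def _h(value):
    return hashlib.sha256(value.encode()).hexdigest()


def issue_reset(user, now=None, ttl=3600):
    """Helpdesk step, run only after identity was verified by phone.

    Returns (email_token, phone_code): the token goes in the e-mailed link,
    the code is read to the user over the phone. Either alone is useless.
    """
    now = time.time() if now is None else now
    email_token = secrets.token_urlsafe(32)
    phone_code = f"{secrets.randbelow(10**8):08d}"
    _pending[_h(email_token)] = {"user": user, "code_hash": _h(phone_code),
                                 "expires": now + ttl, "attempts": 0}
    return email_token, phone_code


def redeem_reset(email_token, phone_code, now=None):
    """Landing-page step: returns the user on success, otherwise None.

    The token is single use, expires after ttl, and is burned after
    MAX_ATTEMPTS wrong codes so the phone code cannot be guessed online.
    """
    now = time.time() if now is None else now
    key = _h(email_token)
    rec = _pending.get(key)
    if rec is None or now > rec["expires"]:
        _pending.pop(key, None)
        return None
    if not hmac.compare_digest(rec["code_hash"], _h(phone_code)):
        rec["attempts"] += 1
        if rec["attempts"] >= MAX_ATTEMPTS:
            del _pending[key]
        return None
    del _pending[key]  # single use: a replayed link no longer works
    return rec["user"]
```

Only hashes of both secrets are kept server-side, and the `now` parameter exists so the expiry path can be exercised without waiting.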


On Mon, Dec 22, 2008 at 12:34 AM, <sfmailsbm () gmail com> wrote:
Dear List,
we need to communicate first-time application passwords to remote users; we wanted to know what practices are
implemented out there to ensure that the password is communicated in a secure, fast, cost-effective way

encrypted mail is not feasible for the time being, printing PIN mailers and sending them by post will be too lengthy

any ideas will be appreciated

many thanks,
Ron


