Security Basics mailing list archives
Re: secure password communication
From: "Mitchell Rowton" <mrowton () securitypub com>
Date: Mon, 22 Dec 2008 14:57:57 -0500
Ron,

We've recently had to consider this same scenario. DoD regulations don't allow communicating authentication credentials in clear text. In the past, it was assumed that we could e-mail a password, so long as the username or system wasn't included in the e-mail. We had also sent PINs in postal mail, which allowed online retrieval of passwords. However, postal delivery was a large ongoing expense and we were told that e-mailing passwords isn't allowed anymore.

Our solution basically involved allowing the user to enter their own passwords at registration. We had to develop an entirely new system to allow this. Most accounts were web based but we also had to tie into AD for some.

Our largest problem was helping people who forgot their passwords. For this we implemented security questions and answers. For the very few scenarios where the person couldn't remember their passwords or security questions and answers then our helpdesk has the ability to override and allow them to set up a new password after they have manually verified the identity of the person (phone number, e-mail, etc. on file). In these cases the user would be sent an e-mail containing a one time hash that they click. On the landing page they had to enter information they got over the phone.

Hope this helps

--
Mitchell Rowton
http://www.securitypub.com/
Discover, share, and discuss information security news

On Mon, Dec 22, 2008 at 12:34 AM, <sfmailsbm () gmail com> wrote:
Dear List,

we need to communicate first-time application passwords to remote users; wanted to know what are the practices implemented out there to ensure that password is communicated in a secure, fast, cost-effective way

encrypted mails is not feasible for the time being, printing PIN Mailers and sending by post will be too lengthy

any ideas will be appreciated

many thanks,
Ron
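
The helpdesk override flow described in the reply above (an e-mailed one-time link plus information the user is given over the phone), sketched as an added example that is not part of the original post or the poster's system. The function names, the 15-minute lifetime, the six-digit phone code and the three-attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed validity window for the e-mailed link, in seconds
MAX_ATTEMPTS = 3      # assumed limit on wrong phone codes per link
_pending = {}         # sha256(token) -> record; stands in for a database table


def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


def issue_reset(user, now=None):
    """Helpdesk step, run only after the caller's identity was verified manually.

    Returns (token for the e-mailed link, code read to the user by phone).
    Only digests are stored, so a copy of the table does not yield a usable link.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                # 256-bit one-time value
    phone_code = f"{secrets.randbelow(10**6):06d}"   # second channel
    _pending[_digest(token)] = {
        "user": user,
        "code": _digest(token + phone_code),         # code is bound to this token
        "expires": now + TOKEN_TTL,
        "attempts": 0,
    }
    return token, phone_code


def redeem(token, phone_code, now=None):
    """Landing-page step: returns the user who may set a new password, or None."""
    now = time.time() if now is None else now
    key = _digest(token)
    rec = _pending.get(key)
    if rec is None:
        return None                                  # unknown or already used
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[key]                            # expired or locked out
        return None
    if not hmac.compare_digest(rec["code"], _digest(token + phone_code)):
        rec["attempts"] += 1                         # wrong phone code
        return None
    del _pending[key]                                # single use
    return rec["user"]
```

Neither channel alone is enough here: the mailbox holds only the token and the phone call conveys only the code, so intercepting the e-mail does not allow a password to be set.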