Security Basics mailing list archives
Re: secure password communication
From: "Shreyas Zare" <shreyas () technitium com>
Date: Tue, 23 Dec 2008 11:40:21 +0530
Hi Mitchell,

I just thought about the solution you wrote about. When I first read it, it seemed that a social engineering attack would be easy in such a case by someone who has just about basic info. An insider can reset passwords of anyone easily using it. And the help desk having the ability to override makes it look easy. So it's a risk that the company is taking, or am I missing something?

On the main topic, the best possible way I can think of is to have a digital certificate for all remote users, and then you can easily send any secret using the public key in the cert. And the digital cert need not be purchased; a company cert server would be enough. The only thing is that you have to create the cert for the first time. Any other way than this I feel is bound to be insecure. Again, it depends on what you are trying to protect and the risks involved.

Just my 2 cents.

Regards,

On Tue, Dec 23, 2008 at 1:27 AM, Mitchell Rowton <mrowton () securitypub com> wrote:

> Ron,
>
> We've recently had to consider this same scenario. DoD regulations don't allow communicating authentication credentials in clear text. In the past, it was assumed that we could e-mail a password, so long as the username or system wasn't included in the e-mail. We had also sent PINs in postal mail, which allowed online retrieval of passwords. However, postal delivery was a large ongoing expense and we were told that e-mailing passwords isn't allowed anymore.
>
> Our solution basically involved allowing the user to enter their own passwords at registration. We had to develop an entirely new system to allow this. Most accounts were web based but we also had to tie into AD for some.
>
> Our largest problem was helping people who forgot their passwords. For this we implemented security questions and answers. For the very few scenarios where the person couldn't remember their passwords or security questions and answers, our helpdesk has the ability to override and allow them to set up a new password after they have manually verified the identity of the person (phone number, e-mail, etc. on file). In these cases the user would be sent an e-mail containing a one time hash that they click. On the landing page they had to enter information they got over the phone.
>
> Hope this helps
>
> --
> Mitchell Rowton
> http://www.securitypub.com/
> Discover, share, and discuss information security news
>
> On Mon, Dec 22, 2008 at 12:34 AM, <sfmailsbm () gmail com> wrote:
>
>> Dear List,
>>
>> we need to communicate first-time application passwords to remote users; wanted to know what are the practices implemented out there to ensure that the password is communicated in a secure, fast, cost-effective way. Encrypted mails are not feasible for the time being; printing PIN mailers and sending them by post will be too lengthy.
>>
>> Any ideas will be appreciated.
>>
>> Many thanks,
>> Ron
--
("Relax, its only ONES and ZEROS !")

Shreyas Zare
Co-Founder, Technitium
eMail: shreyas () technitium com

..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam () technitium com

Join Sci-Tech News group and get the latest science & technology news in your inbox.
Visit http://tech.groups.yahoo.com/group/sci-tech-news to join.
Current thread:
- secure password communication sfmailsbm (Dec 22)
- Re: secure password communication adeel hussain (Dec 22)
- Re: secure password communication Ansgar Wiechers (Dec 22)
- Re: secure password communication Stephen Thornber (Dec 22)
- Re: secure password communication James Lawrie (Dec 22)
- Re: secure password communication Mitchell Rowton (Dec 22)
- Re: secure password communication Shreyas Zare (Dec 23)
- Re: secure password communication Andre Pawlowski (Dec 23)
- <Possible follow-ups>
- Re: secure password communication dan . crowley (Dec 22)
- Re: secure password communication John Jordan (Dec 23)
- Re: secure password communication dan . crowley (Dec 23)