Security Basics mailing list archives

Re: secure password communication


From: "Shreyas Zare" <shreyas () technitium com>
Date: Tue, 23 Dec 2008 11:40:21 +0530

Hi Mitchell,

I just thought about the solution you wrote about. When I read it
first, it seemed that a social engineering attack would be easy in such
a case by someone who has just about basic info. An insider can reset
the passwords of anyone easily using it. And the help desk's ability to
override makes it look easy. So it's a risk that the company is taking,
or am I missing something?

On the main topic, the best possible way I can think of is to have a
digital certificate for all remote users, and then you can easily send
any secret using the public key in the cert. And the digital cert need not
be purchased; a company cert server would be enough. The only thing
is that you have to create the cert for the first time. Any other
way than this I feel is bound to be insecure. Again, it depends on what
you are trying to protect and the risks involved.

Just my 2 cents.

Regards,

On Tue, Dec 23, 2008 at 1:27 AM, Mitchell Rowton
<mrowton () securitypub com> wrote:

Ron,

We've recently had to consider this same scenario.  DoD regulations
don't allow communicating authentication credentials in clear text.
In the past, it was assumed that we could e-mail a password, so long
as the username or system wasn't included in the e-mail.  We had also
sent PINs in postal mail, which allowed online retrieval of passwords.
 However postal delivery was a large ongoing expense and we were told
that e-mailing passwords isn't allowed anymore.

Our solution basically involved allowing the user to enter their own
passwords at registration.  We had to develop an entirely new system
to allow this.  Most accounts were web based but we also had to tie
into AD for some.  Our largest problem was helping people who forgot
their passwords.  For this we implemented security questions and
answers.  For the very few scenarios where the person couldn't
remember their passwords or security questions and answers then our
helpdesk has the ability to override and allow them to set up a new
password after they have manually verified the identity of the person
(phone number, e-mail, etc on file).  In these cases the user would be
sent an e-mail containing a one time hash that they click.  On the
landing page they had to enter information they got over the phone.

Hope this helps

--
Mitchell Rowton
http://www.securitypub.com/
Discover, share, and discuss information security news
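The helpdesk override path Mitchell describes (a one-time link sent by e-mail, a second piece of information given over the phone, and the helpdesk issuing it only after checking the caller against details on file), as an added example in Python. This is not code from the original post or from any system it mentions. The 15-minute link lifetime, the three-guess cap on the phone code, the in-memory store and the PBKDF2 parameters are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of the e-mailed link
MAX_ATTEMPTS = 3              # assumed cap on phone-code guesses per link
PBKDF2_ROUNDS = 200_000       # assumed work factor for stored passwords


def _digest(value: str) -> str:
    """Store only a hash of each secret, so a leaked table yields no usable links."""
    return hashlib.sha256(value.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex:hashhex'."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + dk.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


class HelpdeskReset:
    """Override path: used only after the helpdesk has verified the caller
    against the phone number / e-mail on file."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # digest(link token) -> reset record
        self.passwords = {}  # username -> stored password hash

    def issue(self, username: str):
        """Returns (link_token, phone_code). The token is embedded in the
        e-mailed link; the code is read to the user over the phone. The
        e-mail alone (an intercepted inbox) or the call alone is useless."""
        link_token = secrets.token_urlsafe(32)
        phone_code = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[_digest(link_token)] = {
            "user": username,
            "phone_digest": _digest(phone_code),
            "expires": self.clock() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return link_token, phone_code

    def redeem(self, link_token: str, phone_code: str, new_password: str):
        """Landing-page handler. Returns (ok, reason)."""
        key = _digest(link_token)
        rec = self.pending.get(key)
        if rec is None:
            return False, "unknown or already used link"
        if self.clock() > rec["expires"]:
            del self.pending[key]
            return False, "link expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self.pending[key]          # burn the link rather than allow more guesses
            return False, "too many attempts; link revoked"
        if not hmac.compare_digest(_digest(phone_code), rec["phone_digest"]):
            return False, "phone code does not match"
        del self.pending[key]              # single use: the link dies on success
        self.passwords[rec["user"]] = hash_password(new_password)
        return True, "password set for " + rec["user"]


if __name__ == "__main__":
    svc = HelpdeskReset()
    token, code = svc.issue("ron")          # helpdesk side, after identity check
    print("link token (goes in the e-mail):", token)
    print("code (read over the phone):     ", code)
    print(svc.redeem(token, "00000000", "Tr0ub4dor&3"))   # wrong phone code
    print(svc.redeem(token, code, "Tr0ub4dor&3"))         # user sets password
    print(svc.redeem(token, code, "Tr0ub4dor&3"))         # link already used
    print(verify_password("Tr0ub4dor&3", svc.passwords["ron"]))
```

The point of keeping two channels is that neither the mailbox nor the phone call is enough on its own, and the link is both time-limited and single-use, so a forwarded or later-discovered e-mail cannot be replayed.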


On Mon, Dec 22, 2008 at 12:34 AM,  <sfmailsbm () gmail com> wrote:
Dear List,
we need to communicate first-time application passwords to remote users; we wanted to know what practices are
implemented out there to ensure that the password is communicated in a secure, fast, cost-effective way

encrypted mail is not feasible for the time being; printing PIN mailers and sending them by post will take too long

any ideas will be appreciated

many thanks,
Ron




--
("Relax, its only ONES and ZEROS !")

Shreyas Zare
Co-Founder, Technitium
eMail: shreyas () technitium com

..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam () technitium com

Join Sci-Tech News group and get the latest science & technology news
in your inbox. Visit http://tech.groups.yahoo.com/group/sci-tech-news
to join.
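Shreyas's suggestion above, sending the secret encrypted to the public key in the user's certificate, as an added example in Python using the third-party `cryptography` package. This is not code from the original post or from Technitium. The key pair generated in-process stands in for the key behind a certificate issued by the company's own cert server, and RSA-2048 with OAEP/SHA-256 is an assumed choice of parameters.

```python
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RSA-OAEP with SHA-256: assumed parameters. With a 2048-bit key this carries
# up to 190 bytes of plaintext, more than enough for a first-time password.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def enroll_user():
    """Stand-in for the one-time enrolment step: the user generates a key pair
    and the company CA issues a certificate for the public half. The private
    key stays with the user; the PEM public key is what the cert would carry."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, public_pem


def seal_password(public_pem: bytes, password: str) -> bytes:
    """Sender side: needs nothing but the recipient's public key, so the
    resulting ciphertext can travel over ordinary e-mail."""
    public_key = serialization.load_pem_public_key(public_pem)
    return public_key.encrypt(password.encode("utf-8"), OAEP)


def open_password(private_key, ciphertext: bytes):
    """Recipient side. Returns the password, or None if this key cannot open
    it (wrong recipient, or ciphertext altered in transit)."""
    try:
        return private_key.decrypt(ciphertext, OAEP).decode("utf-8")
    except ValueError:
        return None


if __name__ == "__main__":
    ron_key, ron_pub = enroll_user()
    other_key, _ = enroll_user()
    sealed = seal_password(ron_pub, "first-time-Pa55word")   # constructed sample
    print("bytes on the wire:", len(sealed), "(ciphertext only, no plaintext)")
    print("Ron decrypts:     ", open_password(ron_key, sealed))
    print("someone else:     ", open_password(other_key, sealed))
```

The one-time cost Shreyas mentions is the enrolment step: the user has to hold a private key before the first password can be sent this way, which is the same bootstrapping problem the thread is about, just moved to the certificate issuance.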

