Security Basics mailing list archives
Re: secure password communication
From: "John Jordan" <jwjordan () usa com>
Date: Tue, 23 Dec 2008 10:40:45 -0800
sfmailsbm () gmail com wrote:
Dear List, we need to communicate first-time application passwords to remote users. Wanted to know what are the practices implemented out there to ensure that the password is communicated in a secure, fast, cost-effective way. Encrypted mail is not feasible for the time being, and printing PIN mailers and sending by post will be too lengthy. Any ideas will be appreciated. Many thanks, Ron
Ron;

This problem can be broken down into two basic issues:

1. Authentication: since the application admin doesn't know the user from Adam (or Eve), you need some way to be sure the person you are giving the temporary password to is who you want to give it to. This can be done via email, since that individual should be the only one able to get to his/her company email account. The same could be said for voicemail, but we all know how easy that is to hack (sigh). Send them a short hash along with your phone # as previously posted. In the case of a new hire, you need a trusted third party. The most logical is the user's supervisor/manager.

2. Confidentiality of the temporary and new passwords: if the user is forced to immediately change his/her password to one only they know, the short-duration exposure of the temporary password provided by the admin (on the phone, for example) is acceptable.

Good luck.

John W. Jordan (JJ)
Network and Security Specialist
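The two steps in the reply above, sketched as an added example that is not part of the original post: a short hash e-mailed to the user and read back on the phone, then a temporary password that expires and must be changed at first login. The HMAC construction, the read-back step, the nonce, the 15-minute lifetime and the 12-character minimum are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # assumption: secret held only by the admin tool
TEMP_TTL = 15 * 60                     # assumption: temp password lives 15 minutes
MIN_LEN = 12                           # assumption: minimum length of the new password

def short_code(email: str, nonce: str) -> str:
    """Short hash e-mailed to the user's company mailbox (8 hex chars)."""
    mac = hmac.new(SERVER_KEY, f"{email}|{nonce}".encode(), hashlib.sha256)
    return mac.hexdigest()[:8]

def verify_caller(email: str, nonce: str, spoken: str) -> bool:
    """Caller reads the code back on the phone; compare in constant time."""
    expected = short_code(email, nonce).encode()
    return hmac.compare_digest(expected, spoken.strip().lower().encode())

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def issue_temp_password(now=None):
    """Return (temp password to read over the phone, record to store)."""
    now = time.time() if now is None else now
    temp, salt = secrets.token_urlsafe(9), secrets.token_bytes(16)
    return temp, {"salt": salt, "hash": _kdf(temp, salt),
                  "expires": now + TEMP_TTL, "must_change": True}

def first_login(record, supplied, new_password, now=None) -> str:
    """Accept the temp password once, and only with an immediate change."""
    now = time.time() if now is None else now
    if not record["must_change"]:
        return "denied"                # temp password was already used
    if now > record["expires"]:
        return "expired"
    if not hmac.compare_digest(_kdf(supplied, record["salt"]), record["hash"]):
        return "denied"
    if new_password == supplied or len(new_password) < MIN_LEN:
        return "rejected-new-password"
    salt = secrets.token_bytes(16)
    record.update(salt=salt, hash=_kdf(new_password, salt),
                  expires=None, must_change=False)
    return "ok"
```

Only the salted hash of the temporary password is stored, so the value spoken on the phone is useless once the user has set a password of their own or the lifetime has passed.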