RE: Password communication

["Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>]

Good day,

I don't agree that the phone is insecure.
If you set up the policy so it enforces the user to create a new password on first login then you can give the password 
over the phone and the user will change it right away.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of pepsdiaz () gmail com
Sent: Thursday, January 03, 2008 3:09 AM
To: security-basics () securityfocus com
Subject: Password communication

Dear all,



We are trying to implement a password policy in our Organization and we have some doubts when distributing the password 
to all the employees. I would like to know which is the best way to communicate the new password when the user 
block/forgot his password.



1) We don´t want to use an envelope because it takes long time.



2) Telephone is insecure, how to authenticate the user?



3) email is also insecure...



4) PKI... expensive?



Thanks to all in advance.


This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged, 
confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby 
notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in 
reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please 
notify the sender that this message was received in error and then delete this message.
Thank you.