Security Basics mailing list archives
RE: Password communication
From: "Petter Bruland" <pbruland () fcglv com>
Date: Thu, 3 Jan 2008 11:58:08 -0800
How big of a company are we talking about here?

Last time we had to have people change passwords outside the regular 90 days change, we divided the org into a few smaller groups, and walked around. Now we're only 188 here, so that's not hard, but if we're talking several sites and hundreds of employees, I don't see anything negative about using the phone.

Also the "Change password after login" isn't going to help this situation, as if the wrong person gets the temp password, he/she will just change that to something else upon login.

Wish we had the $$ for RSA or some two factor authentication, as that seems easier on the end users, rather than trying to explain why their password can't be "MONDAY" etc

-Petter

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
Sent: Thursday, January 03, 2008 10:06 AM
To: security-basics () securityfocus com
Subject: RE: Password communication

Good day,

I don't agree that the phone is insecure. If you set up the policy so it enforces the user to create a new password on first login then you can give the password over the phone and the user will change it right away.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of pepsdiaz () gmail com
Sent: Thursday, January 03, 2008 3:09 AM
To: security-basics () securityfocus com
Subject: Password communication

Dear all,

We are trying to implement a password policy in our Organization and we have some doubts when distributing the password to all the employees. I would like to know which is the best way to communicate the new password when the user block/forgot his password.

1) We don't want to use an envelope because it takes long time.
2) Telephone is insecure, how to authenticate the user?
3) email is also insecure...
4) PKI... expensive?

Thanks to all in advance.