Security Basics mailing list archives
RE: Password communication
From: "Ronny Roethof" <ronny () lls-ix nl>
Date: Fri, 4 Jan 2008 01:01:46 +0100
The problem of the OP was not that the company might know the password like in your described situation, but to verify the authenticity of the caller who claims to be the owner of the account.

--
Ronny Roethof

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nikhil Wagholikar
Sent: Thursday, 3 January 2008 20:36
To: security-basics () securityfocus com
Subject: Re: Password communication

Hello Pepsdiaz,

I too agree with Nick Vaernhoej. While resetting the password, make sure you also enable the option "User must change password at next logon". Then communicate the password over phone or in person. As soon as the user logs (login) on for the first time with the previously communicated password, he'll be forced to change the password of his account then and there itself.

---
Nikhil Wagholikar
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com
Security Products: http://www.niiconsulting.com/products.html

On 3 Jan 2008 09:09:18 -0000, <pepsdiaz () gmail com> wrote:
Dear all,

We are trying to implement a password policy in our Organization and we have some doubts when distributing the password to all the employees. I would like to know which is the best way to communicate the new password when the user blocks/forgets his password.

1) We don't want to use an envelope because it takes a long time.
2) Telephone is insecure, how to authenticate the user?
3) email is also insecure...
4) PKI... expensive?

Thanks to all in advance.