Security Basics mailing list archives

Re: Password communication


From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Fri, 4 Jan 2008 00:30:32 -0800

pepsdiaz_gmail.com said (on 2008/01/03):
... I would like to know which is the best way to communicate the new password when the user block/forgot his password.

Here's what has been done in one environment I'm familiar with:

If a user forgets their computer account password, convey the new password
through voicemail (which requires a separate PIN to login). If the user
forgets their voicemail login, convey the new voicemail PIN via their
computer account (email might work, depending on your environment). If
the user forgets both, have them answer some predefined secret questions
and convey the new password to a trusted agent (a boss/manager, local IT
contact, anyone higher up the management chain) who knows the user and
can immediately convey the new password to them in a secure manner.

If that won't work for some reason, have a trusted agent (IT helpdesk or
somesuch) verify the user's identity via government-issued photo ID and
hand them a new password. (Obviously this requires both a trusted agent
and the user in close physical proximity.)

If none of that will work, you're left with little choice but to refuse a
password change or rely on something the user knows -- asking them secret
questions or setting their password to some combination of HR data that
only they are likely to know. 

Where you draw the line and what controls you put in place for each process
is up to you, but maybe it's a couple ideas to get you started. (And of
course as others have mentioned, force them to change their authentication
credentials the next time they successfully log in.)
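As an added illustration (not part of the original post or of any product it describes), the following Python sketch models the fallback order above and the forced change at next login: a channel is chosen only if the requester still holds the credential or person that protects it, the temporary password is random, hashed at rest, time-limited, and usable once before a new one must be set. The user-store layout, the hour-long validity and the channel names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Channels in the order the post lays them out: a channel is usable only while
# the requester still holds the credential (or person) that protects it.
def pick_channel(lost, has_trusted_agent=False, in_person=False):
    """lost: set of credentials the user no longer has ('computer', 'voicemail')."""
    if lost == {"computer"}:
        return "voicemail"          # protected by the separate voicemail PIN
    if lost == {"voicemail"}:
        return "email"              # protected by the computer account
    if has_trusted_agent:
        return "trusted_agent"      # secret questions, then manager/local IT
    if in_person:
        return "photo_id"           # helpdesk checks government-issued ID
    return "refuse"                 # or fall back to knowledge-only checks

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def issue_temporary_password(users, username, now, ttl_seconds=3600):
    """Create a random one-time password; hand it to the chosen channel, never log it."""
    temp = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    users[username] = {"salt": salt, "hash": _hash(temp, salt),
                       "must_change": True, "expires": now + ttl_seconds}
    return temp

def login(users, username, password, now):
    """Return 'denied', 'expired', 'must_change' or 'ok'."""
    rec = users.get(username)
    if rec is None or not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return "denied"
    if rec["must_change"]:
        return "expired" if now > rec["expires"] else "must_change"
    return "ok"

def change_password(users, username, old, new, now):
    """Only a successful login (temporary or regular) may set a new password."""
    if login(users, username, old, now) not in ("must_change", "ok"):
        return False
    salt = secrets.token_bytes(16)
    users[username] = {"salt": salt, "hash": _hash(new, salt),
                       "must_change": False, "expires": None}
    return True
```

Times are passed in as plain epoch seconds so the expiry path can be exercised without waiting.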
