Security Basics mailing list archives
Re: Password communication
From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Fri, 4 Jan 2008 00:30:32 -0800
pepsdiaz_gmail.com said (on 2008/01/03):

> ... I would like to know which is the best way to communicate the new password when the user block/forgot his password.
Here's what has been done in one environment I'm familiar with:

If a user forgets their computer account password, convey the new password through voicemail (which requires a separate PIN to login). If the user forgets their voicemail login, convey the new voicemail PIN via their computer account (email might work, depending on your environment).

If the user forgets both, have them answer some predefined secret questions and convey the new password to a trusted agent (a boss/manager, local IT contact, anyone higher up the management chain) who knows the user and can immediately convey the new password to them in a secure manner.

If that won't work for some reason, have a trusted agent (IT helpdesk or somesuch) verify the user's identity via government-issued photo ID and hand them a new password. (Obviously this requires both a trusted agent and the user in close physical proximity.)

If none of that will work, you're left with little choice but to refuse a password change or rely on something the user knows -- asking them secret questions or setting their password to some combination of HR data that only they are likely to know.

Where you draw the line and what controls you put in place for each process is up to you, but maybe it's a couple of ideas to get you started. (And of course, as others have mentioned, force them to change their authentication credentials the next time they successfully log in.)
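The fallback chain above, as an added example that is not part of the original post or of any product: a small Python model that picks the delivery channel in the order MaddHatter describes (out-of-band system first, then secret questions plus a trusted agent, then in-person photo ID, then knowledge-only, otherwise refuse), issues a short-lived temporary credential, and enforces the change-at-next-login rule. `ResetRequest`, `TempCredential`, the field names, the one-hour TTL and the 16-character temporary secret are all assumptions for illustration.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical record of what the help desk has established about the requester.
@dataclass
class ResetRequest:
    username: str
    target: str                                # "computer" or "voicemail": the credential being reset
    voicemail_usable: bool = False             # user can still log in to voicemail with their PIN
    computer_usable: bool = False              # user can still log in to their computer account / email
    secret_questions_passed: bool = False      # predefined secret questions answered correctly
    trusted_agent: Optional[str] = None        # manager / local IT contact who knows the user
    photo_id_checked_by: Optional[str] = None  # help desk staff who checked government-issued photo ID


def choose_channel(req: ResetRequest) -> Optional[str]:
    """Pick the delivery channel in the order the post gives, strongest first.
    Returns None when no acceptable channel remains, i.e. the reset is refused."""
    # Out-of-band first: deliver through the *other* system the user can still reach.
    if req.target == "computer" and req.voicemail_usable:
        return "voicemail"
    if req.target == "voicemail" and req.computer_usable:
        return "computer-account"
    # Both lost: secret questions plus a trusted person who knows the user and hands it over.
    if req.secret_questions_passed and req.trusted_agent:
        return "trusted-agent:" + req.trusted_agent
    # In-person handover after a photo ID check by a trusted agent.
    if req.photo_id_checked_by:
        return "in-person:" + req.photo_id_checked_by
    # Last resort: something only the user knows. The weakest option in the post.
    if req.secret_questions_passed:
        return "knowledge-based"
    return None


@dataclass
class TempCredential:
    username: str
    secret: str
    channel: str          # recorded for the audit trail: how the secret was conveyed
    issued_at: float
    ttl_seconds: int
    used: bool = False
    must_change: bool = True  # forces a new password at the first successful login


def issue_temp_credential(req: ResetRequest, now: Optional[float] = None,
                          ttl_seconds: int = 3600, length: int = 16) -> TempCredential:
    """Refuse when no channel qualifies; otherwise mint a random, short-lived temporary secret."""
    channel = choose_channel(req)
    if channel is None:
        raise PermissionError("no acceptable delivery channel; refuse the reset")
    alphabet = string.ascii_letters + string.digits
    secret = "".join(secrets.choice(alphabet) for _ in range(length))  # CSPRNG, not random.choice
    issued_at = time.time() if now is None else now
    return TempCredential(req.username, secret, channel, issued_at, ttl_seconds)


def first_login(cred: TempCredential, presented: str, now: Optional[float] = None) -> str:
    """Validate a temporary credential at login. Returns one of
    'already_used', 'expired', 'rejected' or 'must_change'; the caller must not
    grant a normal session on 'must_change' until a new password has been set."""
    now = time.time() if now is None else now
    if cred.used:
        return "already_used"              # single use: a conveyed secret is only good once
    if now > cred.issued_at + cred.ttl_seconds:
        return "expired"
    if not secrets.compare_digest(cred.secret, presented):
        return "rejected"                  # constant-time comparison
    cred.used = True
    return "must_change" if cred.must_change else "ok"


if __name__ == "__main__":
    req = ResetRequest("alice", "computer", voicemail_usable=True)  # constructed sample request
    cred = issue_temp_credential(req)
    print(cred.channel, first_login(cred, cred.secret))
```

The channel string is kept on the credential so that the reset log records which of the post's tiers was used for each user; a help desk reviewing a run of "knowledge-based" resets has a concrete signal that the weaker path is being leaned on too often.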