Security Basics mailing list archives

RE: Password communication


From: "Worrell, Brian" <BWorrell () isdh IN gov>
Date: Fri, 4 Jan 2008 12:24:24 -0500

The last company I worked for rolled out a password self-service
application, and what we did was set up a webpage.  The new employee
during orientation was required to log in via that webpage and set up
everything.  We gave them the username and then the PIN to this
software.  The upside was the PIN was hand delivered and they had to be
on the "inside" network to access this site.  Once they completed it
all, which did require some fields and questions to be answered by the
end user, they set up their password.

Downside was we had lots of Citrix-only devices, so later on we had to
publish the app on the Wyse devices for users to go to when they forgot
their password.

After all this was done, I do not think we had anyone call due to a
forgotten password again.

As for voicemail, that's a whole other issue.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of MaddHatter
Sent: Friday, January 04, 2008 3:31 AM
To: pepsdiaz () gmail com
Cc: security-basics () securityfocus com
Subject: Re: Password communication

pepsdiaz_gmail.com said (on 2008/01/03):
... I would like to know which is the best way to communicate the new
password when the user blocks/forgets his password.


Here's what has been done in one environment I'm familiar with:

If a user forgets their computer account password, convey the new
password through voicemail (which requires a separate PIN to login). If
the user forgets their voicemail login, convey the new voicemail PIN via
their computer account (email might work, depending on your
environment). If the user forgets both, have them answer some predefined
secret questions and convey the new password to a trusted agent (a
boss/manager, local IT contact, anyone higher up the management chain)
who knows the user and can immediately convey the new password to them
in a secure manner.

If that won't work for some reason, have a trusted agent (IT helpdesk or
somesuch) verify the user's identity via government-issued photo ID and
hand them a new password. (Obviously this requires both a trusted agent
and the user in close physical proximity.)

If none of that will work, you're left with little choice but to refuse
a password change or rely on something the user knows -- asking them
secret questions or setting their password to some combination of HR
data that only they are likely to know.

Where you draw the line and what controls you put in place for each
process is up to you, but maybe it's a couple of ideas to get you started.
(And of course as others have mentioned, force them to change their
authentication credentials the next time they successfully log in.)
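A worked example of the controls the two replies above describe, added here as illustration and not code from either poster or from any product named in the thread: the helpdesk issues a random temporary password (the value a trusted agent conveys out of band), the system stores only a salted hash of it, the temporary value expires after a short window, it works exactly once, and the login that consumes it is allowed to do nothing except set a new password, which may not be the temporary value itself. The self-service enrolment step mirrors the orientation setup in the first reply. The class and method names, the 15-minute lifetime, the 12-character minimum and the PBKDF2 work factor are all assumptions; the in-memory dict stands in for a directory or IdM backend.

```python
"""Temporary-credential issuance for a helpdesk password reset (added example)."""
import hashlib
import hmac
import os
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits
TEMP_LEN = 12          # assumed: ~71 bits of entropy, still readable over a phone
TEMP_TTL = 15 * 60     # assumed: temporary password lives 15 minutes
MIN_LEN = 12           # assumed minimum length for the user-chosen password
ITERATIONS = 100_000   # assumed PBKDF2 work factor; tune for your hardware
DUMMY_SALT = b"\x00" * 16


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


class Account:
    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = None          # hash of the user-chosen password
        self.temp_hash = None        # hash of an outstanding temporary password
        self.temp_expires = 0.0
        self.last_temp_hash = None   # kept so the temp value cannot become the new password
        self.change_allowed = False  # set only by a successful temp login


class ResetStore:
    """In-memory stand-in for the directory backend (assumption)."""

    def __init__(self, now=time.time) -> None:
        self.accounts = {}
        self.now = now  # injectable clock so expiry can be exercised

    def enroll(self, user: str, password: str) -> bool:
        """Self-service setup at orientation: the user picks the first password."""
        if user in self.accounts:
            return False  # existing accounts are reset only via the helpdesk path
        acct = Account()
        if not self._set_password(acct, password):
            return False
        self.accounts[user] = acct
        return True

    def issue_temp_password(self, user: str) -> str:
        """Helpdesk path. Returns the value the trusted agent conveys out of
        band (voicemail, manager, in person); the store keeps only a hash."""
        acct = self.accounts.setdefault(user, Account())
        temp = "".join(secrets.choice(ALPHABET) for _ in range(TEMP_LEN))
        acct.salt = os.urandom(16)
        acct.temp_hash = _hash(temp, acct.salt)
        acct.temp_expires = self.now() + TEMP_TTL
        acct.pw_hash = None          # the forgotten/compromised password dies here
        acct.change_allowed = False
        return temp

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'must_change', 'expired' or 'denied'."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, DUMMY_SALT)          # keep timing flat for unknown users
            return "denied"
        candidate = _hash(password, acct.salt)
        if acct.temp_hash is not None:
            if self.now() > acct.temp_expires:
                acct.temp_hash = None            # a stale temp is dead, not retried
                return "expired"
            if hmac.compare_digest(candidate, acct.temp_hash):
                acct.last_temp_hash = acct.temp_hash
                acct.temp_hash = None            # single use
                acct.change_allowed = True       # this session may only set a new password
                return "must_change"
            return "denied"
        if acct.pw_hash is not None and hmac.compare_digest(candidate, acct.pw_hash):
            return "ok"
        return "denied"

    def change_password(self, user: str, new_password: str) -> bool:
        """Allowed only right after a temp login; rejects reuse of the temp value."""
        acct = self.accounts.get(user)
        if acct is None or not acct.change_allowed:
            return False
        if acct.last_temp_hash is not None and hmac.compare_digest(
                _hash(new_password, acct.salt), acct.last_temp_hash):
            return False
        return self._set_password(acct, new_password)

    def _set_password(self, acct: Account, password: str) -> bool:
        if len(password) < MIN_LEN:
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(password, acct.salt)
        acct.temp_hash = None
        acct.last_temp_hash = None
        acct.change_allowed = False
        return True
```

The point worth noting is what `issue_temp_password` does besides generating the value: it invalidates the old password immediately, so a reset requested by an impostor at least locks the real password out rather than leaving both working, and the new value is useless to anyone who intercepts it after the window closes or after the legitimate user has already consumed it.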

