Security Basics mailing list archives

RE: Changing user password policy


From: "Henry Troup" <HenryT () watchfire com>
Date: Tue, 26 Sep 2006 08:30:05 -0400

OK, you realize that you're potentially asking for something very hard,
some might say impossible.  You have to trade risks here, and you also
have to trade lost productivity for security.

First off, you need to engineer a system that allows for the fact that
there are always people on vacation or otherwise out of touch for
significant periods.  You can't do it all in one burst and tear down the
change system; you'll need to sustain it for some period going forward.

Secondly, is this an emergency?  If your system is already compromised,
you have to act immediately, and accept a bigger loss of productivity.

The last time (at a former employer) I was through this, it was a
compromise, and we had a lot of people (5K or so), but a relatively
small number of locations.  We were able to:

* bulk change all the passwords (to random ones that needed to be
changed on first use)
* personally carry printed lists of passwords to trusted people in each
location
* make people come to the trusted people and show ID
* establish a network of trusted parties for remote verification going
forward

And, frankly, it killed at least three days of productivity for
everyone, and occupied most of IT for the next week.

If it's not an emergency, why are you doing this?  (Not a rhetorical
question.)  If you need to impose a stronger password policy, you just
turn it on, maybe forcibly expire old passwords.

If you need to force a change, but it's not an emergency due to
compromise, you could do some kind of two-part remote verification:
email out an identifier or, better, a link to an identifier generator,
and have the conversation on the phone structured around the knowledge
of the identifier.  Of course, if you have something like an RSA token
infrastructure, that can be leveraged for remote verification.

Henry Troup
Watchfire Corporation
Suite 300, 1 Hines Rd.
Kanata, ON K2K 3C7 Canada
613-599-3888 x4048




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Lars Solberg
Sent: Saturday, September 23, 2006 11:37
To: security-basics () securityfocus com
Subject: Changing user password policy

Hi list!

I was wondering about your thoughts on changing users' passwords in an
enterprise firm with 10k users.
It has to be easy for the user to get a new password, but also secure!
The users also have to be verified over the phone.
Making the users go somewhere and show ID to get a new password will not
work.

So, what are your thoughts about a good solution to this?


Thanks in advance,
  Lars
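The two-part scheme Henry outlines (bulk-reset everyone to a random, must-change-on-first-use password; then, for remote users, e-mail a one-time identifier and have the help desk verify it over the phone before handing out a usable password) is sketched below as an added example. This is not code from either poster; the user list, the `HelpDeskResets` class, the 24-hour identifier lifetime and the three-attempt limit are assumptions, and the "e-mail" is simply returned as a dict so the example runs offline.

```python
"""Added example (not from the original thread): bulk password reset plus
e-mail-then-phone verification. `HelpDeskResets`, the TTL and the attempt
limit are assumptions; e-mail transport is replaced by a returned dict."""
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass

IDENT_TTL_SECONDS = 24 * 3600   # assumed: e-mailed identifier is good for one day
MAX_PHONE_ATTEMPTS = 3          # assumed: then a fresh identifier must be issued

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def random_password(length: int = 16) -> str:
    """Random initial password, only ever meant to be changed on first use."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def _hash(secret: str, salt: str) -> bytes:
    """Store only hashes: of the password, and of the e-mailed identifier."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 100_000)


@dataclass
class Account:
    username: str
    must_change: bool = False
    password_hash: bytes = b""
    ident_hash: bytes = b""       # hash of the e-mailed identifier, never the plaintext
    ident_expires: float = 0.0
    attempts: int = 0


class HelpDeskResets:
    def __init__(self, usernames, clock=time.time):
        self.clock = clock
        self.accounts = {u: Account(u) for u in usernames}

    def bulk_reset(self) -> dict:
        """Step 1: every account gets a random password flagged must-change.
        Returns the plaintexts once, for the trusted parties' printed lists;
        the account store keeps only hashes."""
        handout = {}
        for acct in self.accounts.values():
            pw = random_password()
            acct.password_hash = _hash(pw, acct.username)
            acct.must_change = True
            handout[acct.username] = pw
        return handout

    def email_identifier(self, username: str) -> dict:
        """Step 2 (remote path): issue a one-time identifier to e-mail out.
        Re-issuing resets the expiry and the attempt counter."""
        acct = self.accounts[username]
        ident = "-".join(secrets.token_hex(2).upper() for _ in range(3))  # e.g. 1A2B-3C4D-5E6F
        acct.ident_hash = _hash(ident, "ident:" + username)
        acct.ident_expires = self.clock() + IDENT_TTL_SECONDS
        acct.attempts = 0
        return {"to": username, "identifier": ident}

    def verify_on_phone(self, username: str, spoken: str):
        """Step 3: the caller reads the identifier back over the phone.
        Returns a fresh must-change password on success, else None.
        The identifier is single-use, expires, and locks after too many tries."""
        acct = self.accounts[username]
        if not acct.ident_hash or self.clock() > acct.ident_expires:
            return None
        if acct.attempts >= MAX_PHONE_ATTEMPTS:
            return None
        acct.attempts += 1
        candidate = _hash(spoken.strip().upper(), "ident:" + username)
        if not hmac.compare_digest(candidate, acct.ident_hash):
            return None
        acct.ident_hash = b""          # burn it: one successful use only
        pw = random_password()
        acct.password_hash = _hash(pw, username)
        acct.must_change = True
        return pw

    def check_login(self, username: str, password: str) -> bool:
        acct = self.accounts[username]
        return hmac.compare_digest(_hash(password, username), acct.password_hash)
```

The identifier is stored hashed so a leaked help-desk database does not hand out valid challenges, it is compared in constant time, it expires, it is single-use, and three wrong readings over the phone force a fresh e-mail rather than letting a caller guess indefinitely. The same mechanics apply if the identifier comes from a token generator instead of e-mail.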


