Security Basics mailing list archives
RE: Changing user password policy
From: "Henry Troup" <HenryT () watchfire com>
Date: Tue, 26 Sep 2006 08:30:05 -0400
OK, you realize that you're potentially asking for something very hard, some might say impossible. You have to trade risks here, and you also have to trade lost productivity for security.

First off, you need to engineer a system that allows for the fact that there are always people on vacation or otherwise out of touch for significant periods. You can't do it all in one burst and tear down the change system; you'll need to sustain it for some period going forward.

Secondly, is this an emergency? If your system is already compromised, you have to act immediately, and accept a bigger loss of productivity.

The last time (at a former employer) I was through this, it was a compromise, and we had a lot of people (5K or so), but a relatively small number of locations. We were able to:

* bulk change all the passwords (to random ones that needed to be changed on first use)
* personally carry printed lists of passwords to trusted people in each location
* make people come to the trusted people and show ID
* establish a network of trusted parties for remote verification going forward

And, frankly, it killed at least three days of productivity for everyone, and occupied most of IT for the next week.

If it's not an emergency, why are you doing this? (Not a rhetorical question.) If you need to impose a stronger password policy, you just turn it on, maybe forcibly expire old passwords.

If you need to force a change, but it's not an emergency due to compromise, you could do some kind of two-part remote verification: email out an identifier or, better, a link to an identifier generator, and have the conversation on the phone structured around the knowledge of the identifier. Of course, if you have something like an RSA token infrastructure, that can be leveraged for remote verification.

Henry Troup
Watchfire Corporation
Suite 300, 1 Hines Rd.
Kanata, ON K2K 3C7 Canada
613-599-3888 x4048

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lars Solberg
Sent: Saturday, September 23, 2006 11:37
To: security-basics () securityfocus com
Subject: Changing user password policy

Hi list!

I was wondering your thoughts on changing users' passwords in an enterprise firm with 10k users. It has to be easy for the user to get a new password, but also secure! The users also have to be verified over the phone. Making the users go somewhere and show ID to get a new password will not work.

So, what are your thoughts about a good solution to this?

Thanks in advance
Lars
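Added example, not from the thread, sketching the two-part remote verification Henry describes: a short-lived identifier is emailed to the user, the helpdesk checks that the caller can read it back over the phone, and only then is a random temporary password issued that must be changed on first use (as in the bulk reset he describes). Function names, the 15-minute lifetime, the three-attempt limit and the in-memory stores are assumptions standing in for a real directory and helpdesk database.

```python
import hashlib
import hmac
import secrets
import time

IDENTIFIER_TTL_SECONDS = 15 * 60   # assumption: identifier is valid for 15 minutes
MAX_ATTEMPTS = 3                   # assumption: three wrong read-backs burn the identifier

# Constructed in-memory stand-ins for the directory / helpdesk database.
_pending = {}    # user -> (sha256 of identifier, expiry time, attempts left)
_accounts = {}   # user -> {"must_change": bool}


def _digest(value: str) -> str:
    # Only a hash is kept server-side, so a leaked table does not reveal live identifiers.
    return hashlib.sha256(value.encode()).hexdigest()


def issue_identifier(user: str, now: float = None) -> str:
    """Step 1: generate a random, single-use identifier and email it to the user.
    The send is simulated; the return value stands in for the mail body."""
    now = time.time() if now is None else now
    identifier = secrets.token_urlsafe(8)
    _pending[user] = (_digest(identifier), now + IDENTIFIER_TTL_SECONDS, MAX_ATTEMPTS)
    return identifier


def verify_over_phone(user: str, spoken: str, now: float = None) -> bool:
    """Step 2: the helpdesk agent types in what the caller reads out.
    Unknown, expired or exhausted identifiers fail; a match consumes the identifier."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    stored, expiry, attempts = entry
    if now > expiry or attempts <= 0:
        _pending.pop(user, None)          # dead identifier: require a fresh email round
        return False
    if not hmac.compare_digest(stored, _digest(spoken)):
        _pending[user] = (stored, expiry, attempts - 1)
        return False
    _pending.pop(user)                    # single use: cannot be replayed on a second call
    return True


def issue_temporary_password(user: str) -> str:
    """Step 3: random temporary password, flagged so the user must change it on first use."""
    temp = secrets.token_urlsafe(12)
    _accounts[user] = {"must_change": True}   # the directory itself stores the credential
    return temp


def must_change_on_first_use(user: str) -> bool:
    return _accounts.get(user, {}).get("must_change", False)
```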