Security Basics mailing list archives

Re: Changing user password policy


From: "Hylton Conacher(ZR1HPC)" <hylton () conacher co za>
Date: Tue, 26 Sep 2006 16:06:52 +0200

Lars Solberg wrote:
> Hi list!
Hi Lars,

> I was wondering your thoughts on changing users' passwords in an
> enterprise firm with 10k users.
> It has to be easy for the user to get a new password, but also secure!
> The users also have to be verified over the phone.
> Making the users go somewhere and show ID to get a new password will not work.
Does this have to be an automated system, or will the new passwords be assigned by someone, i.e. you?

What does each user have that you can use to authenticate the user?

I would think that each employee has a telephone extension and an ID number or social security number. They also work in departments with other staff members. Each person has a unique NIC MAC address.

For the manual method of password generation, assuming the above and your requirements, the job is fairly simple.

User A calls from extension 1234.
The password administrator confirms that the company records show that the correct person is calling from the correct extension number.

The password administrator then 'net sends' them a message or character string and asks them to tell him what a certain character is.

That, combined with the MAC address of the person's PC, the telephone extension number and the repeating of a character sent to the requestor's PC, would enable you to validate the person and provide them with a new password telephonically.

What it does not stop is someone else sitting at the PC and changing the password so it should be company policy that all workstations left unattended MUST be locked so that a password specific to a user is required to unlock them.

If the process is to be automatic, I am sure the above process could be customised or scripted so that the person could visit a web page to change their password. The machine on the network requesting the password change could be authenticated, perhaps via MAC address, but the person operating the machine could still be in doubt. As the person cannot be verified it is imperative that unattended workstations be locked.

These are my thoughts which I hope provide some insight. Remember that you need to confirm that the person telephoning or using the machine is the correct allowed person.

Regards
Hylton
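The verification flow Hylton describes (check the calling extension and workstation against company records, push a challenge string to the caller's PC, ask for one character of it over the phone, then hand out a temporary password) written out as a small Python model. This is an added example, not code from the original post or from any product: the directory contents, the user names, the extensions, the MAC addresses, the challenge length, the time-out and the attempt limit are all assumptions. The 'net send' delivery itself is represented by returning the challenge string to the caller, since how it reaches the workstation is outside what the post describes.

```python
"""
Phone-based password-reset verification modelled on the process in the reply
above: caller extension + workstation check, then a challenge string sent to
the caller's PC of which the caller reads back one character, then a one-time
temporary password. Added example; names and data below are assumptions.
"""
import secrets
import string
import time
from dataclasses import dataclass

# Constructed sample directory (assumed data): user -> extension and workstation MAC.
DIRECTORY = {
    "alice": {"extension": "1234", "mac": "00:11:22:33:44:55"},
    "bob":   {"extension": "5678", "mac": "66:77:88:99:aa:bb"},
}

CHALLENGE_ALPHABET = string.ascii_uppercase + string.digits  # unambiguous when read aloud
CHALLENGE_LEN = 8
CHALLENGE_TTL = 120   # seconds a challenge stays valid (assumed policy)
MAX_ATTEMPTS = 3      # wrong answers before the reset request is discarded (assumed policy)


@dataclass
class PendingReset:
    user: str
    challenge: str   # string 'net sent' to the caller's PC
    position: int    # index of the character the administrator asks for by phone
    issued_at: float
    attempts: int = 0


PENDING = {}  # user -> PendingReset


def start_reset(user, calling_extension, workstation_mac, now=None):
    """Step 1: the caller's extension and PC must match company records.
    Returns (challenge, position) on success: the challenge is sent to the
    workstation, the position is what the administrator asks the caller for."""
    now = time.time() if now is None else now
    rec = DIRECTORY.get(user)
    if rec is None:
        return None
    if rec["extension"] != calling_extension or rec["mac"].lower() != workstation_mac.lower():
        return None
    challenge = "".join(secrets.choice(CHALLENGE_ALPHABET) for _ in range(CHALLENGE_LEN))
    position = secrets.randbelow(CHALLENGE_LEN)
    PENDING[user] = PendingReset(user, challenge, position, now)
    return challenge, position


def generate_temp_password(length=12):
    """One-time password given out by phone; the account should force a change at next logon."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def verify_and_issue(user, spoken_char, now=None):
    """Step 2: compare the character read back over the phone with the one at the
    agreed position. Expired or exhausted requests are discarded; success returns
    a temporary password, failure returns None."""
    now = time.time() if now is None else now
    p = PENDING.get(user)
    if p is None:
        return None
    if now - p.issued_at > CHALLENGE_TTL:
        del PENDING[user]
        return None
    p.attempts += 1
    expected = p.challenge[p.position]
    if not secrets.compare_digest(spoken_char.strip().upper(), expected):
        if p.attempts >= MAX_ATTEMPTS:
            del PENDING[user]
        return None
    del PENDING[user]  # a challenge is good for exactly one reset
    return generate_temp_password()


if __name__ == "__main__":
    # Walk-through of a successful reset for the constructed user 'alice'.
    challenge, pos = start_reset("alice", "1234", "00:11:22:33:44:55")
    print("sent to PC:", challenge, "| asked by phone: character", pos + 1)
    print("temporary password:", verify_and_issue("alice", challenge[pos]))
```

Two design points worth noting: the challenge is single-use and time-limited, so a string left on screen at an unattended workstation (the weakness the post itself points out) is only useful for a couple of minutes and only to someone who is also on the right extension; and a MAC address is reported by the client and trivially changed, so the example treats it as one corroborating record among several, exactly as the post does, not as proof of who is at the keyboard.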

