Security Basics mailing list archives
Re: Changing user password policy
From: "Lars Solberg" <sunberg () gmail com>
Date: Fri, 29 Sep 2006 10:45:28 +0200
Hi Thanks for all the good answers! Its not an emergency, I just wonder if there are any "good" ways of doing this with good security. The point is that helpdesk receive a telephone call and then the user can change their password over the phone. I try to find a way to do this more secure.. The users are using more than one computer so I cant verify them by their MAC. Its the password to log into the system so I cant send them an net send eighter. The system have caller ID but the users are almost always calling from other phones. An possibility could be to force a group of users to use one specific phone. Anyway, it seams that password hints is the best solution and we are thinking of using that... Thanks again! Lars On 9/27/06, Raoul Armfield <armfield () amnh org> wrote:
Another option is simply to set the PwdLastSet attribute to 0 this will force everyone to change their password. If you also set Password complexity rules before you do this, it will force everyone to use a complex password. Raoul krymson () gmail com wrote: > This is just scary. While I won't ask you to share it if you can't, just keep in mind the reason why you may need to do this. If you can phase it, for instance, do 1,000 people a day so that you can avoid swamping your help desk with the phone calls, that is better than doing all 10,000 out of the blue. > > Definitely alert people well in advance that this will be happening. > > If this is something you can do over the course of 30 days and have them trickle in slowly, just force everyone to make a new password next time them log in. After a month or two, audit the accounts for any that simply have not rebooted in a month. Then make this a permanent policy. > > Since you need to get a new password to users but need to verify them over the phone, that kinda implies your help desk will need to contact the user, not the other way around (I could call in and ask for John Doe's password, unless you call me back...). And since you'll already have them on the phone, you may as well distribute the passwords that way. Help desk sets a quick password, user logs in, and is forced to change password so help desk no longer knows it. > > As a last ditch effort if you have to do this tomorrow, I would suggest tonight changing everyone's password to something random, and make them call the help desk in the morning. The help desk can verify the user, change the password, set it to require a new password on next logon, and get the user back in and working...but be prepared for 10K users calling in that morning. Also, be prepared for people not having logged off and finding some network services don't work because their password is changed and now their account is locked out. :) > > --------------------------------------------------------------------------- > This list is sponsored by: Norwich University > > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE > The NSA has designated Norwich University a center of Academic Excellence > in Information Security. Our program offers unparalleled Infosec management > education and the case study affords you unmatched consulting experience. > Using interactive e-Learning technology, you can earn this esteemed degree, > without disrupting your career or home life. > > http://www.msia.norwich.edu/secfocus > --------------------------------------------------------------------------- > > -- Raoul Armfield rarmfield at amnh dot org --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
--------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Changing user password policy Lars Solberg (Sep 25)
- Re: Changing user password policy Cyber Legionnaire (Sep 26)
- RE: Changing user password policy Paul Sutton (Sep 26)
- RE: Changing user password policy Henry Troup (Sep 26)
- Re: Changing user password policy Hylton Conacher(ZR1HPC) (Sep 27)
- <Possible follow-ups>
- Re: Changing user password policy krymson (Sep 26)
- Re: Changing user password policy Raoul Armfield (Sep 27)
- Re: Changing user password policy Lars Solberg (Sep 29)
- Re: Changing user password policy Raoul Armfield (Sep 27)