RE: Password communication

["Petter Bruland" <pbruland () fcglv com>]

How big of a company are we talking about here?

Last time we had to have people change passwords outside the regular 90 days change, we divided the org into a few 
smaller groups, and walked around. Now we're only 188 here, so that's not hard, but if we're talking several sites and 
hundreds of employees, I don't see anything negative about using the phone.

Also the "Change password after login" isn't going to help this situation, as if the wrong person gets the temp 
password, he/she will just change that to something else upon login.

Wish we had the $$ for RSA or some two factor authentication, as that seems easier on the end users, rather than trying 
to explain why their password can't be "MONDAY" etc


-Petter

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
Sent: Thursday, January 03, 2008 10:06 AM
To: security-basics () securityfocus com
Subject: RE: Password communication

Good day,

I don't agree that the phone is insecure.
If you set up the policy so it enforces the user to create a new password on first login then you can give the password 
over the phone and the user will change it right away.

Nick Vaernhoej
"Quidquid latine dictum sit, altum sonatur."


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of pepsdiaz () gmail com
Sent: Thursday, January 03, 2008 3:09 AM
To: security-basics () securityfocus com
Subject: Password communication

Dear all,

 

We are trying to implement a password policy in our Organization and we have some doubts when distributing the password 
to all the employees. I would like to know which is the best way to communicate the new password when the user 
block/forgot his password. 

 

1) We don´t want to use an envelope because it takes long time.

 

2) Telephone is insecure, how to authenticate the user?

 

3) email is also insecure...

 

4) PKI... expensive?

 

Thanks to all in advance.


This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged, 
confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby 
notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in 
reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please 
notify the sender that this message was received in error and then delete this message.
Thank you.