RE: Password communication

["Ronny Roethof" <ronny () lls-ix nl>]

The problem of the OP was not that the company might know the password like
in your described situation,
But to verify the authenticity of the caller who claims to be the owner of
the account.

-- 
Ronny Roethof


-----Oorspronkelijk bericht-----
Van: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
Namens Nikhil Wagholikar
Verzonden: donderdag 3 januari 2008 20:36
Aan: security-basics () securityfocus com
Onderwerp: Re: Password communication

Hello Pepsdiaz,

I too agree with Nick Vaernhoej.

While reseting the password, make sure you also enable the option
"User must change password at next logon". Then communicate the
password over phone or in person. As soon as the user logs (login) on
for the first time with the previous communicated password, he'll be
forced to change the password of his account there and there itself.

---
Nikhil Wagholikar
Information Security Analyst
NII Consulting
Web: http://www.niiconsulting.com
Security Products: http://www.niiconsulting.com/products.html



On 3 Jan 2008 09:09:18 -0000, <pepsdiaz () gmail com> wrote:
> Dear all,
>
>
>
> We are trying to implement a password policy in our Organization and we
have some doubts when distributing the password to all the employees. I
would like to know which is the best way to communicate the new password
when the user block/forgot his password.
> 1) We don´t want to use an envelope because it takes long time.
>
>
>
> 2) Telephone is insecure, how to authenticate the user?
>
>
>
> 3) email is also insecure...
>
>
>
> 4) PKI... expensive?
>
>
>
> Thanks to all in advance.