Security Basics mailing list archives

RE: Password communication


From: "Sinha, Amitabh (Amit)" <Amit.Sinha () lsi com>
Date: Mon, 7 Jan 2008 10:46:08 -0500

Use your phone audix capabilities. When a user calls for a password reset, have the helpdesk leave the temporary password 
on their office phone and send an informational email that their password was reset (without specifying the temp 
password) as per their phone request. A valid user will retrieve their temporary password by accessing the audix, for 
which they would have to enter their audix/voicemail password.

Best of Luck,

Amit Sinha
MS Computer Science (INFOSEC)
Global WAN & IT Security
LSI Corporation




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of pepsdiaz () gmail com
Sent: Thursday, January 03, 2008 3:09 AM
To: security-basics () securityfocus com
Subject: Password communication

Dear all,

 

We are trying to implement a password policy in our organization and we have some doubts about distributing the password 
to all the employees. I would like to know which is the best way to communicate the new password when the user 
blocks/forgets his password. 

 

1) We don't want to use an envelope because it takes a long time.

 

2) Telephone is insecure, how to authenticate the user?

 

3) email is also insecure...

 

4) PKI... expensive?

 

Thanks to all in advance.

