Security Basics mailing list archives

Re: Password communication


From: "Serg B" <sergeslists () gmail com>
Date: Tue, 8 Jan 2008 09:06:25 +1100

Sending an OTP password over email should be fine. Like Gleb has
mentioned, make sure to set the flag "change after login" to On and things
should be relatively safe; of course password complexity and history
policy rules should also be in effect.

   Serg

On Jan 6, 2008 9:08 AM, Gleb Paharenko <gpaharenko () gmail com> wrote:
Hi.

From my experience, the best is single sign on (SSO) with smart card
authentication. However it is really expensive, especially when you
have a lot of information systems.
Quite reasonable, from my point of view, is to reset the user's password
to a new one, setting the flag "change after login" and emailing it to the
user. Mail encryption is easily implemented, at least with Lotus Notes.
A password change history should be implemented, so the password cannot
be repeated.

2008/1/4, mgk.mailing <mgk.mailing () googlemail com>:

Hi

Regarding the PKI, I have been following OpenXPKI for a while and it has
been progressing nicely.  Admittedly at the moment it is in development
but it's free and reasonably stable.  They also have set up a live CD for
you to try on the site.  I haven't implemented it myself at the moment
but I would hope to review it again when it goes gold.

Hope that helps.


pepsdiaz () gmail com wrote:
Dear all,



We are trying to implement a password policy in our organization and we have some doubts about distributing the password to all the employees. I would like to know which is the best way to communicate the new password when the user blocks/forgets his password.



1) We don't want to use an envelope because it takes a long time.

2) Telephone is insecure, how to authenticate the user?

3) email is also insecure...

4) PKI... expensive?



Thanks to all in advance.






--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com


