Security Basics mailing list archives

RE: Password communication


From: "Worrell, Brian" <BWorrell () isdh IN gov>
Date: Tue, 8 Jan 2008 09:19:34 -0500

Serg,

Not disagreeing at all. Just thought I would throw that out there, as I saw lots of people saying things like email a link or half the password etc. Those work, if you can get in.

The 30 min thing is something I have seen a lot of lately. It works, and I agree on the brute forcing would such in time.

Brian

-----Original Message-----
From: Serg B [mailto:sergeslists () gmail com] 
Sent: Tuesday, January 08, 2008 9:12 AM
To: Worrell, Brian
Cc: security-basics
Subject: Re: Password communication

Hi,

I suppose a user could attempt a manual password recovery by flipping the keyboard upside down and reading the post-it note attached.

If we are talking about passwords, I think there are two options:

(a) If the account has been locked due to multiple incorrect authentication attempts, it's a good idea to automatically unlock it after a certain time interval, say 30 minutes or something like that. This will make brute forcing near impossible, eliminate logical DoS attacks and reduce help-desk workload.

However, (b) if this is a primary system account (e.g. workstation logon), I suppose the only way would be to call the help desk. That's the best I can do when talking passwords.

There are technologies that have been mentioned, like smart cards, proximity cards, etc. That would be a different kettle of fish altogether.


Serg


On Jan 9, 2008 12:56 AM, Worrell, Brian <BWorrell () isdh in gov> wrote:
If this is a new user, or a user that forgot their password, how can they access their email to get their new password?

Brian

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Serg B
Sent: Monday, January 07, 2008 5:06 PM
To: security-basics
Subject: Re: Password communication

Sending an OTP password over email should be fine. Like Gleb has mentioned, make sure to set the flag "change after login" to On and things should be relatively safe; of course password complexity and history policy rules should also be in effect.

Serg

On Jan 6, 2008 9:08 AM, Gleb Paharenko <gpaharenko () gmail com> wrote:
Hi.

From my experience, the best is single sign-on (SSO) with smart card authentication. However, it is really expensive, especially when you have a lot of information systems.

Quite reasonable, from my point of view, is to reset the user's password to a new one, set the flag "change after login", and email it to the user. Mail encryption is easily implemented, at least with Lotus Notes.

Password change history should be implemented, so the password could not be repeated.

2008/1/4, mgk.mailing <mgk.mailing () googlemail com>:

Hi

Regarding the PKI, I have been following OpenXPKI for a while and it has been progressing nicely. Admittedly, at the moment it is in development, but it's free and reasonably stable. They also have set up a live CD for you to try on the site. I haven't implemented it myself at the moment, but I would hope to review it again when it goes gold.

Hope that helps.


pepsdiaz () gmail com wrote:
Dear all,

We are trying to implement a password policy in our organization and we have some doubts when distributing the password to all the employees. I would like to know which is the best way to communicate the new password when the user blocks/forgets his password.

1) We don't want to use an envelope because it takes a long time.

2) Telephone is insecure; how to authenticate the user?

3) Email is also insecure...

4) PKI... expensive?

Thanks to all in advance.

--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
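As an added illustration, not written by any poster in this thread, of Serg's option (a) together with the "change after login" flag and password history that Gleb and Serg describe: a small in-memory account store that locks after repeated failures, unlocks by itself after 30 minutes, forces a change after a one-time reset password, and refuses reuse of earlier passwords. The 30-minute window is the one from the thread; the threshold of five failures, PBKDF2 hashing and the return strings are my assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5      # failed attempts before the account locks (assumed value)
LOCKOUT_SECONDS = 30 * 60  # auto-unlock after 30 minutes, the interval from the thread

def derive(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked store does not hand out the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    salt: bytes = b""
    digest: bytes = b""
    must_change: bool = False  # the "change after login" flag from the thread
    failures: int = 0
    locked_until: float = 0.0  # unix time; 0.0 means not locked
    history: list = field(default_factory=list)  # (salt, digest) of earlier passwords

class AuthService:
    def __init__(self):
        self.accounts = {}
    def set_password(self, user, password, must_change=False):
        """Enrol, reset (pass the emailed OTP with must_change=True) or change a password."""
        acct = self.accounts.setdefault(user, Account())
        if acct.digest:
            acct.history.append((acct.salt, acct.digest))
        acct.salt = secrets.token_bytes(16)
        acct.digest = derive(password, acct.salt)
        acct.must_change, acct.failures, acct.locked_until = must_change, 0, 0.0
    def login(self, user, password, now):
        acct = self.accounts[user]
        if now < acct.locked_until:
            return "locked"  # clears by itself after the window, so no help-desk call
        if not hmac.compare_digest(derive(password, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.failures, acct.locked_until = 0, now + LOCKOUT_SECONDS
                return "locked"
            return "bad_password"
        acct.failures = 0
        return "must_change" if acct.must_change else "ok"
    def change_password(self, user, new_password):
        """Password history: refuse the current password or any earlier one."""
        acct = self.accounts[user]
        for salt, digest in acct.history + [(acct.salt, acct.digest)]:
            if hmac.compare_digest(derive(new_password, salt), digest):
                return False
        self.set_password(user, new_password)
        return True
```

A login that returns "must_change" should only be allowed to reach the password-change screen; everything else stays blocked until change_password succeeds.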