RE: A question about how to validate a user's request to change a password or unlock their account

From: Doug Wombles (fisdu@hotmail.com)
Date: 08/07/01


From: "Doug Wombles" <fisdu@hotmail.com>
To: cj_oakwood@yahoo.com, SECURITY-BASICS@SECURITYFOCUS.COM
Subject: RE: A question about how to validate a user's request to change a password or unlock there account
Date: Tue, 07 Aug 2001 16:54:20 -0500
Message-ID: <F11kNassRpjImXJAdku000019b7@hotmail.com>

If you are actually interested in security, the callback isn't that
secure; anyone could be there and answer their phone. The code word isn't a
very good option either: the user can't remember their password, so how will
they remember a code word? The photo ID is the best way to make sure the
correct person is requesting the change. I also like the manager
getting involved; that will make them aware of any issues they might not be
aware of with their employees, and of training issues that need to be addressed.

later
dw

>From: "CJ Oakwood" <cj_oakwood@yahoo.com>
>To: "'VanMeter, John'" <John.VanMeter@ost.dot.gov>, "'SECURITY-BASICS
>(E-mail)'" <SECURITY-BASICS@SECURITYFOCUS.COM>
>Subject: RE: A question about how to validate a user's request to change a
>password or unlock there account
>Date: Mon, 6 Aug 2001 17:47:08 -0700
>
>You should ask the simple questions (name, alias, ext., etc.),
>but instead of giving him the new password, give it to his manager.
>Everybody has somebody above him. I know it is sometimes hard for
>employees to talk to their bosses, but if somebody needs a password
>reset (especially if they are temp or contract), the boss should know.
>
>My $0.02
>
>CJ
>
>-----Original Message-----
>From: VanMeter, John [mailto:John.VanMeter@ost.dot.gov]
>Sent: Friday, August 03, 2001 03:32
>To: SECURITY-BASICS (E-mail)
>Subject: A question about how to validate a user's request to change a
>password or unlock there account
>
>
>I would like to ask what everyone thinks about how to validate a user's
>request to change his password. Currently a user calls the helpdesk,
>gives his username, and the helpdesk staff will change the password or
>unlock an account. I'm looking for some way to validate the user's
>identity without putting undue pressure on anyone.
>
>At work we've talked about requiring the user to come down/up to the
>helpdesk and show a photo ID; then the account could be unlocked or the
>password changed.
>
>We've also talked about using a callback system: the user would call
>and leave their name with the helpdesk staff, then one of the helpdesk
>techs would look up that person's phone number and call them back; then the
>account could be unlocked or the password changed.
>
>Or we talked about using a code word: the user would call and supply a code
>word, the helpdesk tech would look up the word in a database, and if the
>correct word was supplied the account could be unlocked or the password
>changed.
>
>What does everyone think?
>
>Thank You, Take Care and have fun
>John van Meter
>Win2K System Administrator

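The "look up the word in a database" step in John's third option is the one part of this thread that turns into code, and it is where a careless implementation bites: if the table holds the code words in clear, every helpdesk tech (and anyone who gets at a backup) can impersonate every user. The following is an added example, written for this page and not taken from any of the posters, of how a helpdesk tool could store and check such code words. The names (`enroll`, `verify`, `CodeWordRecord`, `MAX_FAILED_ATTEMPTS`), the in-memory dict standing in for the database, and the sample user and word are all constructed for the example; the policy choices (salted PBKDF2 hash, constant-time comparison, lockout after three wrong answers so a human has to step in, and an audit trail of every attempt) are design assumptions, not anything the original post specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical policy constants for this example.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 3


@dataclass
class CodeWordRecord:
    """One row of the helpdesk's code-word table (constructed for this example)."""
    username: str
    salt: bytes
    code_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _normalize(code_word: str) -> bytes:
    # The word is read out over the phone, so case and surrounding whitespace
    # carry no information; normalize before hashing (a design choice).
    return code_word.strip().casefold().encode("utf-8")


def _hash_code_word(code_word: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code_word), salt, PBKDF2_ITERATIONS)


def enroll(db: dict, username: str, code_word: str) -> None:
    """Store only a salted hash; the helpdesk never needs the plaintext word."""
    salt = os.urandom(16)
    db[username] = CodeWordRecord(username, salt, _hash_code_word(code_word, salt))


def verify(db: dict, username: str, code_word: str, audit: list) -> bool:
    """Check a caller's code word; True only on a match against an unlocked record."""
    record = db.get(username)
    if record is None:
        # Burn the same hashing cost so an unknown username is not
        # distinguishable from a wrong word by response time.
        _hash_code_word(code_word, b"\x00" * 16)
        audit.append((username, "unknown-user"))
        return False
    if record.locked:
        audit.append((username, "locked"))
        return False
    if hmac.compare_digest(_hash_code_word(code_word, record.salt), record.code_hash):
        record.failed_attempts = 0
        audit.append((username, "verified"))
        return True
    record.failed_attempts += 1
    if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
        # Too many misses: stop answering and make a human get involved.
        record.locked = True
        audit.append((username, "locked-after-failures"))
    else:
        audit.append((username, "wrong-code-word"))
    return False


def demo() -> list:
    """Constructed walk-through: one enrollment, one good call, then a guessing caller."""
    db, audit = {}, []
    enroll(db, "jdoe", "Blue Heron")
    verify(db, "jdoe", " blue heron ", audit)      # phone-normalized match
    for guess in ("password", "letmein", "qwerty"):
        verify(db, "jdoe", guess, audit)            # third miss locks the record
    verify(db, "jdoe", "Blue Heron", audit)         # correct word, but now locked
    verify(db, "nobody", "Blue Heron", audit)       # unknown user
    return audit


if __name__ == "__main__":
    for username, outcome in demo():
        print(f"{username:8s} {outcome}")
```

The lockout is deliberately not self-healing: once a record is locked the correct word is refused until someone clears it, which pushes the case toward the in-person or manager path the other replies favour. The audit list is what you would actually ship to a log so that a run of "wrong-code-word" entries against one account is visible to whoever reviews helpdesk activity.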
