RE: A question about how to validate a user's request to change a password or unlock there account
From: Ken Pfeil (Ken@infosec101.org)
Date: 08/07/01
- Previous message: Jay Stapleton: "RE: cio.org"
- In reply to: CJ Oakwood: "RE: A question about how to validate a user's request to change a password or unlock there account"
- Next in thread: CJ Oakwood: "RE: A question about how to validate a user's request to change a password or unlock there account"
- Reply: CJ Oakwood: "RE: A question about how to validate a user's request to change a password or unlock there account"
- Reply: Meritt James: "Re: A question about how to validate a user's request to change a password or unlock there account"
- Reply: Matthew Pemble: "RE: A question about how to validate a user's request to change a password or unlock there account"
- Reply: Tracy Martin: "New here: Question about NetGear RT-314 configuration for security"
From: "Ken Pfeil" <Ken@infosec101.org>
To: "CJ Oakwood" <cj_oakwood@yahoo.com>, "'VanMeter, John'" <John.VanMeter@ost.dot.gov>, "'SECURITY-BASICS (E-mail)'" <SECURITY-BASICS@SECURITYFOCUS.COM>
Subject: RE: A question about how to validate a user's request to change a password or unlock there account
Date: Tue, 7 Aug 2001 12:24:56 -0400
Message-ID: <EKEIJMECHELIFJCAOFHGIEHEDJAA.Ken@infosec101.org>

IMHO, Bad Idea (TM). NO ONE should ever know your password, including the
boss. This flies in the face of every security principle there is.
> -----Original Message-----
> From: CJ Oakwood [mailto:cj_oakwood@yahoo.com]
> Sent: Monday, August 06, 2001 8:47 PM
> To: 'VanMeter, John'; 'SECURITY-BASICS (E-mail)'
> Subject: RE: A question about how to validate a user's request to change
> a password or unlock there account
>
>
>
> You should ask the simple questions, (name, alias, ext, etc...)
> But instead of giving him the new password, give it to his Manager.
> Everybody has somebody above him. I know it is sometimes hard for
> employees to talk to their bosses, but if somebody needs a password
> reset, (especially if they are temp, or contract) the boss should know.
>
> My $0.02
>
> CJ
>
> -----Original Message-----
> From: VanMeter, John [mailto:John.VanMeter@ost.dot.gov]
> Sent: Friday, August 03, 2001 03:32
> To: SECURITY-BASICS (E-mail)
> Subject: A question about how to validate a user's request to change a
> password or unlock there account
>
>
> I would like to ask what everyone thinks about how to validate a user's
> request to change his password. Currently a user calls the helpdesk,
> gives his username and the helpdesk staff will change the password or
> unlock an account. I'm looking for some way to validate the user
> identity without putting undue pressure on anyone.
>
> At work we've talked about requiring the user to come down/up to the
> helpdesk, show a photo id then the account could be unlocked or the
> password changed.
>
> We've also talked about using a call back system, the user would call
> and leave their name with the helpdesk staff, then one of the helpdesk
> techs would look up that person's phone number, call them back, then the
> account could be unlocked or the password changed.
>
> Or we talked about using a code word, the user would call, supply a code
> word, the helpdesk tech would look up the word in a database and if the
> correct word was supplied the account could be unlocked or the password
> changed.
>
> What does everyone think?
>
> Thank You, Take Care and have fun
> John van Meter
> Win2K System Administrator