Re: A question about how to validate a user's request to change a password or unlock there account

From: Meritt James (meritt_james@bah.com)
Date: 08/08/01


Message-ID: <3B7184CF.DC5DAC02@bah.com>
Date: Wed, 08 Aug 2001 14:28:31 -0400
From: "Meritt James" <meritt_james@bah.com>
To: Doug Wombles <fisdu@hotmail.com>
Subject: Re: A question about how to validate a user's request to change a  password or unlock there account

Phone phreaks have defeated that call-back trick for years. It misses
foolproof by a long shot, but it is better than nothing.

Doug Wombles wrote:
>
> If you are actually interested in security, the call back isn't that
> secure; anyone could be there and answer their phone. The code word isn't a
> very good option either. The user can't remember their password; how will
> they remember a code word? The photo ID is the best way to make sure the
> correct person is requesting the change to be made. I also like the manager
> getting involved; that will make them aware of any issues they might not be
> aware of with their employees and training issues that need to be addressed.
>
> later
> dw
>
> >From: "CJ Oakwood" <cj_oakwood@yahoo.com>
> >To: "'VanMeter, John'" <John.VanMeter@ost.dot.gov>, "'SECURITY-BASICS
> >(E-mail)'" <SECURITY-BASICS@SECURITYFOCUS.COM>
> >Subject: RE: A question about how to validate a user's request to change a
> >password or unlock there account
> >Date: Mon, 6 Aug 2001 17:47:08 -0700
> >
> >You should ask the simple questions (name, alias, ext, etc...),
> >but instead of giving him the new password, give it to his manager.
> >Everybody has somebody above him. I know it is sometimes hard for
> >employees to talk to their bosses, but if somebody needs a password
> >reset (especially if they are temp or contract), the boss should know.
> >
> >My $0.02
> >
> >CJ
> >
> >-----Original Message-----
> >From: VanMeter, John [mailto:John.VanMeter@ost.dot.gov]
> >Sent: Friday, August 03, 2001 03:32
> >To: SECURITY-BASICS (E-mail)
> >Subject: A question about how to validate a user's request to change a
> >password or unlock there account
> >
> >
> >I would like to ask what everyone thinks about how to validate a user's
> >request to change his password. Currently a user calls the helpdesk,
> >gives his username, and the helpdesk staff will change the password or
> >unlock an account. I'm looking for some way to validate the user's
> >identity without putting undue pressure on anyone.
> >
> >At work we've talked about requiring the user to come down/up to the
> >helpdesk, show a photo id then the account could be unlocked or the
> >password changed.
> >
> >We've also talked about using a call back system: the user would call
> >and leave their name with the helpdesk staff, then one of the helpdesk
> >techs would look up that person's phone number and call them back, then the
> >account could be unlocked or the password changed.
> >
> >Or we talked about using a code word: the user would call and supply a code
> >word, the helpdesk tech would look up the word in a database, and if the
> >correct word was supplied the account could be unlocked or the password
> >changed.
> >
> >What does everyone think?
> >
> >Thank You, Take Care and have fun
> >John van Meter
> >Win2K System Administrator
>

-- 
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566
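The verification options discussed in this thread (call-back to the directory number of record, a code word, in-person photo ID, and handing the new password to the manager rather than the caller) can be written down as a small helpdesk policy check. The following is an added example written for this page, not code from any list member or from any product; the directory entries, phone numbers, code word and check names are constructed assumptions. It combines the call-back and the code word so that neither "anyone answering the phone" nor a guessed word is enough on its own, stores code words only as salted hashes, and always routes the new password to the manager of record.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed directory of record: the helpdesk must dial THIS number, never the
# number the caller offers. Usernames, numbers and managers are hypothetical.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "jvanmeter": {"phone": "555-0101", "manager": "cjoakwood"},
    "dwombles": {"phone": "555-0102", "manager": "jmeritt"},
}

# Code words are kept as (salt, PBKDF2 hash), never in clear text, so a leaked
# helpdesk database does not hand out every user's reset secret.
CODEWORDS: Dict[str, Tuple[bytes, bytes]] = {}


def hash_codeword(word: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 100_000)


def enroll_codeword(username: str, word: str) -> None:
    salt = secrets.token_bytes(16)
    CODEWORDS[username] = (salt, hash_codeword(word, salt))


def verify_codeword(username: str, word: Optional[str]) -> bool:
    record = CODEWORDS.get(username)
    if record is None or word is None:
        return False
    salt, expected = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hash_codeword(word, salt), expected)


@dataclass
class ResetRequest:
    username: str
    caller_phone: str                 # number the caller gave: untrusted input
    codeword: Optional[str] = None    # word spoken on the call-back, if any
    photo_id_checked: bool = False    # helpdesk saw the ID in person


@dataclass
class Decision:
    approved: bool
    checks_passed: List[str]
    reasons: List[str]
    deliver_to: Optional[str]         # manager who receives the new password
    callback_number: Optional[str]    # directory number the tech must dial


def evaluate(req: ResetRequest) -> Decision:
    """Approve when the caller appeared in person with photo ID, or when the
    call-back reached the directory number AND the code word verified."""
    entry = DIRECTORY.get(req.username)
    if entry is None:
        return Decision(False, [], ["unknown username"], None, None)

    passed: List[str] = []
    reasons: List[str] = []

    if req.photo_id_checked:
        passed.append("photo_id")

    if req.caller_phone == entry["phone"]:
        passed.append("callback_matches_directory")
    else:
        reasons.append("caller number differs from directory; call back on directory number")

    if verify_codeword(req.username, req.codeword):
        passed.append("codeword")
    else:
        reasons.append("code word missing or incorrect")

    in_person = "photo_id" in passed
    remote = "callback_matches_directory" in passed and "codeword" in passed
    approved = in_person or remote
    if not approved:
        reasons.append("neither in-person nor call-back+codeword path satisfied")

    return Decision(approved, passed, reasons if not approved else [],
                    entry["manager"] if approved else None, entry["phone"])
```

`evaluate` never returns the new password itself; `deliver_to` names the manager who gets it, following the suggestion in the thread that the boss, not the caller, receives the reset. The `callback_number` field is returned even on rejection so the tech sees which number the policy expects them to dial.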