RE: A question about how to validate a user's request to change a password or unlock their account

From: Jeff Smith (JSmith@Dentrix.com)
Date: 08/20/01


Message-ID: <14A4DCD7F3CED3118749009027DCBFE4024A9B2D@exchange.dentrix.com>
From: Jeff Smith <JSmith@Dentrix.com>
To: "'mark_l_jackson@iname.com'" <mark_l_jackson@iname.com>, "Mietlicki, Michael" <michael.mietlicki@tfn.com>, "'VanMeter, John'" <John.VanMeter@ost.dot.gov>, "SECURITY-BASICS (E-mail)" <SECURITY-BASICS@securityfocus.com>
Subject: RE: A question about how to validate a user's request to change a password or unlock their account
Date: Mon, 20 Aug 2001 12:00:10 -0600

Sorry for jumping into the middle of the conversation, but what about this
idea? When a user wants to reset the password, you reset it to something that
they should know but is not common knowledge, such as Social Security number
or home phone number, etc.

-----Original Message-----
From: Mark L. Jackson [mailto:mark_l_jackson@iname.com]
Sent: Wednesday, August 08, 2001 4:59 AM
To: Mietlicki, Michael; 'VanMeter, John'; SECURITY-BASICS (E-mail)
Subject: RE: A question about how to validate a user's request to change a password or unlock their account

> No NO NO!!! Password policies are set via the server which holds the user
> database .. usually the PDC. A user calling to "request a password change"
> and then specifying the password to be used is called "social engineering"

If it is not the actual user, yes that is true. He is not talking about
that.

> I would like to ask what everyone thinks about how to validate a user's
> request to change his password. Currently a user calls the helpdesk, gives
> his username and the helpdesk staff will change the password or unlock an
> account. I'm looking for some way to validate the user identity without
> putting undue pressure on anyone.
>
> At work we've talked about requiring the user to come down/up to the
> helpdesk, show a photo id, then the account could be unlocked or the
> password changed.

Depending on the size of the organization this might be a pain. There are far
better ways to do this. Besides, this will only infuriate people to the point
of rebellion.

>
> We've also talked about using a call back system, the user would call and
> leave their name with the helpdesk staff, then one of the helpdesk techs
> would look up that person's phone number, call them back, then the account
> could be unlocked or the password changed.

Works only if everyone has an extension, and it is up to date (who will take
care of that?). This is very time consuming also. I give it a week before the
complaints take up more time than your regular job duties do.

>
> Or we talked about using a code word, the user would call, supply a code
> word, the helpdesk tech would look up the word in a database and if the
> correct word was supplied the account could be unlocked or the password
> changed.

You could also have them answer a question that should be known only to
them. We require them to give us their employee ID, and then their full name.
Then we will ask 1 of 8 predetermined questions, which change yearly.

>
> What does every one think?

There are many people who say you should have your people jump through hoops
to get a new password. I don't agree. Those people tend to be on a power
trip, and out of touch with reality.

These things should be handled in one call, no more. Perfect security is
nonexistent, and a useless pursuit.
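As an added example (not code from the thread or from either poster), here is how the employee-ID, full-name and one-of-eight-questions check described above could be backed by a help-desk tool rather than a paper list: answers are stored salted and hashed, the tool picks which question to ask (the caller does not), every attempt is written to an audit list, and the record locks after a few failures so repeated guessing over several calls is caught. Function names, the three-failure threshold and the sample employee record are all assumptions.

```python
import hashlib, hmac, os, secrets
from dataclasses import dataclass

MAX_FAILURES = 3  # assumed lockout threshold; after this the help desk must escalate

def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so 'Denver ' and 'denver' match."""
    return " ".join(text.lower().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the normalised answer; the clear answer is never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)

@dataclass
class Employee:
    employee_id: str
    full_name: str
    salt: bytes
    answers: dict  # question id -> hashed answer; re-enrolled when the yearly question set rotates
    failures: int = 0

def enrol(employee_id: str, full_name: str, questions: dict) -> Employee:
    """Build a record from clear-text answers given at enrolment (constructed sample data in tests)."""
    salt = os.urandom(16)
    return Employee(employee_id, full_name, salt,
                    {q: hash_answer(a, salt) for q, a in questions.items()})

def pick_question(emp: Employee) -> str:
    """The tool chooses which enrolled question to ask; the caller never picks it."""
    return secrets.choice(sorted(emp.answers))

def verify(emp: Employee, claimed_id: str, claimed_name: str,
           question: str, answer: str, audit: list) -> bool:
    """True only if ID, name and the asked question's answer all match and the record is not locked."""
    if emp.failures >= MAX_FAILURES:
        audit.append(f"{claimed_id}: refused, record locked after {emp.failures} failures")
        return False
    ok_id = hmac.compare_digest(claimed_id.encode(), emp.employee_id.encode())
    ok_name = normalise(claimed_name) == normalise(emp.full_name)
    ok_answer = question in emp.answers and hmac.compare_digest(
        hash_answer(answer, emp.salt), emp.answers[question])
    if ok_id and ok_name and ok_answer:
        emp.failures = 0
        audit.append(f"{claimed_id}: verified via question {question}")
        return True
    emp.failures += 1
    audit.append(f"{claimed_id}: verification failed ({emp.failures}/{MAX_FAILURES})")
    return False
```

The audit list stands in for whatever ticketing or log system the help desk already uses; the point is that a reset is only performed after `verify` returns True and the attempt is recorded either way.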
