RE: A question about how to validate a user's request to change a password or unlock their account

From: Gage, William (william.gage@mtvi.com)
Date: 08/20/01


Subject: RE: A question about how to validate a user's request to change a password or unlock their account
Date: Mon, 20 Aug 2001 14:17:33 -0400
Message-ID: <C74257A0AF4592468AFB05C6E4B9C0FF02C5AD96@MTVINY1.mtvi.com>
From: "Gage, William" <william.gage@mtvi.com>
To: "Jeff Smith" <JSmith@Dentrix.com>, <mark_l_jackson@iname.com>, "Mietlicki, Michael" <michael.mietlicki@tfn.com>, "VanMeter, John" <John.VanMeter@ost.dot.gov>, "SECURITY-BASICS (E-mail)" <SECURITY-BASICS@securityfocus.com>

those examples of info, while not common knowledge, are
easy enough for malicious people to get from what i hear.
i mean, think of how many forms request that you put your
SSN down on them? SSN's are about as private at this
point as your home address.

i would think you'd really need either the physical presence,
of the user or digital signatures to verify a user's identity.

-w

-----Original Message-----
From: Jeff Smith [mailto:JSmith@Dentrix.com]
Sent: Monday, August 20, 2001 2:00 PM
To: 'mark_l_jackson@iname.com'; Mietlicki, Michael; 'VanMeter, John';
SECURITY-BASICS (E-mail)
Subject: RE: A question about how to validate a user's request to change a password or unlock their account

Sorry for jumping into the middle of the conversation, but what about this
idea? When a user wants to reset the password, you reset it to something
that they should know but is not common knowledge, such as Social Security
number or home phone number, etc.

-----Original Message-----
From: Mark L. Jackson [mailto:mark_l_jackson@iname.com]
Sent: Wednesday, August 08, 2001 4:59 AM
To: Mietlicki, Michael; 'VanMeter, John'; SECURITY-BASICS (E-mail)
Subject: RE: A question about how to validate a user's request to change a password or unlock their account

> No NO NO!!! Password policies are set via the server which holds the user
> database .. usually the PDC. A user calling to "request a password change"
> and then specifying the password to be used is called "social engineering"

If it is not the actual user, yes that is true. He is not talking about that.

> I would like to ask what everyone thinks about how to validate a user's
> request to change his password. Currently a user calls the helpdesk, gives
> his username and the helpdesk staff will change the password or unlock an
> account. I'm looking for some way to validate the user identity without
> putting undue pressure on anyone.
>
> At work we've talked about requiring the user to come down/up to the
> helpdesk, show a photo id then the account could be unlocked or
> the password
> changed.

Depending on the size of the organization this might be a pain. There are far
better ways to do this. Besides, this will only infuriate people to the point
of rebellion.

>
> We've also talked about using a call back system, the user would call and
> leave their name with the helpdesk staff, then one of the helpdesk techs
> would look up that person's phone number, call them back, then the account
> could be unlocked or the password changed.

Works only if everyone has an extension, and it is up to date (who will take
care of that?). This is very time consuming also. I give it a week before the
complaints take up more time than your regular job duties do.

>
> Or we talked about using a code word, the user would call and supply a code
> word, the helpdesk tech would look up the word in a database and if the
> correct word was supplied the account could be unlocked or the password
> changed.

You could also have them answer a question that should be known only to
them. We require them to give us their employee ID, and then their full name.
Then we will ask 1 of 8 predetermined questions which change yearly.

>
> What does everyone think?

There are many people who say you should have your people jump through hoops
to get a new password. I don't agree. Those people tend to be on a power
trip, and out of touch with reality.

These things should be handled in one call, no more. Perfect security is
nonexistent, and a useless pursuit.
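The code-word and predetermined-question schemes discussed in the thread both come down to a helpdesk looking up a stored secret and comparing it with what the caller says. The following is an added example, not code from any of the posters, showing how such a lookup table can be kept so that the stored answers are salted hashes rather than plain text (a leaked helpdesk database then does not hand out every user's SSN or code word), how answers are normalised before comparison so callers are not failed on capitalisation or spacing, and how a small failed-attempt counter locks the verification after a few wrong answers. The `EmployeeRecord` structure, the `MAX_ATTEMPTS` value of 3 and the sample enrolment data are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Assumed policy value for this example: wrong answers before the
# helpdesk verification path is locked and must be cleared manually.
MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so 'Main  St.' and 'main st.' compare equal."""
    return " ".join(text.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 of the normalised answer; only this digest is stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class EmployeeRecord:
    employee_id: str
    full_name: str                       # stored normalised
    answers: dict = field(default_factory=dict)  # question id -> (salt, digest)
    failed_attempts: int = 0
    locked: bool = False


def enroll(employee_id: str, full_name: str, question_answers: dict) -> EmployeeRecord:
    """Create a record with every answer stored as (random salt, PBKDF2 digest)."""
    stored = {}
    for qid, answer in question_answers.items():
        salt = os.urandom(16)
        stored[qid] = (salt, hash_answer(answer, salt))
    return EmployeeRecord(employee_id, normalize(full_name), stored)


def pick_question(record: EmployeeRecord) -> str:
    """Choose which enrolled question the helpdesk asks, using a CSPRNG so the
    caller cannot predict (or steer) which one comes up."""
    return secrets.choice(sorted(record.answers))


def verify(record: EmployeeRecord, claimed_name: str, qid: str, answer: str) -> bool:
    """Check name and one question answer; count failures and lock after MAX_ATTEMPTS."""
    if record.locked or qid not in record.answers:
        return False
    salt, expected = record.answers[qid]
    answer_ok = hmac.compare_digest(hash_answer(answer, salt), expected)
    name_ok = normalize(claimed_name) == record.full_name
    if answer_ok and name_ok:
        record.failed_attempts = 0
        return True
    record.failed_attempts += 1
    if record.failed_attempts >= MAX_ATTEMPTS:
        record.locked = True
    return False


def demo() -> bool:
    # Constructed sample enrolment; the IDs, names and answers are invented.
    directory = {
        "10042": enroll("10042", "Jane Doe", {"street": "Main St", "pet": "Rover"}),
    }
    record = directory["10042"]
    qid = pick_question(record)
    correct = {"street": " main  st ", "pet": "ROVER"}[qid]
    return verify(record, "jane doe", qid, correct)


if __name__ == "__main__":
    print("verified" if demo() else "rejected")
```

The record holds only salts and digests, so a helpdesk tech, or anyone who copies the table, cannot read the answers back; they can only confirm what a caller says. The lockout counter is deliberately separate from the account's login lockout, since the whole point of the call is that the user may already be locked out of the account.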
