RE: A question about how to validate a user's request to change a password or unlock their account
From: Jeff Smith (JSmith@Dentrix.com)
Date: 08/20/01
- Previous message: Sadler, Connie J: "RE: A question about how to validate a user's request to change a pas sword or unlock there account"
Message-ID: <14A4DCD7F3CED3118749009027DCBFE4024A9B2E@exchange.dentrix.com>
From: Jeff Smith <JSmith@Dentrix.com>
To: 'Meritt James' <meritt_james@bah.com>
Subject: RE: A question about how to validate a user's request to change a password or unlock their account
Date: Mon, 20 Aug 2001 12:32:08 -0600
There is always going to be a way to social engineer when people are
involved. Even photo IDs can be forged. I guess you could do genetic
testing but then you have a slight chance of someone being "close". I know
this is extreme and if you need that level of security great.

The way I handle it is I know everyone in the company (about 350
people so not too many). If someone wants to change their password they ask
me, I put in a temporary password and when they login it asks them to change
it (that way I don't know their password). If the person has access to
sensitive information then I make them jump through more hoops. This is
more to make them realize how important their account is. If it is a temp
then the immediate supervisor must request the password change. On an
enterprise level I don't think there would be a good solution. Maybe forget
your password, we forget to pay you. ;)
-----Original Message-----
From: Meritt James [mailto:meritt_james@bah.com]
Sent: Monday, August 20, 2001 12:11 PM
To: Jeff Smith
Cc: 'mark_l_jackson@iname.com'; Mietlicki Michael; 'VanMeter John';
SECURITY-BASICS (E-mail)
Subject: Re: A question about how to validate a user's request to change
a password or unlock their account
Asking for publicly available information - which should be on-hand for
almost any social engineering - is a bad idea...
V/R
Jim
Jeff Smith wrote:
>
> Sorry for jumping into the middle of the conversation but what about this
> idea? When a user wants to reset the password you reset it to something that
> they should know but is not common knowledge, such as Social Security number
> or home phone number, etc.
>
> -----Original Message-----
> From: Mark L. Jackson [mailto:mark_l_jackson@iname.com]
> Sent: Wednesday, August 08, 2001 4:59 AM
> To: Mietlicki, Michael; 'VanMeter, John'; SECURITY-BASICS (E-mail)
> Subject: RE: A question about how to validate a user's request to change
> a password or unlock their account
>
> > No NO NO!!! Password policies are set via the server which holds the user
> > database .. usually the PDC. A user calling to "request a password change"
> > and then specifying the password to be used is called "social engineering"
>
> If it is not the actual user, yes that is true. He is not talking about
> that.
>
> > I would like to ask what everyone thinks about how to validate a user's
> > request to change his password. Currently a user calls the helpdesk, gives
> > his username and the helpdesk staff will change the password or unlock an
> > account. I'm looking for some way to validate the user identity without
> > putting undue pressure on anyone.
> >
> > At work we've talked about requiring the user to come down/up to the
> > helpdesk, show a photo ID then the account could be unlocked or the password
> > changed.
>
> Depending on size of organization this might be a pain. There are far better
> ways to do this. Besides this will only infuriate people to the point of
> rebellion.
>
> > We've also talked about using a call back system, the user would call and
> > leave their name with the helpdesk staff, then one of the helpdesk techs
> > would look up that person's phone number and call them back, then the account
> > could be unlocked or the password changed.
>
> Works only if everyone has an extension, and it is up to date (who will take
> care of that?). This is very time consuming also. I give it a week before the
> complaints take up more time than your regular job duties do.
>
> > Or we talked about using a code word, the user would call and supply a code
> > word, the helpdesk tech would look up the word in a database and if the
> > correct word was supplied the account could be unlocked or the password
> > changed.
>
> You could also have them answer a question that should be known only to
> them. We require them to give us their employee ID, and then their full name.
> Then we will ask 1 of 8 predetermined questions which change yearly.
>
> > What does everyone think?
>
> There are many people who say you should have your people jump through hoops
> to get a new password. I don't agree. Those people tend to be on a power
> trip, and out of touch with reality.
>
> These things should be handled in one call, no more. Perfect security is
> nonexistent, and a useless pursuit.
--
James W. Meritt, CISSP, CISA
Booz, Allen & Hamilton
phone: (410) 684-6566
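The checks discussed in this thread (employee ID plus full name plus one of a bank of predetermined questions, a callback to the phone number on file rather than one the caller gives, a supervisor request for temps, and a temporary password the user must change at first login) fit together into one helpdesk workflow. The following is an added example, not code from the thread or from any of the posters; the employee records, question bank, phone numbers and the `HelpdeskReset` class are constructed for illustration.

```python
"""Added example: a helpdesk password-reset verification flow (constructed,
not from the mailing-list thread). Answers are stored salted-and-hashed,
failures give one generic result, and the temp password expires."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000
MAX_FAILED_ATTEMPTS = 3          # then a human (helpdesk lead) must unlock the record
TEMP_PASSWORD_TTL = 15 * 60      # seconds the temp password stays usable


def normalize(text: str) -> str:
    """Case- and whitespace-insensitive so 'Elm Street' matches 'elm  street'."""
    return " ".join(text.lower().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so a copied answer table is not directly usable by a tech or thief."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Employee:
    employee_id: str
    full_name: str
    directory_phone: str                      # callback target; never taken from the caller
    answers: Dict[str, Tuple[bytes, bytes]]   # question -> (salt, digest)
    is_temp: bool = False
    supervisor_id: Optional[str] = None
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class TempPassword:
    employee_id: str
    value: str
    expires_at: float
    must_change: bool = True                  # login system forces a change, tech never learns the real one


QUESTIONS = ["first_car", "childhood_street"]   # constructed question bank (rotate yearly)


def build_demo_directory() -> Dict[str, Employee]:
    """Constructed sample records; real data would come from the HR directory."""
    return {
        "E100": Employee("E100", "Alice Example", "555-0100",
                         {"first_car": hash_answer("Honda Civic"),
                          "childhood_street": hash_answer("Elm Street")}),
        "T200": Employee("T200", "Tom Temp", "555-0200",
                         {"first_car": hash_answer("Ford")}, is_temp=True, supervisor_id="E100"),
    }


class HelpdeskReset:
    def __init__(self, directory: Dict[str, Employee], questions: List[str], now=time.time):
        self.directory, self.questions, self.now, self.audit = directory, questions, now, []

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"t": self.now(), "event": event, **fields})

    def pick_question(self) -> str:
        """The tech reads a randomly chosen question; the caller never picks it."""
        return secrets.choice(self.questions)

    def verify_caller(self, employee_id: str, full_name: str, question: str,
                      answer: str, requested_by: Optional[str] = None) -> bool:
        """Single generic False for every failure, so the tech cannot tell the caller
        which of ID / name / answer / supervisor requirement was the problem."""
        emp = self.directory.get(employee_id)
        if emp is None or emp.locked:
            self._log("verify_failed", employee_id=employee_id, reason="unknown_or_locked")
            return False
        if emp.is_temp and requested_by != emp.supervisor_id:
            self._log("verify_failed", employee_id=employee_id, reason="temp_without_supervisor")
            return False
        stored = emp.answers.get(question)
        name_ok = hmac.compare_digest(normalize(full_name).encode(), normalize(emp.full_name).encode())
        answer_ok = stored is not None and hmac.compare_digest(stored[1], hash_answer(answer, stored[0])[1])
        if not (name_ok and answer_ok):
            emp.failed_attempts += 1
            emp.locked = emp.failed_attempts >= MAX_FAILED_ATTEMPTS
            self._log("verify_failed", employee_id=employee_id, reason="mismatch", attempts=emp.failed_attempts)
            return False
        emp.failed_attempts = 0
        self._log("verify_ok", employee_id=employee_id, requested_by=requested_by)
        return True

    def callback_number(self, employee_id: str) -> str:
        """Tech hangs up and calls this number; a caller-supplied number is never used."""
        return self.directory[employee_id].directory_phone

    def issue_temp_password(self, employee_id: str) -> TempPassword:
        value = secrets.token_urlsafe(12)
        self._log("temp_password_issued", employee_id=employee_id)
        return TempPassword(employee_id, value, self.now() + TEMP_PASSWORD_TTL)

    def is_temp_password_valid(self, tp: TempPassword) -> bool:
        return self.now() < tp.expires_at
```

The order of a call would be: look up the ID, confirm the name, ask the chosen question, hang up and call the directory number back, then issue the temp password. The audit list records every attempt, which is what makes a run of failed verifications against one account visible; the lockout after three mismatches stops a caller from working through the whole question bank on a single ticket.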