Re: How to tell a user their password?

From: Yuval Kashtan (yuvalkashtan_at_gmail.com)
Date: 10/30/04

    Date: 30 Oct 2004 03:57:29 -0700
    
    

    "Colin B." <cbigam@somewhereelse.nucleus.com> wrote in message news:<41783624_2@news.nucleus.com>...
    > In comp.security.unix Western Larch <larix_occidentalis@yahoo.com> wrote:
    > > Hi,
    > >
    > > What's considered good practice about telling users
    > > their passwords? Any kind of a scheme that involves
    > > writing it down or saying it out loud has the potential
    > > (if you're paranoid -- ha ha, only serious) for
    > > looking over the shoulder or eavesdropping.
    > >
    > > Are there schemes for revealing passwords such that
    > > even if the password is compromised, the effect is
    > > harmless?
    >
    > Give them a default password, expire it immediately, and force them to
    > change it on the spot.

    For the complete paranoid, the above solution contains inherent
    compromising risk: no matter how you tell the users their new expiring
    password, someone might overhear it and use it before they do.

    The solution is to do password reset in front of the people and let
    them choose their new password on the spot. In this manner, the
    password is saved in their brain and in the computer (hopefully the
    computer system knows how to protect the password well, otherwise the
    whole process is worthless), which is the best solution I can think
    of.

    If you're really paranoid and want to avoid the possibility of the
    resetter (whoever is responsible for resetting passwords) knowing
    the password (he can look at the keyboard and know what was typed), you
    can connect 2 keyboards to the computer and make sure they sit in
    front of each other in such a way that the keyboards are hidden.

    Another problem that has to be dealt with is that this officer can reset
    passwords and no one will know (until the user complains about
    it). The solution is to have all user and password related
    activities monitored by a 3rd person whose sole responsibility is monitoring
    (preferably by some central console mechanisms). This of course might
    raise the risk that the 2 people will group together. But if you
    choose the right people for these 2 jobs, the risk is minimal.

    Extreme paranoia costs…
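
    An added example, not part of the original post or thread: a check a monitoring role could run to confirm that accounts given a default password were actually expired for change at first login, as the quoted reply suggests. It assumes Linux shadow(5) records, where a `lastchg` value of 0 forces a change at next login; the sample lines and the list of reset accounts are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in shadow(5) layout:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
alice:$6$constructed$hashA:0:0:90:7:::
bob:$6$constructed$hashB:12721:0:90:7:::
carol:!:12700:0:90:7:::
dave:$6$constructed$hashD::0:99999:7:::
"""

@dataclass
class ShadowEntry:
    name: str
    locked: bool            # hash field starts with '!' or '*': no usable password
    lastchg: Optional[int]  # None = aging disabled, 0 = must change at next login

def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed shadow line for {fields[0]!r}")
        name, pw, lastchg = fields[0], fields[1], fields[2]
        entries.append(ShadowEntry(name, pw.startswith(("!", "*")),
                                   int(lastchg) if lastchg else None))
    return entries

def resets_without_forced_change(text: str,
                                 reset_accounts: List[str]) -> List[Tuple[str, str]]:
    """Return (account, reason) for each reset account whose admin-set
    password stays valid without a forced change at next login."""
    by_name = {e.name: e for e in parse_shadow(text)}
    findings = []
    for name in reset_accounts:  # hypothetical list supplied by the monitor
        entry = by_name.get(name)
        if entry is None:
            findings.append((name, "no shadow entry"))
        elif entry.locked:
            continue  # nobody can log in with this password
        elif entry.lastchg != 0:
            findings.append((name, "admin-set password not expired"))
    return findings
```

    Any account it reports still has a password that the person who set it knows and can keep using.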

