As a consultant would answer.... It depends! (Usually on consulting time billable ;-))
 
Depends on the size of the 'shop'; if the users are personally known to the administrator it would be low risk for a password reset to be done over the phone.  As part of an audit report this is not best practice and can be highlighted as a finding.  If passwords are used as the only authentication mechanism, we can assume that the information we are trying to protect is classified lower than 'secret'.  If it was secret we would have used tokens or some other physical method of authentication assistance.
 
Another recommendation that you can make due to high password 'change requests' is to define a level of incompetence and recommend simple awareness training.  This means if the user forgot his password, say, four times during the last quarter, he/she has to sit through company introductory information security awareness training irrespective of how many years of service he has.  In practical experience from a 29,000-user company we had 3000 users forgetting their passwords a month, which came down to about 500 a month after the 'awareness training' came into effect.
 
Some companies leave the password only on the voicemail system within the telephone system.  You need a PIN to extract your voice messages.  Very neat!  Another idea is to have an SMS gateway to your mobile phone and SMS the password to your cell/mobile phone, also very effective as now a password _change_ does have 'something you have' as well.
 
On the phone you can have a personal database about the user which you can use to verify.  This can be captured during the employment process.  When a user would like to have his password changed, he has to answer questions like...
 
- What is your mother's maiden name?
- What is your brother's dog's name? etc.
 
Additional compensating controls are key here.

Best Regards
Mervin Pearce (CISA, CISSP)
Security Audit and Control Solutions
http://www.sacs.co.za
mailto:[EMAIL PROTECTED]
Tel: +27-11-913-0041
Fax: +27-11-896-1323
Mobile: +27-83-255-5356

Download the latest training booklet http://www.sacs.co.za/Download/SACSTraining.pdf
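The 'level of incompetence' rule above (four forgotten passwords in a quarter triggers awareness training) and the before/after monthly counts are easy to derive from a help-desk reset log. The script below is an added illustration, not part of the original thread or of any product named in it; the log format and the sample records are constructed, and the four-per-quarter threshold is the one the reply proposes.

```python
"""Flag repeat password-reset requesters from a help-desk reset log.

Added example, not from the original mailing-list thread.  The record
format (user, reset date) and the sample data are constructed; the
threshold of four resets per quarter is the one proposed in the reply.
"""
from collections import defaultdict
from datetime import date

# Constructed sample of help-desk reset records: (user, date of reset).
SAMPLE_RESETS = [
    ("alice", date(2002, 1, 3)),
    ("alice", date(2002, 1, 20)),
    ("alice", date(2002, 2, 14)),
    ("alice", date(2002, 3, 2)),   # fourth reset in 2002-Q1 -> training
    ("bob",   date(2002, 2, 1)),
    ("bob",   date(2002, 4, 9)),   # falls in Q2, counted separately
    ("carol", date(2002, 3, 30)),  # last day of Q1
    ("carol", date(2002, 4, 1)),
    ("carol", date(2002, 4, 2)),
    ("carol", date(2002, 4, 3)),   # only three in Q2: not flagged
]

TRAINING_THRESHOLD = 4  # resets per quarter, per the reply above


def quarter_of(d: date) -> str:
    """Label a date with its calendar quarter, e.g. '2002-Q1'."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def resets_per_user_quarter(records):
    """Count resets for each (user, quarter) pair."""
    counts = defaultdict(int)
    for user, d in records:
        counts[(user, quarter_of(d))] += 1
    return dict(counts)


def users_needing_training(records, threshold=TRAINING_THRESHOLD):
    """Return sorted (user, quarter) pairs at or above the threshold."""
    counts = resets_per_user_quarter(records)
    return sorted(key for key, n in counts.items() if n >= threshold)


def monthly_reset_rate(records):
    """Resets per calendar month; use it to track the effect of training
    over time (the reply quotes roughly 3000/month falling to 500/month)."""
    per_month = defaultdict(int)
    for _, d in records:
        per_month[f"{d.year}-{d.month:02d}"] += 1
    return dict(sorted(per_month.items()))


if __name__ == "__main__":
    for user, quarter in users_needing_training(SAMPLE_RESETS):
        print(f"{user}: {quarter} -> schedule awareness training")
    for month, n in monthly_reset_rate(SAMPLE_RESETS).items():
        print(f"{month}: {n} resets")
```

In a real deployment the records would come from the help-desk ticketing system rather than an inline list; the quarter bucketing matters because a run of resets that straddles a quarter boundary (carol above) is deliberately not counted as one streak.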

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ortiz, Benjamin Vincent G.
Sent: 26 April 2002 02:38
To: [EMAIL PROTECTED]
Subject: [AuditPrograms-L] - Password resetting

Hi,
 
I was wondering if anyone can tell me what the best practices are for password resetting?
 
I'm currently auditing our E-mail system & procedures. I found that a lot of our sales people keep
forgetting their e-mail account passwords and call the Administrator directly. The Admin resets
the account and gives the new password over the phone.
Isn't this a "risky" procedure?
 
I've recommended calling their supervisors first so that the burden of verifying the identity of the
caller is put on a more reliable person than the Admin. The sup informs the Admin, the Admin resets
the account and gives the password to the sup, the sup then relays the password to his staff.
This recom has met some resistance from the users. What do you guys think?
 

Benj Ortiz
Internal Audit Dept.
Petron Corporation
38/F Petron MegaPlaza Bldg.
358 Sen. Gil Puyat Ave.
Makati City 1200
Philippines
(632) 886-3888 loc. 3830
