RE: [AuditPrograms-L] - Password resetting

[Kaplan, Jim]

Check the following for best practices in passwords:   www.more.net/security/password.html www.psynch.com/docs/best_practices.html   From Harvard IA Department   Password Practices The conscientious management of password practices and selection is a key element of current information security. Passwords are keys controlling system access, and because today's distributed computing environments are increasingly interconnected (networked), password protection is in everyone's best interest. With sophisticated password cracking programs available freely to anyone, and our data and systems available on networks, adopting and abiding by secure password procedures has become a vital and shared computer responsibility. The compromise of any single computer system or account through the revelation or theft of a single password can place whole communities of data in jeopardy. Train Users on choosing a password that has a minimum length of eight characters and is comprised of letters, numbers and/or special characters. Require users to change their passwords periodically to minimize exposure of a compromised password. -----Original Message----- From: Ortiz, Benjamin Vincent G. [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 25, 2002 8:38 PM To: [EMAIL PROTECTED] Subject: [AuditPrograms-L] - Password resetting Hi,   I was wondering if anyone can tell me what the best practices are for password resetting?   I'm currently auditing our E-mail system & procedures. I found that a lot of our sales people keep forgetting their e-mail account passwords and calls the Administrator directly. The Admin resets the account and gives the new password over the phone. Isn't this a "risky" procedure?   I've recommended calling their supervisors first so that the burden of verifying the identity of the caller is put on a more reliable person than the Admin. The sup informs the Admin, the Admin resets the account and gives the password to the sup, the sup then relays the password to his staff. This recom has met some resistance from the users. What do you guys think?   Benj Ortiz Internal Audit Dept. Petron Corporation 38/F Petron MegaPlaza Bldg. 358 Sen. Gil Puyat Ave. Makati City 1200 Philippines (632) 886-3888 loc. 3830