1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Password Reset Security

Discussion in 'Computer Security' started by Fergal1982, Oct 20, 2005.

  1. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    Hey Guys.

    OK, at my work, we have very little in the way of password security (and no, im NOT naming the company! lol), think "ive forgotten my password" "thats it reset for you".

    Now we're looking into options to increase security, and i was wondering if anyone (looks at phoenix :biggrin ) can suggest some security methods that could be used.

    There has been suggestion of using a security question (like mothers maiden name, etc), but that doesnt really work too much, its just a very basic level of deterrant.

    Im going to take a look at BS7799 at some point (security Standard), so that might have an effective technique for password security, but i was wondering if anyone had any suggestions?

    Thanks
    Fergal
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  2. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
    Retinal Scanners!

    Ok, so that's perhaps a bit drastic! :blink

    How about passwords that require at least one number and one capital letter in them, and cannot contain the persons name?
     
  3. moominboy

    moominboy Gigabyte Poster

    may be expensive, but biometrics?
     
    Certifications: ECDL
    WIP: A+
  4. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    simple
    make them come in to the IT office in person
    the place i used to work for was BS7799 certified and we had nothing clever in the way of password reset policies
    but if they come in in person, it cant be a social engineering trick (assuming you know who works for you and who doesnt)
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  5. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    The problem with that is that we are a central servicedesk, servicing people around the UK, and only servicedesk can reset passwords.

    forcing the capital, etc is a good idea, but im more looking at when they forget the password, how we add a level of security to ensure the person is who they say they are.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  6. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,199
    125
    199
    reset the password to the persons DOB?

    8)
     
  7. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    We require our customers to provide 3 pieces of security info before discussing their account. What kind of records for your users available to you that you could cross-check against, Fergal ? I mean, if you could ask NI number, or employers' payroll number, then your off to a flyer...
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  8. d-Faktor
    Honorary Member

    d-Faktor R.I.P - gone but never forgotten.

    810
    0
    39
    at a former client they used two things. first when a remote user would call to ask for a password reset, the helpdesk procedure was to call back the user on their registered business cell phone. that way chances were high that they were indeed talking to the correct person.
    the other thing was that the user would have to supply a pin code, one that the helpdesk could check. the user also would have a so-called holdup code, which was their pin code +1. in case the user was forced to give the pin code, he could supply the holdup code. if the helpdesk would then be given the holdup code, instead of the valid pin code, they would know things were not okay and they would immediately lock the account.
     
  9. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    Damn that's clever, if somewhat sinister !
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  10. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    At present we dont have access to anything but past call logs, and email addresses. Not everyone has mobiles that they use for work use.

    hmmm. we are looking at making and populating a list of questions (mothers maiden name), and refusing to change passwords without that authorisation. but it IS only really a deterrant.

    Fergal
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  11. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    id go with something other than publicly available information, one thing that pisses me off is places that tell me to pick a long password, which i do anyway, but then force me to negate that with a piece of piss security question that can be found in public archives!
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  12. Veteran's son

    Veteran's son Megabyte Poster

    915
    2
    55
    Good point, Phoenix! :)
     
    Certifications: A+
    WIP: N+
  13. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    of course, the problem with some of this, is you have to bear in mind that it is something the user (if they are not utter morons) will be using this question/PIN far FAR less often than their password.

    One option is to allow them to set their own question. This creates diversity, meaning that a hacker would have no idea what question was being asked, and decreases the odds of the answer being readily available. Of course, to be fully effective you would have to NOT ask the question, simply request the answer, but that just comes back to a PIN code/password that a user will forget. DOB is out, since its again (as phoenix points out) public domain.

    another comsideration is that a users line manager is permitted to request a password reset, this will mean users maintaining a record in AD of their line managers username, so that if they call, we can revert to their security question for verification, meaning that only the listed person is authorised to make the request.

    its all about levels of complexity at the end of the day. Too secure means too complex, which means that its more likely for users to forget what they need to remember. Too simple almost inevitably (at least in this scenario) leads to almost total insecurity.

    Fergal
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  14. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    5,726
    175
    221
    AD already has a manager field, so you wont have to do any schema hacking
    so thats a good start
    you could have it so a manager must request it, but the user is contacted directly with the new password, thus a two person system, which an only be breached if the two are working together
    a manager requesting without user consent would need to go via hr for DPA considerations anyway,

    so Manager requests
    User is contacted, if user has no clue, problem discovered

    if manager needs access without user consent, hr makes the initial call, manager is called with new password


    off the top of my head, there are likely to be holes in it, but it fits in with your current set up, unless you want to verify managers ID too, but with the dual user authentication that shouldnt be such a big issue
    as a manager acting independant of the employee would be found out
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  15. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    ...or you could just give everyone the same 4 digit password and advise them to write it on a yellow Post-it and stick it to their monitors - VIOLA - who needs security ? :rolleyes:
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  16. moominboy

    moominboy Gigabyte Poster


    remember to laminate the post-it too, otherwise it'll get all smudgy .....
     
    Certifications: ECDL
    WIP: A+
  17. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    how about we change the password daily, and have a big LCD in the reception declaring todays password?
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  18. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    Nah, have it outside m8, just in case any of them have lost their pass-keys to get into the building !
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  19. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    what a good idea. thats VERY good. might have to suggest that, i see a big fat bonus coming my way.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  20. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,915
    60
    229
    I don't charge TOO much for technical consultancy, Fergal - will send you my invoice,
     
    Certifications: MCP, A+, Network+
    WIP: Clarity

Share This Page

Loading...