Password Recovery Policy

Discussion in 'Computer Security' started by Fergal1982, Dec 15, 2006.

  1. Fergal1982
    We're currently reviewing our password recovery policy to determine the best way to verify a user if they require a password reset.

    The obvious solution that comes to mind is to have them set a question and answer, and ask them to answer it if they need it reset. But there's a couple of scenarios that need to be considered for this. Most importantly, how do we proceed in the event that they answer their own question wrong?

    How does your work operate with password recovery? Do they use this system? If so, how do they get around the above issue? Or do you use a completely different system that's more secure?

    If you have any suggestions on the best way to operate a system like this I'd be more than happy to hear them. I'm concerned that this system may not really be all that secure.

    Cheers,
    Fergal
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  2. Boycie
    Hi Fergal,

    Where I work there aren't that many staff and we all know each other, so it isn't an issue.

    I know someone who manages offices that are networked together and he uses the date of birth as a security measure (he is at a different site).

    No excuses with that one - if you don't know your own birthday, you ain't having your password reset.

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  3. Fergal1982
    I have major issues with that, or mother's maiden name, etc., since these are in the public domain and can be easily accessed if you know how.

    The other concern is that I don't think they want IT to have access to that information.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  4. Mr.Cheeks
    At my one, the security managers were thinking about applying this policy...

    The questions, IIRC, would have been:

    1 - DOB

    2 - Nearest bus stop (you had to name the road)

    3 - Name of your first pet/school

    The question would have been asked by email, but when you submit your reply it would go through a secure page with an ID for your account (yes, someone could look at what you're typing), but these questions would change every 28 days.

    The questions were given out by the helpdesk when users were asking about any sort of security issue...
     
  5. Boycie
    What about the first half of their NI number followed by their DOB and house number or name at the end?

    Again, this would depend on the IT department having access to the HR side of things.

    Si
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  6. hbroomhall
    I manage a ticketing system at work, and my rule about this is that any addition or change for a user has to be countersigned by the manager for that section.

    Thus I only have to know the managers, and this reduces the number of people I need to recognize from over a hundred to about 8!

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  7. Baba O'Riley
    We used to have this problem but we've just rolled out a new piece of software. The first time a user logs on after it's installed, they have to enter three questions and corresponding answers. The software adds a "forgot password" box to the Windows log-on dialogue; if they've forgotten their password they have to answer the three questions and then they can enter a new password. If they get the questions wrong three times on the trot they get locked out and then we have to unlock them. As you can imagine, it's significantly cut down the number of calls we get of this type. I think it only cost us about £2000 to license the entire office (about 1000 users). I'm not at work until next year now, but if anyone's interested, I'll email work to find out what it's called because I've forgotten.
     
    Certifications: A+, Network+
    WIP: 70-270
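The flow Baba O'Riley describes (enrol three question/answer pairs at first log-on, answer all three to set a new password, lock after three wrong attempts, helpdesk unlocks) maps onto a small self-service reset module. The following is an added example, not the vendor product mentioned in the post and not code from anyone in this thread. It assumes an in-memory store standing in for the directory, salted PBKDF2 hashes for the answers so the helpdesk never sees them in clear (one of Fergal's concerns above), case- and whitespace-insensitive answer matching, and a check that evaluates every answer before reporting failure so the response doesn't reveal which answer was wrong. The `SelfServiceReset` class, its method names and the sample questions are all illustrative.

```python
"""Self-service password reset with enrolled security questions.

Added example: an in-memory model of the enrol / answer / lockout / unlock
flow, not the product described in the post. Storage, hashing parameters
and method names are assumptions for illustration.
"""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass

REQUIRED_QUESTIONS = 3      # user enrols three question/answer pairs
MAX_ATTEMPTS = 3            # third wrong attempt locks self-service reset
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def normalise(answer: str) -> str:
    """Case- and whitespace-insensitive form so 'Rover ' matches 'rover'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; used for both answers and the new password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class ResetProfile:
    questions: list              # (question, salt, hashed normalised answer)
    failed_attempts: int = 0
    locked: bool = False


class SelfServiceReset:
    def __init__(self) -> None:
        self.profiles: dict = {}          # user -> ResetProfile
        self.password_hashes: dict = {}   # user -> salt + hash (stand-in for the directory)

    def enrol(self, user: str, qa_pairs: list) -> None:
        """First log-on: record three distinct questions; answers stored only as hashes."""
        if len(qa_pairs) != REQUIRED_QUESTIONS:
            raise ValueError(f"exactly {REQUIRED_QUESTIONS} question/answer pairs required")
        if len({q for q, _ in qa_pairs}) != REQUIRED_QUESTIONS:
            raise ValueError("questions must be distinct")
        entries = []
        for question, answer in qa_pairs:
            salt = os.urandom(SALT_LEN)
            entries.append((question, salt, hash_secret(normalise(answer), salt)))
        self.profiles[user] = ResetProfile(entries)

    def challenge(self, user: str) -> list:
        """The questions shown in the 'forgot password' box."""
        return [q for q, _, _ in self.profiles[user].questions]

    def reset_password(self, user: str, answers: list, new_password: str) -> bool:
        """All answers must match; a wrong attempt counts, and the third locks the account."""
        profile = self.profiles.get(user)
        if profile is None or profile.locked:
            return False
        all_ok = True
        for i, (_, salt, expected) in enumerate(profile.questions):
            given = answers[i] if i < len(answers) else ""
            # check every answer, never short-circuit: no hint which one was wrong
            if not hmac.compare_digest(hash_secret(normalise(given), salt), expected):
                all_ok = False
        if not all_ok:
            profile.failed_attempts += 1
            if profile.failed_attempts >= MAX_ATTEMPTS:
                profile.locked = True
            return False
        profile.failed_attempts = 0
        salt = os.urandom(SALT_LEN)
        self.password_hashes[user] = salt + hash_secret(new_password, salt)
        return True

    def verify_password(self, user: str, password: str) -> bool:
        stored = self.password_hashes.get(user)
        if stored is None:
            return False
        salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
        return hmac.compare_digest(hash_secret(password, salt), digest)

    def helpdesk_unlock(self, user: str) -> None:
        """Manual unlock after a lockout; the helpdesk never learns the answers."""
        profile = self.profiles[user]
        profile.locked = False
        profile.failed_attempts = 0
```

Whether the lockout should also block the normal log-on, as the post implies, is a policy choice; here it only disables self-service reset, so a locked user can still log in if they remember the password, and only the reset path needs the helpdesk.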
  8. steveh2001
    Old thread, I know, but our policy at work is that we need an email from a user's colleague to do any password reset. If any issues arise from the reset, the liability would then rest on the colleague.
     
    Certifications: A+,N+,CommVault,MCSA/MCSE 2003,VCP 4.1.
    WIP: ?
  9. GW
    When I worked on a Naval base on the Helpdesk, what was set up for password resets was that the person gets in contact with their department's IT contact (there were two per department), and that person sends an e-mail to the Helpdesk and then follows up with a phone call to the Helpdesk.

    This way, out of the thousand+ users on the base there were about 30 people that I had to know.

    GW
     
    Certifications: MCP x4, CompTia x3
    WIP: Cisco CCNA
