Password Reset Security

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hey Guys.

OK, at my work, we have very little in the way of password security (and no, im NOT naming the company! lol), think "ive forgotten my password" "thats it reset for you".

Now we're looking into options to increase security, and i was wondering if anyone (looks at phoenix ) can suggest some security methods that could be used.

There has been suggestion of using a security question (like mothers maiden name, etc), but that doesnt really work too much, its just a very basic level of deterrant.

Im going to take a look at BS7799 at some point (security Standard), so that might have an effective technique for password security, but i was wondering if anyone had any suggestions?

Thanks
Fergal

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Retinal Scanners!

Ok, so that's perhaps a bit drastic!

How about passwords that require at least one number and one capital letter in them, and cannot contain the persons name?

 

may be expensive, but biometrics?

 

simple
make them come in to the IT office in person
the place i used to work for was BS7799 certified and we had nothing clever in the way of password reset policies
but if they come in in person, it cant be a social engineering trick (assuming you know who works for you and who doesnt)

 

The problem with that is that we are a central servicedesk, servicing people around the UK, and only servicedesk can reset passwords.

forcing the capital, etc is a good idea, but im more looking at when they forget the password, how we add a level of security to ensure the person is who they say they are.

 

reset the password to the persons DOB?

 

We require our customers to provide 3 pieces of security info before discussing their account. What kind of records for your users available to you that you could cross-check against, Fergal ? I mean, if you could ask NI number, or employers' payroll number, then your off to a flyer...

 

at a former client they used two things. first when a remote user would call to ask for a password reset, the helpdesk procedure was to call back the user on their registered business cell phone. that way chances were high that they were indeed talking to the correct person.
the other thing was that the user would have to supply a pin code, one that the helpdesk could check. the user also would have a so-called holdup code, which was their pin code +1. in case the user was forced to give the pin code, he could supply the holdup code. if the helpdesk would then be given the holdup code, instead of the valid pin code, they would know things were not okay and they would immediately lock the account.

 

Damn that's clever, if somewhat sinister !

 

At present we dont have access to anything but past call logs, and email addresses. Not everyone has mobiles that they use for work use.

hmmm. we are looking at making and populating a list of questions (mothers maiden name), and refusing to change passwords without that authorisation. but it IS only really a deterrant.

Fergal

 

id go with something other than publicly available information, one thing that pisses me off is places that tell me to pick a long password, which i do anyway, but then force me to negate that with a piece of piss security question that can be found in public archives!

 

Good point, Phoenix!

 

of course, the problem with some of this, is you have to bear in mind that it is something the user (if they are not utter morons) will be using this question/PIN far FAR less often than their password.

One option is to allow them to set their own question. This creates diversity, meaning that a hacker would have no idea what question was being asked, and decreases the odds of the answer being readily available. Of course, to be fully effective you would have to NOT ask the question, simply request the answer, but that just comes back to a PIN code/password that a user will forget. DOB is out, since its again (as phoenix points out) public domain.

another comsideration is that a users line manager is permitted to request a password reset, this will mean users maintaining a record in AD of their line managers username, so that if they call, we can revert to their security question for verification, meaning that only the listed person is authorised to make the request.

its all about levels of complexity at the end of the day. Too secure means too complex, which means that its more likely for users to forget what they need to remember. Too simple almost inevitably (at least in this scenario) leads to almost total insecurity.

Fergal

 

AD already has a manager field, so you wont have to do any schema hacking
so thats a good start
you could have it so a manager must request it, but the user is contacted directly with the new password, thus a two person system, which an only be breached if the two are working together
a manager requesting without user consent would need to go via hr for DPA considerations anyway,

so Manager requests
User is contacted, if user has no clue, problem discovered

if manager needs access without user consent, hr makes the initial call, manager is called with new password


off the top of my head, there are likely to be holes in it, but it fits in with your current set up, unless you want to verify managers ID too, but with the dual user authentication that shouldnt be such a big issue
as a manager acting independant of the employee would be found out

 

...or you could just give everyone the same 4 digit password and advise them to write it on a yellow Post-it and stick it to their monitors - VIOLA - who needs security ?

 

remember to laminate the post-it too, otherwise it'll get all smudgy .....

 

how about we change the password daily, and have a big LCD in the reception declaring todays password?

 

Nah, have it outside m8, just in case any of them have lost their pass-keys to get into the building !

 

what a good idea. thats VERY good. might have to suggest that, i see a big fat bonus coming my way.

 

I don't charge TOO much for technical consultancy, Fergal - will send you my invoice,