Date: 12 July 2002
To: I0001089 EXTERNAL
From: John Hanson GBSAFE00 SFWY2-3, atrium SW
Subject: RE: Methods for distributing passwor

Problem with this solution alone is the potential breach of segregation of duties, i.e. where high value/risk activities are controlled by having employees only Requisition a change and Supervisors only Authorise. Giving the employee's password to the Supervisor allows them to Requisition as well, without the risk of involving the employee in collusion.

--------------------------------------------------------------------------
Date: July 12, 2002
From: Burton M. Strauss III {SMTP:[EMAIL PROTECTED]} - EXTERNAL
To: [EMAIL PROTECTED] -
cc: [EMAIL PROTECTED] -
Subject: RE: Methods for distributing password change info to disconn
------------------------------------------------------------

One way to do this is to push it out to the direct supervisor. I.e. user x calls in, you perform some validation and then send the new password (securely) to their direct supervisor. The user then has to contact the supervisor to retrieve the new password. Which, of course, you then force them to change.

It tends to make people remember passwords (or write them down, but that's another issue), since there is nothing quite like calling your boss and giving him/her a brass plated opportunity to remind you how stupid you are.

Besides, that's the one individual in the organization who probably CAN reliably ID somebody.

-----Burton

-----Original Message-----
From: Led Slinger {mailto:[EMAIL PROTECTED]}
Sent: Thursday, July 11, 2002 10:24 AM
To: [EMAIL PROTECTED]
Subject: Methods for distributing password change info to disconnected users

Looking to see if anyone has a new and unique trick for distributing passwords to users that request to have their password reset remotely. I am basically referring to Enterprise Directory passwords. We have many users in many locations around the globe and it is not practical to hand carry every password to a user when she/he forgets theirs.

Since Email is tied to ED as well, we cannot provide the password through that system, and the fact that not all of our sales force and consultants have voicemail makes it difficult to distribute it to them that way as well. We have a 24x7 Call Center, but then you run into the problem of trying to authenticate voices over the phone, and with 7000+ possible voices that is probably not feasible either. We've thought about obscure web links that are one time use, but it comes right back to authenticating the individual that is calling. We've even considered using some type of token device, with the thought that providing them a password over the phone would be fairly safe if the corporate authentication were two-factor, but if I copped a briefcase with the business cards and token inside, I could probably devise a social engineering plot to get in.

Am I simply trying too hard to cover every conceivable issue that MAY arise, or is there a better, cheaper, and equally effective plan out there?

Thanks in advance for any help you can provide

Leds!

--
There's nothing wrong with Windows until you install it........

John Hanson
Information Security

****************************************************************************
Unencrypted electronic mail is not secure and may not be authentic. If you have any doubts as to the contents please telephone to confirm. The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems, please notify the originator immediately. The unauthorised use, disclosure, copying or alteration of this message is strictly forbidden. Opinions, conclusions and other information expressed in this message are not given or endorsed by Safeway unless otherwise indicated by an authorised representative independent of this message.
****************************************************************************
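The reset flow Burton describes (help desk issues a temporary password, hands it to the direct supervisor, user is forced to change it at first login) and Leds' one-time-use requirement can be modelled in a few dozen lines. The following is an added example, not code from anyone in this thread; the names (ResetService, issue_temporary, authenticate, change_password), the 24-hour expiry, the PBKDF2 iteration count and the 12-character minimum are assumptions chosen for illustration. What it shows is that the temporary secret is short-lived, is stored only as a salted hash, stops working the moment the user picks a real password, and leaves an audit record naming the supervisor it was released to, which is the trail John's segregation-of-duties concern would be reviewed against.

```python
"""Temporary reset credential with forced change on first use.

Added example (not from the thread). Models a help-desk reset where a
temporary password is conveyed to the user's direct supervisor and the user
must change it on first login. All names here are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 200_000  # assumption: tune for the deployment's hardware


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a stored credential is not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    must_change: bool            # True for a temporary password released via the supervisor
    expires_at: Optional[float]  # seconds since epoch; None means no expiry


@dataclass
class ResetService:
    creds: Dict[str, Credential] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)  # who released what to whom, and when

    def issue_temporary(self, user: str, supervisor: str, now: float, ttl: float = 86_400) -> str:
        """Create a short-lived, change-on-first-use password for `user`.

        The returned string is what the help desk conveys to `supervisor`;
        only the salted hash is kept. The audit entry names the supervisor so
        a later review can see who had the opportunity to learn the secret.
        """
        temp = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.creds[user] = Credential(salt, _digest(temp, salt), must_change=True, expires_at=now + ttl)
        self.audit.append({"event": "temp_issued", "user": user, "released_to": supervisor, "at": now})
        return temp

    def authenticate(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'must_change', 'expired' or 'invalid'."""
        cred = self.creds.get(user)
        if cred is None or not hmac.compare_digest(_digest(password, cred.salt), cred.digest):
            return "invalid"
        if cred.expires_at is not None and now > cred.expires_at:
            return "expired"
        return "must_change" if cred.must_change else "ok"

    def change_password(self, user: str, current: str, new: str, now: float) -> bool:
        """Replace the temporary password; the old one stops working immediately."""
        if self.authenticate(user, current, now) not in ("ok", "must_change"):
            return False
        if len(new) < 12:  # assumption: a minimum-length rule stands in for the real policy
            return False
        salt = secrets.token_bytes(16)
        self.creds[user] = Credential(salt, _digest(new, salt), must_change=False, expires_at=None)
        self.audit.append({"event": "password_changed", "user": user, "at": now})
        return True


if __name__ == "__main__":
    svc = ResetService()
    temp = svc.issue_temporary("alice", supervisor="bob", now=1_000.0)
    print(svc.authenticate("alice", temp, now=1_001.0))   # must_change
    svc.change_password("alice", temp, "correct horse battery", now=1_002.0)
    print(svc.authenticate("alice", temp, now=1_003.0))   # invalid: temporary password is dead
    print(svc.audit)                                       # release and change events, with the supervisor named
```

The supervisor only ever sees the temporary value, and the audit list records that fact; once the user has set a permanent password the supervisor holds nothing usable, which is the property that keeps this flow from turning into the shared-password situation John warns about.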