Date: 12 July 2002
To: I0001089 EXTERNAL
From: John Hanson GBSAFE00 SFWY2-3, atrium SW
Subject: RE: Methods for distributing passwor
Problem with this solution alone is the potential breach of segregation
of duties. ie: where high value/risk activities are controlled by having
employees only Requisition a change and Supervisors only Authorise.
Giving employee password to Supervisor allows them to Requisition as well
without the risk of involving the employee in collusion.
--------------------------------------------------------------------------
Date: July 12, 2002
From: Burton M. Strauss III {SMTP:[EMAIL PROTECTED] -
EXTERNAL
To: [EMAIL PROTECTED] -
cc: [EMAIL PROTECTED] -
Subject: RE: Methods for distributing password change info to disconn
------------------------------------------------------------
One way to do this is to push it out to the direct supervisor.
I.e. user x calls in, you perform some validation and then send the new
password (securely) to their direct supervisor.
User then has to contact the supervisor to retrieve the new password.
Which, of course, you then force them to change.
It tends to make people remember password (or write them down, but that's
another issue), since there is nothing quite like calling your boss and
giving him/her a brass plated opportunity to remind you how stupid you are.
Besides, that's the one individual in the organization who probably CAN
reliably id somebody.
-----Burton
-----Original Message-----
From: Led Slinger {mailto:[EMAIL PROTECTED]}
Sent: Thursday, July 11, 2002 10:24 AM
To: [EMAIL PROTECTED]
Subject: Methods for distributing password change info to disconnected
users
Looking to see if anyone has a new and unique trick for distributing
passwords to users that request to have their password reset remotely.
I am basically referring to Enterprise Directory passwords. We have
many users in many locations around the globe and it is not practical to
hand carry every password to a user when she/he forgets theirs. Since
Email is tied to ED as well, we cannot provide the password through that
system and the fact that not all of our sales force and consultants have
voicemail, it makes it difficult to distribute it to them that way as
well. We have a 24x7 Call Center but then you run into the problem of
trying to authenticate voices over the phone. and with 7000+ possible
voices probably not feasible either. We've thought about obscure web
links that are one time use but it comes right back to authenticating
the individual that is calling. We've even considered using some type
of token device with the thought that providing them a password over the
phone would be fairly safe if the corporate authentication were
two-factor, but if I copped a briefcase with the business cards and
token inside, I could probably devise a social engineering plot to get
in. Am I simply trying to hard to cover every conceivable issue that
MAY arise or is there a better, cheaper, and equally effective plan out
there.
Thanks in advance for any help you can provide
Leds!
--
There's nothing wrong with Windows until you install it........
John Hanson
Information Security
****************************************************************************
* Unencrypted electronic mail is not secure and may not be authentic. *
* If you have any doubts as to the contents please telephone to confirm. *
* The information contained in this message is confidential and is *
* intended for the addressee(s) only. If you have received this message in *
* error or there are any problems, please notify the originator *
* immediately. The unauthorised use, disclosure, copying or alteration of *
* this message is strictly forbidden. Opinions, conclusions and other *
* information expressed in this message are not given or endorsed by *
* Safeway unless otherwise indicated by an authorised representative *
* independent of this message. *
****************************************************************************
