
Help!! I forgot my password!!

By Mike Emeigh
This question is directed primarily to net admins for networks that connect multiple sites, where they have little face-to-face contact with their user base:

Suppose you receive a request to reset a password from a user who claims to have forgotten his password. What procedures and policies do you have in place to ensure that the person making the request is actually the user?

-- MWE


All Comments


Help!! I forgot my password!!

by Marty_R In reply to Help!! I forgot my passwo ...

Mike,

Looking for the "politically correct" answer to cut and paste into a manual or the "common sense" answer to live with and hopefully not compromise your network in the process? After 16 years of Sys Admin work in various corporate, military, etc. environments, I have yet to see something on paper that will cover the subject to everyone's satisfaction. When in doubt, use common sense, listen to the user(s), notice voice (uncomfortable, rushed, etc.), DO NOT JUMP ONTO A KEYBOARD to perform "your magic"! Take information regarding user id, phone number, etc. and defer problem to another admin - however, if you ARE the only admin, explain that you are in the middle of an extremely important project, meeting, resolution to a network problem (whatever, to buy some time and slow the process down a little). This activity allows you to think through some things: what kind of activity has been going on on your network? What do the log files say about the last day's activity (providing that they aren't compromised already!), did you see anything strange in your daily check of your servers? Do you need to get together with another Sys Admin and review the above questions? COMMON SENSE!! Build it into your "daily" routine and sometimes it even starts to make sense after a while. Hope this rambling helps - Good Luck in your endeavour :>


Help!! I forgot my password!!

by Mike Emeigh In reply to Help!! I forgot my passwo ...

Poster rated this answer


Help!! I forgot my password!!

by purple713 In reply to Help!! I forgot my passwo ...

To answer your question:
Here are some procedures that I follow:

1. Ask for the user name
2. Extension of the phone
3. Room Number
4. Ask for his director's name (if the user stumbles, you know that something is wrong). Explain to the user that this is for security measures.
5. Call the person's Director to see if that user is in fact in the office. (Always helps.)


Help!! I forgot my password!!

by Mike Emeigh In reply to Help!! I forgot my passwo ...

Poster rated this answer


Help!! I forgot my password!!

by Mike Emeigh In reply to Help!! I forgot my passwo ...

To Marty R:

I am looking for a "common sense" answer. I'm really more interested in what others are really doing, rather than anything that might be "politically correct" but isn't likely to be followed in practice.


Help!! I forgot my password!!

by mfitch In reply to Help!! I forgot my passwo ...

I've gotten flak for trying to implement it here (it worked great at my last company), but requiring the user's supervisor to authorize the reset via email serves to both authenticate the request AND deters the users from making multiple stupid mistakes with their passwords.

It may also alert the area supervisor to possible security compromises in their area.

One day....


Help!! I forgot my password!!

by Mike Emeigh In reply to Help!! I forgot my passwo ...

Poster rated this answer


Help!! I forgot my password!!

by rachel_s In reply to Help!! I forgot my passwo ...

Mike -

Read an article once (here I think?) that discusses this topic. You could implement security cards and readers (expensive and can be lost) or have the person come and show you their ID (yeah right!). They suggest getting information about the user and leaving the password on the person's voice mail - (most likely they haven't forgotten that password!). Hopefully all the users have a phone and don't write the phone mail password on or by their phones (like here!).
-Rachel


Help!! I forgot my password!!

by Mike Emeigh In reply to Help!! I forgot my passwo ...

Poster rated this answer


Help!! I forgot my password!!

by JasonTik In reply to Help!! I forgot my passwo ...

Send the password to their e-mail address
