HP3000-L Archives

August 1998, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Mark Bixby <[log in to unmask]>
Date: Tue, 18 Aug 1998 13:54:53 -0700

How do sysadmins respond when users forget their passwords in large shops
where it's impossible for you to know all of the users personally?

I don't want to trust direct phone calls from users because I've never met
most of them and wouldn't be able to recognize their voices.  Person A could
call and say "I'm Person B and I forgot my password", and I'd have no way of
knowing that they're not really Person B.

On the theory that it's better than nothing, I require a FAX signed by the
amnesiac person's supervisor to be sent to our Help Desk first.  But that's
really no more secure than a phone call, because we don't have handwriting
samples on file, and wouldn't be able to verify the supervisor signature
anyway.  However, it is somewhat more intimidating than a simple phone call,
and it leaves a paper trail, which are both things that might help to deter
somebody intent on committing mischief.

In no case will I ever reveal what a password is.  If you forgot your password,
I will assign a new random password to the login.  This way if somebody were
attempting to steal a login, the true owner would phone when their old password
suddenly stopped working (I have no evidence that such a theft has ever
happened).  Another benefit is the detection of multiple users sharing the
same login, something we strongly frown upon here.  The true owner forgets the
password, it is changed, and then the sharers phone in.  This has happened
multiple times.

I'd be interested in hearing how other sites deal with this issue.  E-mail me
privately if you'd rather not discuss this publicly on HP3000-L.  Thanks.

Mark "wishing for fingerprint scanners on every desktop" Bixby
--
Mark Bixby                      E-mail: [log in to unmask]
Coast Community College Dist.   Web: http://www.cccd.edu/~markb/
District Information Services   1370 Adams Ave, Costa Mesa, CA, USA 92626-5429
Technical Support               Voice: +1 714 438-4647
"You can tune a file system, but you can't tune a fish." - tunefs(1M)
