HP3000-L Archives

August 1998, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Stigers, Greg ~ AND" <[log in to unmask]>
Date: Wed, 19 Aug 1998 14:12:48 -0400

I recall this being given at an MS Office 97 presentation as one
possible reason to post employees' pictures to an intranet, although this
assumes face-to-face contact.

I guess a check of last login and password change date *might* catch
someone just trying to get someone else's password reset. I give users
temporary passwords, and try to provide them via some secure means,
preferably by phone. I like the call back idea. If I have to use email,
I always end with, "now hit delete", although I hope that the temporary
is short-lived. Of course, if I can have the user present to set their
password when their id is created, so they can just type it in, that
helps. As for choosing temporary passwords when setting up new users who
may not log in immediately, I free associate, until I come up with
something that is too distant from normalness to be easily guessable.
Sometimes, these aren't even words. I've only had one user ever say
anything about their temporary password. And I am going after some
admins who have a pattern to the throwaways they give users. I have been
able to find users with temporary passwords, and log in as them. One of
these was system manager. Not good. OTOH, I have argued with an admin
here about security on one system, and he has told me that users have
acted like their id and (unchanged original) password was some big
secret. For some of these users, finding out that most of the people
here were set up that way, and never changed their password, would be a
revelation, and could actually compromise current security, such as it
is, while they force users to change their password.

Now, can't account managers reset normal user passwords? That might
encourage people to be more careful, if they had to ask their boss to
reset their password for them.

There are bigger threats to security, and even password security than
this. Someone gave me some application notes they were using, and I
found another user's id and password written in them, which I promptly
expired, and then set that someone up as a new user. And I get to hear
constant complaints about expiring passwords. The worst is NetWare
users, who watch five messages telling them that they have one less
grace login, then call me when they have none. I usually give them one
more grace login and a lesson on changing their password. The funniest
is walking someone through logging in on the 3K over the phone, hearing
them type their first choice of new password, then grunt and mumble as
they find out that they can't use their user name or whatever as a
password. I wish I knew a better way to prevent other guessable
passwords under SEC/3K than adding them to BADPASS.AUDITDAT.VESOFT.
OTOH, I wish I had the text of an English dictionary to add to BADPASS.

Speaking of free association, I'll go off the deep end here and list
some non-word password ideas that I have used, in the hope of providing
useful information, and eliciting more or better ideas. Like most of us,
I have to keep track of a number of passwords, and keeping them
memorable but not guessable is an adventure. When allowed greater than
eight chars, I like some phrase, preferably not a cliché. One password
here is fifteen chars; that would take a bit to get by brute force. I
often combine two small words totaling eight chars, for MPE passwords
used by more than one person. Someone pointed out using numbers as
substitutes for letters, in otherwise normal words: 0 for o, 1 for i or
l, 3 for e, 4 for h, 6 for b, 9 for p or q, even @ for a on some
systems. I will use strange passwords that I had to memorize on systems
from a past job, or previous co-workers' unusual last names, or OS
commands or utilities (but not for the system in question).
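An added example, not part of the original post or of any MPE/SEC/3K tool, of the two checks Greg describes: a BADPASS-style blocklist check that also undoes the digit-for-letter substitutions he lists (so "s3cr3t99" is caught as "secret"), and an audit for accounts still on their original temporary password. The word list and the account record fields are constructed assumptions.

```python
import itertools

# Digit/symbol-for-letter substitutions listed in the post. A guesser would
# try undoing these, so the checker must too. A key may stand for more than
# one letter (1 -> i or l, 9 -> p or q).
DESUBSTITUTE = {
    "0": "o", "1": "il", "3": "e", "4": "h", "6": "b", "9": "pq", "@": "a",
}

# Constructed stand-in for a BADPASS-style word list; a real deployment
# would load an English dictionary file here, as the post wishes for.
BAD_WORDS = {"password", "welcome", "secret", "letmein", "hello", "login"}


def candidate_spellings(password):
    """Yield every plain-letter reading of a password, undoing the
    substitutions above (e.g. 'h3ll0' -> 'hello')."""
    choices = [DESUBSTITUTE.get(c, c) for c in password.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def reject_reason(password, user_id, bad_words=BAD_WORDS, min_len=8):
    """Return None if the password is acceptable, else a short reason."""
    pw = password.lower()
    if len(pw) < min_len:
        return "too short"
    if user_id.lower() in pw:
        return "contains user id"
    for plain in candidate_spellings(password):
        for word in bad_words:
            # Substring match also catches 'welcome99' and 'xsecretx'.
            if word in plain:
                return f"based on blocked word '{word}'"
    return None


def stale_temporary_accounts(accounts):
    """The post's other check: users whose password was never changed after
    creation, i.e. still on the temporary password the admin chose.
    `accounts` is a list of dicts (assumed layout) with 'user', 'created'
    and 'pw_changed' as ISO dates; 'pw_changed' is None if never changed."""
    return sorted(
        a["user"] for a in accounts
        if a["pw_changed"] is None or a["pw_changed"] <= a["created"]
    )
```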
