Self Service Password Solutions
Results 1 to 9 of 9

Thread: Self Service Password Solutions

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    Self Service Password Solutions

    Background
    ================
    I'm currently tasked with evaluating several self service password solutions. For those who don't know what this is, the software is in place so that users can reset/retrieve/change passwords without creating a helpdesk ticket or phone call. As an example, see the courion website: http://www.courion.com

    Feedback Wanted
    ================
    Now, I'm well aware of the security implications so please don't tell me why they are good or bad. I'm simply after input from anyone who is currently using a self service password solution. More specifically, has it reduced helpdesk calls, has the response by end users been positive, has it gotten banged up by auditors, does it integrate well with LDAP, AD, etc.. And finally, which solution are you using?

    Thanks in advance.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Not really an answer to your question...

    But from my experience....users reset their password...and then forget what they set it too... far too many times

    and I get the call..they have been locked out...etc...and they cant remeber what they set it to...

    which in a way would then generate a help desk ticket...

    But...may reduce it...eventually

    cause....there cant be that many lusers out there...

    can there

    Really?

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,250
    Well Tried Citrix password manager a while back. Helpdesk calls did not decrease, just changed.

    "hello helpdesk? How do I reset my password"? And the added points of failure increased help desk actavity for the first few months.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  4. #4
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    We ended up writing our own because it has to mesh with openLDAP and AD at the same time. It's written in PHP and the user must authenticate to the centralized kerberos system before being allowed in to our system. With a user base of 6,000+ users anually we have 0 helpdesk calls unless the backend has a problem.

    Other solutions people are using are the Microsoft Identity Integration Server
    http://www.microsoft.com/windowsserv...3/default.mspx

    Sun Identity Management -can't remember the name..but it works really well from what I'm told.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  5. #5
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    742
    We used one, forgive me for fogetting the name, but it was a mess it didn't integrate very well when you went to input your information there were no problems but when it came time to actually reset the password it would hose up and not respond or not reset the password correctly.

    In relation to your Auditor question, i just asked a couple of different auditors about methodology for reseting passwords and they gave me 2 answers... First was their opinion but they couldnt use that, Passwords as we all know need to be kept secure but because of all the privacy acts and nonsense BS you are limited to what you can actually ask someone, you can't ask for SSN or Employee ID because they are either private or employee ID's are too easily taken and thats the same for addresses etc. In the end he said they couldn't look too closely at it or ding us because of those issues.

    The truely only secure way to do it is to physically meet the person but that is a whole different thread.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  6. #6
    Junior Member
    Join Date
    Oct 2005
    Posts
    1
    While it may be more convenient for you [help desk, right?] I have found that some users will use your new system to retrieve passwords of other users in the network. If your network has more than 150 users it may be hard to catch the malicious users. Then again if you are able to find a way to catch the malicious users using some kind of backfire program/software that allows only certain passwords to be forwarded to certain computers/networks than you can root out some of your valuable information of both your employees and your company's. You should consider these factors. {note: Be careful though the REAL malicious users in your network will probably be aware of this and find away around this and will mess with your system. Very costly in both time and money.}

    ----------------C2X----------------------
    (2><

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Well, I'm not the helpdesk but the requirements state that there cannot be an increase in helpdesk tickets if we decide to go with a solution.

    Here is how I see it working:

    1) End user hits an SSL page and fills out his/her choice of 5 questions, omitting SS and things on the same level of sensitivity.

    2) When they need their password, they revisit the site and answer three of the questions presented at random. If they fail 3 times, an auto generated message gets dispatched to the top of the help desk queue. If they enter the responses correctly, the system generates a PGP signed e-mail to them. Now, all of our end users have a single click sign/encrypt verify/decrypt button in their mail client. This is setup the first day they are on the job.

    I've heard mixed reports that people have more trouble setting up their self serve page than they do remembering their passwords. Again, if anyone has specific details on this in particular, it would be most useful to me.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    742
    out of curiousity... if they forgot their password how are they going to login to get their password from their email?? Am I missing something or did you accidentally overlook that?
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Login passwords are different than e-mail account passwords. The biggest issue we run into now is when people forget their PGP password but that's another issue.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •