[development] password generation/sending

on 17.02.2007 08:11:19 by renaudh

Hello;
I need to automatically generate and reset passwords for users
(that's a requirement), but I do not know how to send it to them, as
it should be encrypted on the network.

I think email is not secured, as not all users will have encryption on
their Email client (hotmail...).
Any idea how to do that?

Renaud

Re: [development] password generation/sending

on 17.02.2007 16:49:52 by roberson

In article <1171696278.982057.113520@m58g2000cwm.googlegroups.com>,
wrote:

>I need to automatically generate and reset passwords for users
>(that's a requirement), but I do not know how to send it to them, as
>it should be encrypted on the network.
>
>I think email is not secured, as not all users will have encryption on
>their Email client (hotmail...).
>Any idea how to do that?

Your requirements are internally incompatible. There is *no*
secure way in which to transmit plain-text passwords over an insecure
network. (This is sometimes called "the key distribution problem".)

Re: password generation/sending

on 18.02.2007 15:55:34 by renaudh

On 17 Feb, 16:49, rober...@hushmail.com (Walter Roberson) wrote:
> In article <1171696278.982057.113...@m58g2000cwm.googlegroups.com>,
>
> wrote:
> >I need to automatically generate and reset passwords for users
> >(that's a requirement), but I do not know how to send it to them, as
> >it should be encrypted on the network.
>
> >I think email is not secured, as not all users will have encryption on
> >their Email client (hotmail...).
> >Any idea how to do that?
>
> Your requirements are internally incompatible. There is *no*
> secure way in which to transmit plain-text passwords over an insecure
> network. (This is sometimes called "the key distribution problem".)

You are right.
I might use the following approach:

When user is created, an Email will be sent to him
Email will contain a link to a https web page (link will only last 24
hours)
On the web page, he will be prompted to answer a secret question (he
chose the question + answer when creating his account)
If successful, the page will display the generated password (he will
have to change it at his first login).

Same procedure if he wants to reset his password.

The only problem I can see is Phishing using a web page that would
look like my web page.

Any comment is welcome :)
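
The flow proposed in the post above (a link that lasts 24 hours, then a secret-answer check before the generated password is shown), as an added example that is not code from this thread. `ResetStore`, `BASE_URL`, the in-memory storage and the single-use behaviour of the link are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

LINK_TTL = 24 * 3600   # the 24-hour link lifetime from the post
BASE_URL = "https://accounts.example.test/activate"   # hypothetical URL

def _answer_hash(answer: str, salt: bytes) -> bytes:
    # Normalise case and whitespace, then stretch: secret answers are low-entropy.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 200_000)

class ResetStore:
    """In-memory stand-in for the account database (assumption)."""
    def __init__(self):
        self.answers = {}   # user -> (salt, stretched hash of secret answer)
        self.links = {}     # sha256(token) -> (user, expiry time)

    def enroll(self, user, answer):
        salt = secrets.token_bytes(16)
        self.answers[user] = (salt, _answer_hash(answer, salt))

    def issue_link(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)            # 256 random bits
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.links[digest] = (user, now + LINK_TTL)  # only the hash is stored
        return f"{BASE_URL}?t={token}"               # this goes in the email

    def redeem(self, token, answer, now=None):
        """Return a temporary password, or None if link or answer is bad."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.links.get(digest)
        if entry is None or now > entry[1]:
            self.links.pop(digest, None)             # drop expired links
            return None
        user = entry[0]
        salt, stored = self.answers[user]
        if not hmac.compare_digest(stored, _answer_hash(answer, salt)):
            return None                              # wrong answer, nothing shown
        del self.links[digest]                       # single use (assumption)
        return secrets.token_urlsafe(12)             # to be changed at first login
```

The token in the emailed link is only a pointer to the pending reset; the password itself is generated and shown over HTTPS after the answer check, so it never travels by email.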

Re: password generation/sending

on 18.02.2007 19:26:28 by roberson

In article <1171810534.646272.177110@l53g2000cwa.googlegroups.com>,
wrote:

>I might use the following approach:

>When user is created, an Email will be sent to him
>Email will contain a link to a https web page (link will only last 24
>hours)
>On the web page, he will be prompted to answer a secret question (he
>chose the question + answer when creating his account)
>If successful, the page will display the generated password (he will
>have to change it at his first login).

>Same procedure if he wants to reset his password.

If person X has not yet created an account but is authorized to
have one, then what safeguards exist to prevent person Y from
creating an account in person X's name?

Is all of this happening in an internal network, or over a public
network? If intended as an internal network, recall that email has
a tendency to get read outside of the internal network, by forwarding
or VPNs or proxies or "webmail" pages. If intended as an internal
network, what degree of trust is there of the users?

Is there a list of authorized users? If not, then how will you prevent
joke accounts or multiple accounts per user?


>The only problem I can see is Phishing using a web page that would
>look like my web page.

Worries about phishing tend to suggest to me that you are planning
to do this over public networks.