Blake said:
It is a 'self help' mechanism that our executives have required. You put in
some personal information to "verify" you are who you are and then the
mechanism uses setpassword to give you a new password.
Eeek! And do these executives think that such an ad hoc system is
automatically and of necessity more secure in some way than using the
standard password changing facilities built into Windows? Sounds a bit like
a boss I once had who simply assumed that if you could attach a password to
anything, that made it automatically 100% safe and secure.
Under whose account does this 'self-help' mechanism run - under the account
of the person wanting to change his password? If so, and if the account is
actually being used by a different person, what mechanism prevents them from
setting the password in the normal way if they do not know the user's
personal information? If it is the account of a "friend" who is letting a
person use his account to set his own forgotten one, is that not a violation
of standard security policy?
Where is the personal information stored, and how does it get there? If all
accounts have access to the mechanism, would they not also have access to
whatever the personal information was stored in? Even if they could not
decode the information directly, could they not take a complete copy of the
application and run it on a home computer to guess the boss's personal info,
thereby taking control of his account later on?
What about the IT staff in charge of the application? Could they find out
the personal information without it showing up in a security audit trail?
/Al
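The storage, offline-guessing and audit-trail questions Al raises can be answered in the design of the verification store itself; the following is an added example, not Blake's mechanism or any code from this thread. The class name, the answer normalisation, the iteration count and the lockout threshold are all assumptions chosen for illustration.

```python
"""Hardened answer store for a self-service reset (added example, not Blake's mechanism).
Answers are stored only as salted PBKDF2 hashes, attempts are limited per account,
and every check is recorded with the calling account for the audit trail."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000  # slow hash: a copied store cannot be cheaply guessed at home
MAX_ATTEMPTS = 5         # assumed lockout threshold per target account

def _normalize(answer: str) -> str:
    """Case- and whitespace-insensitive so 'Fluffy ' and 'fluffy' compare equal."""
    return " ".join(answer.lower().split())

def _hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ROUNDS)

class ResetVerifier:
    def __init__(self):
        self.records = {}   # user -> list of (salt, hash); no plaintext answer is kept
        self.failures = {}  # user -> count of failed verification attempts
        self.audit = []     # (timestamp, caller, target, outcome): who asked about whom

    def enroll(self, user: str, answers: list[str]) -> None:
        self.records[user] = []
        for a in answers:
            salt = os.urandom(16)          # per-answer salt defeats precomputed guesses
            self.records[user].append((salt, _hash_answer(a, salt)))

    def verify(self, caller: str, target: str, answers: list[str]) -> bool:
        """True only if every answer matches; every call is logged, even a locked one."""
        if self.failures.get(target, 0) >= MAX_ATTEMPTS:
            self._log(caller, target, "locked")
            return False
        stored = self.records.get(target, [])
        ok = len(stored) == len(answers) and all(
            hmac.compare_digest(h, _hash_answer(a, salt))   # constant-time compare
            for (salt, h), a in zip(stored, answers))
        if not ok:
            self.failures[target] = self.failures.get(target, 0) + 1
        self._log(caller, target, "ok" if ok else "fail")
        return ok

    def _log(self, caller: str, target: str, outcome: str) -> None:
        self.audit.append((time.time(), caller, target, outcome))
```

Because `records` holds only salts and hashes, an administrator with read access to the store still cannot recover the answers, and any attempt to check them leaves an `audit` entry naming the caller.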