On Saturday, July 7, 2012 at 2:05pm, Andy Smith wrote:
Hello,

Today a customer popped up on IRC saying that they had broken their VPS and couldn't remember their account details in order to use the console / rescue VM.

Unfortunately they had also at some point in the past disabled email password reset, so they were unable to regain access.

My concern at that point was that since they had previously disabled email password reset they were obviously security-conscious, so I did not feel comfortable resetting their password and giving it out to them over IRC.

Of course, I could see that the customer's service was down as claimed, which did lend weight to the story and meant that I could not just ignore the issue.

In the end I asked the person on IRC to send me a photo or scan of a utility bill bearing their name and address as present in BitFolk's customer database, and on receipt of that I did reset their password.

If it had been you in the customer's position, would you have considered that reasonable?

If you have disabled email password reset, are you comfortable with this being circumvented by someone who is able to present a convincing image of a utility bill to support@bitfolk.com?

Perhaps you can offer some guidelines for how this should be dealt with in future so that there can be a consistent response.

Suggestions revolving around the customer identifying themselves using public key crypto (PGP keys, SSH keys) are fine, but do bear in mind that most customers have not presented either a PGP or an SSH key to me, and that would have to be done before it was actually needed.

I could require that an SSH and/or PGP key be uploaded to the panel before the panel allows you to disable email password resets, though there would still need to be a plan in place for the inevitable case where the customer claims to no longer have access to any of the keys they have uploaded.

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting