If at least 35% of companies don’t authenticate users during a password reset call, what is at risk?

Passwords cause data breaches

With the European Union’s decision on the General Data Protection Regulation (GDPR) Act, compliance has moved to the top of IT priorities. If companies have a breach of data or don’t report data breaches within 72 hours, they can be fined up to 4% of annual revenue. According to GDPR, companies have to identify critical data and map out who has access to it.

In February 2017, IDC released a Technology Spotlight on GDPR and password compliance processes. It documents specifically how GDPR emphasizes protection and authentication of personal data. Several articles and paragraphs define how a lack of authentication can lead to data breaches. A data breach must be reported within 72 hours to the authorities and is a violation of GDPR.

IDC refers to research showing that 63% of all known data breaches are caused by password problems.

According to a Service Desk Institute survey, 35% of organizations don’t have a clear authentication process for their password service. The remaining 65% have a process, but not necessarily a strong one.

Best practices for security

IDC argues strongly that the present state of user authentication in service desks doesn’t live up to the demands for a secure process. IDC refers to requirements issued by official organizations demanding a 2-person process: a person with privileges and a person who knows the end user asking for the password.

Alternatively, a password self-service solution with a clear authentication process will be compliant (provided it is secure as a web application). No matter how good the self-service implementation is, however, some users will sometimes call the service desk anyway.

A manual process is very difficult to monitor and to make compliant, so as part of the right password process, the manual service desk password process must be carried out in an IT solution. As a consequence, the service desk no longer needs privileged rights to reset passwords directly in Active Directory, which significantly reduces the risk of fraud committed by individual service desk employees.



How passwords are broken

Password issues

Password guessing

The strategy for preventing passwords from being guessed or observed over the user’s shoulder is to make passwords reasonably complicated, avoid patterns in passwords, and avoid reusing past passwords.

Where a password has already been guessed, frequent forced password changes end the intruder’s misuse.

Password risks

Other persons involved in password issuance process and password reset

When a second person from the service desk is involved in password issuance, there is a risk of misuse. If the service desk person is corrupt or just ‘a good friend’ of the intruder, it might be possible to shortcut the password security process. Even the mitigation of interim passwords doesn’t prevent an intruder and a service desk employee from circumventing the password protection. One mitigation might be very strict reporting on password resets. A simpler mitigation is self-service, where the user is the only one touching his password.

See more at “Password risks and mitigation”

The IDC recommendation and best practices for password compliance are:

  • Implement a password self-service solution with high adoption
  • Remove the privileged password to AD for the service desk analysts
  • Use a 2-person process when users call the service desk. Combine this with an IT system that re-enrols the user in self-service, so the privileged users don’t see the user’s new password.



“We strive continuously to improve our service. It is important to us to deliver modern and simple solutions helping customers to a more efficient operation. The cooperation with FastPass is yet another step in this direction.”

Mads Jacobsen
 Associate vice president

... seen an 80% reduction in assisted password resets. We’re very satisfied with the product. It has significantly freed us up from frustrating and unrewarding password resets

Oliver Holmes

Deputy Director, Technology and Operations



FastPass handled 2,531 password calls, or more than 80% of the total password calls from all the users.

Per Kristensen

Project manager


...we have met our Customers’ Service and Cost Improvement challenges by reducing our call abandon rates by over 55% and our average wait times by over 60%, despite our overall budget being reduced.

Pete Townley

Lead Service Delivery


… about 90% use FastPass to reset their passwords. So we’ve seen a substantial reduction in calls to the help desk.

Winston Hughed

Vice President IT


We are very pleased with the product. FastPass has simplified password management and eliminated many password related calls.


Chuck Mick

ERP Manager

Nyrstar has chosen FastPass to automate and improve the processes related to users’ forgotten passwords. This has improved user satisfaction and reduced the workload in the IT HelpDesk.

The number of forgotten passwords per involved user per year has dropped from 1,6 to 0,3. This is an improvement of 83%!

Hans Lauwers



... The numbers have grown to the point that it would be impossible to operate in today’s busy environment without a password management service

Haydn Tarr

IT Technical Lead & Coordinator


Our employees use it to synchronize their Windows password with their IBM i password when they need to be changed every 90 days due to compliance. We find this is a quiet, behind-the-scenes way for our employees to change and remember their passwords.

Larry Marxen

Director of Information Systems



© FastPassCorp A/S. All Rights Reserved.
