Password Reset Best Practices
Resetting passwords happens at great scale every day without anyone taking much notice of it. It is just a task that needs to be done as quickly as possible, so that everyone can get on with their work without losing precious time. The fact that the password is a major key to the company's infrastructure seems nearly forgotten.
The password is still a key component of security: Password Obituary: But is the Humble Password Really Dead?
As password reset and password change are two very different operations, let us first establish the differences:
- The Password Change operation is done only by the user, as it is an operation based on the user's current password. The password policy behind a password change operation takes password history into account.
- The Password Reset is only needed when the user has forgotten the current password. The traditional method is a call to the help desk, where a supporter with access privileges can reset it. The more modern method is a Self-Service Password Reset (SSPR) solution (the 10 best are covered here: The 10 best enterprise SSPR solutions).
The Password Change process is quite straightforward, as it is done by the user using the current password; hence there is no need to further verify the identity of the user, as the user's current password is sufficient. In this process of making the new password, the Password Policy is of the greatest importance. Please read here about the best practices around complexity, length, change frequency and history: Guide to best password policy
When addressing the Password Reset process, there are more variables at play. Basically, the process consists of these steps:
- The user reaches out to either the SSPR system or to the Help Desk.
- The user's identity is verified. An audit trail of the process must be kept, so that it can be traced back if necessary.
- A Password Reset is done.
- A Password Change is done.
These steps are fundamental. Step 4 must never be left out; it ensures that the password is not known to anyone else and that the password complies with the password policy.
Some question whether it is still necessary to protect passwords if 2FA is implemented. The idea of 2FA/MFA is that we have multiple SECURE authentications, so passwords can't be neglected. Furthermore, the hackers have found ways to breach even secure authentication apps: MFA Fatigue: Passwords are still important
Password reset best practices must be viewed as a component of a total Password Protection Plan.
One of the main questions is who is responsible for the protection of passwords. Is it the CISO, or is the help desk manager responsible for password security at the help desk?
An important element of password reset is the user making a new password. We want the password to be hard to crack for any hacker, which means a strong password policy is required – even the standard strong password policy for Windows might not be enough.
Use an SSPR system
Help Desk Business Case for SSPR
Depending on the user's situation and the IT landscape, the user will either use their Self Service Password Reset (SSPR) system or call the Service Desk. Allowing the users to make use of an SSPR system is best practice, and makes perfect sense in terms of ROI: The Best Help desk business case for SSPR
The 10 Best SSPR Solutions
To choose a good SSPR system take a look at this article explaining the key features around SSPR: The Top Criteria for Self-Service Password Reset (SSPR) Solutions
Or look here to see the top 10 SSPR systems and their features compared: 10 Best Self-Service Password Reset (SSPR) Products / Software
Why SSPR Fails and What To Do About It
Even a good, feature-rich SSPR system may not be enough; processes, people, etc. must be taken into consideration. Here is an article about how to get it running so that it handles nearly all the calls: Why SSPR fails and what to do about it. Please also visit the Best Practice guide around SSPR.
Self-Service Password Reset (SSPR) Solution
Even if you have a good Self-Service Password Reset system in place, it will never handle 100% of the users' needs for resetting a password. The last 6-10% will still call the Help Desk agent to get their case handled, but 90% uptake is possible: Self-Service Password Reset (SSPR) solution.
Work-from-home Challenges for IT Help Desk
The last users, those who are not able to use the system, can be users unable to self-service because they have lost their phone, users unable to access the solution, and also users working from home. This problem is handled specifically here: Work from home Challenges for IT Help Desk
Users calling the Service Desk
When a user calls the Service Desk to reset the password, there are a couple of steps to cover by the agent. Let us look at them in detail:
- Verifying the caller's identity by using one or more user proofing methods. (This might not be possible for the agent; hence an escalation process needs to be in place)
- Creating an audit record of the proofing(s): who, when, where, and using what types of proofing
- Issuing a new, temporary password for the user
Best practices cover the process of verifying the identity of the user in question, making an audit trail, and issuing a password to the user. The process of verifying the user's identity can differ from user to user, not only based on the risk associated with the user, but also on nationality and on what proofing factors the user in question can handle at the given time. The steps are:
- Establish the status of the claimed user ID (is the account still supposed to be active, and are there any orange or red flags, e.g., the user is at a strange location or working at an unusual time?)
- Proof the user. Ask the user for, e.g., a token sent over email and/or mobile, TOTP codes, answers to questions, employee ID, etc.
- Evaluate 1 and 2 to establish whether the user has passed the assessment or an escalation is needed
The audit should hold the following information: time and date, agent name and user ID, the claimed end-user identity, the different proofings and their result, and finally whether the process succeeded, was escalated, or was abandoned. The audit entries need to be checked every now and then to ensure that the identity verification process is being carried out as expected. Taking 1% out for review every week or two is best practice; it can be a daunting task to test the proofing parts if no central system is present.
For more details about building this process, please look at this article: Secure Identity Verification of End-Users
The final bit is the password. The issued password must be a one-time password. If the reset is done in Active Directory or Azure AD, the "User Must Change" flag must be set. The password issued in the reset must be random. We advise using a simple random generator.
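As an added example of the Service Desk path described above (this is not FastPass code or any product's code), the following PowerShell function carries out the three agent steps against on-premises Active Directory: it checks the status of the claimed account, writes an audit record with the fields listed above, and only when the proofing verdict is "Passed" sets a random one-time password with the "User Must Change" flag. It assumes the ActiveDirectory module (RSAT), a help-desk account that is allowed to reset passwords, and an audit file path of your own; the CSV path below is a placeholder.

```powershell
#Requires -Modules ActiveDirectory
function Invoke-HelpDeskPasswordReset {
    param(
        [Parameter(Mandatory)] [string] $UserId,      # the claimed end-user identity (sAMAccountName)
        [Parameter(Mandatory)] [string] $Proofing,    # what the agent checked, e.g. 'TOTP:ok;EmployeeID:ok'
        [Parameter(Mandatory)] [ValidateSet('Passed', 'Escalated', 'Abandoned')] [string] $Result,
        [string] $AuditLog = 'C:\SecAudit\pwreset.csv' # placeholder path: point this at your protected audit store
    )
    # Step 1: status of the claimed account. Disabled, expired or dormant accounts are flags, not resets.
    $u = Get-ADUser -Identity $UserId -Properties Enabled, LockedOut, AccountExpirationDate, LastLogonDate
    $flags = @()
    if (-not $u.Enabled) { $flags += 'disabled' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) { $flags += 'expired' }
    if ($u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-90)) { $flags += 'dormant>90d' }
    if ($flags.Count -gt 0 -and $Result -eq 'Passed') { $Result = 'Escalated' }  # a red flag overrides the verdict

    # Step 2: the audit record, with the fields the text lists. The password itself is never written here.
    [pscustomobject]@{
        Time        = (Get-Date).ToString('o')
        Agent       = "$env:USERDOMAIN\$env:USERNAME"
        ClaimedUser = $UserId
        Proofing    = $Proofing
        Flags       = ($flags -join ',')
        Outcome     = $Result
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation

    if ($Result -ne 'Passed') { return $Result }

    # Step 3: a random one-time password from the OS CSPRNG, with the "User Must Change" flag set.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'  # exactly 64 symbols
    $bytes = [byte[]]::new(16)                       # 16 symbols x 6 bits = 96 bits of entropy
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes); $rng.Dispose()
    # 256 is a multiple of 64, so "byte mod 64" selects every symbol with equal probability (no modulo bias)
    $temp = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    Set-ADAccountPassword -Identity $UserId -Reset -NewPassword (ConvertTo-SecureString $temp -AsPlainText -Force)
    Set-ADUser -Identity $UserId -ChangePasswordAtLogon $true   # forces step 4: the user's own Password Change
    if ($u.LockedOut) { Unlock-ADAccount -Identity $UserId }
    return $temp   # read it to the caller once; do not store or email it
}
```

The temporary password is returned only so the agent can read it to the caller; the audit row records the outcome, never the password, and the 1% review described above can be done by sampling rows from the CSV.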
There are a few products that can handle the caller proofing verification, like Identity Verification Manager.
When tools like this are integrated with ITSM tools, the process can become a clean workflow from request to the end. An even cleaner solution is when SSPR and Identity Verification in the Service Desk come together. This can be seen here in a more general approach: FastPass Identity Verification ITSM Integration Demo
A supplementary process often forgotten is the delivery of the first password to a new employee. The new password might pass through multiple persons' hands before it is delivered to the new employee. This process should be protected too: Ways to protect the password before the user receives their first password
Contact us to discuss how you can protect your users against identity theft with secure identity verification.