
Best Practices For Password Resets

How the helpdesk can improve security during password resets

If your organization has a helpdesk or other staff handle password resets, remember that password reset tickets are an opportunity for hackers. When an employee, vendor, or customer forgets a password, their account is vulnerable. Your helpdesk processes can add to that exposure if they don’t follow password management best practices, and ultimately identity and access management best practices. So, don’t open the door to hackers. Make sure your helpdesk and its password reset processes are secure.

Start with the Password Reset Call or Ticket

First, make sure your helpdesk is secure. Helpdesks are often a target of attack. So be sure you have your own security house in order. That means secure machines, security training, and NIST-compliant processes.

Then, when users call or email to say they’ve forgotten their password, start with user verification: confirm that the person making the request actually owns the account. And make sure your verification process is hard for hackers to get through. That means don’t use common security questions. Traditional questions like mother’s maiden name, the user’s high school, or the employee’s hire date ask for information that cyber criminals can easily discover online.

Ideally, use multi-factor authentication (MFA) to verify users. MFA that relies on something the user physically has, such as a key card or a response sent to a registered device by email or text, is preferred for efficient identity and access management. If that’s not possible, ask a series of questions that rely on personal information that’s not easy for a hacker to find.

Helpdesk Temporary Passwords

Some helpdesks respond to password reset requests by providing a temporary password. This isn’t the preferred approach because it means at least two people know the password and it requires conveying a temporary password, which opens an opportunity for infiltration.

If you must use this approach, follow these guidelines:

  • Always use a unique password for each user. Don’t use the same temporary password for everyone—which would mean that a single mistake opens the door to multiple accounts.
  • Use long passwords, ideally sixteen characters or more.
  • Randomly generate the passwords. They should consist of random characters, not words. And nothing predictable like HiredateName.
  • Use a mix of uppercase, lowercase, numbers, and special characters. Avoid obvious and common substitutions like zero for the letter O or three for the letter E.
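The four guidelines above as a working generator and policy check, written for this article as an added example (it is not OneLogin's code). It draws every character from the `secrets` CSPRNG, requires all four character classes and at least sixteen characters, rejects any password containing a fragment of the user's own details (the "HiredateName" problem), and issues a distinct password per user; the `user_context` parameter and the character set are assumptions of this example.

```python
import secrets
import string

# Character classes the guidelines ask for in every temporary password.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"   # assumed set; adjust to what your systems accept
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
MIN_LENGTH = 16  # "ideally sixteen characters or more"


def meets_policy(password: str, user_context=()) -> bool:
    """Length, all four character classes, and no fragment of the user's own
    details (name, hire date, ...) anywhere in the password. user_context is
    a sequence of strings the helpdesk knows about the user (assumed input)."""
    if len(password) < MIN_LENGTH:
        return False
    if not all(any(c in cls for c in password) for cls in (UPPER, LOWER, DIGITS, SPECIAL)):
        return False
    lowered = password.lower()
    return not any(ctx.lower() in lowered for ctx in user_context if ctx)


def generate_temp_password(length: int = 20, user_context=()) -> str:
    """Draw from a CSPRNG (secrets, never random) and resample until the
    candidate satisfies the policy; at length 20 this rarely loops."""
    if length < MIN_LENGTH:
        raise ValueError(f"temporary passwords must be at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, user_context):
            return candidate


def issue_temp_passwords(users: dict) -> dict:
    """One distinct password per user id. users maps user id -> tuple of
    context strings. Reusing a temp password would let one leak open every
    account it was issued to."""
    issued = {uid: generate_temp_password(user_context=ctx) for uid, ctx in users.items()}
    if len(set(issued.values())) != len(issued):  # astronomically unlikely, but check
        raise RuntimeError("duplicate temporary password generated")
    return issued


if __name__ == "__main__":
    # Constructed sample users: name and hire date are the context to avoid.
    print(issue_temp_passwords({"alice": ("Alice", "2019-03-04"), "bob": ("Bob",)}))
```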

If you do send a temporary password, you need a way to verify that the user changed his or her password from the temporary one that you provided. And your password requirements should ensure that whatever new password the user comes up with is also a strong one.

Password Reset Emails

If you respond to requests with an email, you still need a verification process to ensure that the reset request isn’t coming from a hacker. To be safe, make sure that you separately email or otherwise notify the user that there was a password reset request and/or that the password was reset. And include a way for the person to contact your helpdesk if he or she didn’t request that reset, so you can thwart any attack.

In your response email, never send the new or temporary password. Don’t even send the account holder’s username in the email. Doing so provides an opportunity for hackers to intercept the email and gain half of the credential pair. Ideally, you will send a password reset link so that no temporary password is necessary and the user can reset his or her own password. When you do:

  • Make sure your email doesn’t look like a phishing email. The spelling should be correct and the email professionally formatted.
  • Set an expiration on the reset link and make it a one-time use link. That closes another potential door to cyber criminals.
  • Make sure you include instructions for how to contact support if the user needs more help or didn’t request the reset.
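An expiring, one-time reset link as described in the second bullet, as an added example for this article (not OneLogin's implementation). Only a hash of each token is stored, so a copied table cannot be turned into working links; a newer request for the same user revokes the older link; and the email carries the link alone, with no username or password in it. The fifteen-minute lifetime, the `ResetTokenStore` class and the `/reset?token=` URL shape are assumptions of this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed value: a link is good for 15 minutes


def _digest(token: str) -> str:
    # Store only a hash of the token: a copied table cannot be replayed as links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ResetTokenStore:
    """Outstanding reset links, keyed by token hash. Each token is usable once
    and only before its expiry; both checks happen in redeem()."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can move time forward
        self._pending = {}       # token hash -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        """Create a fresh 256-bit token for user_id. Any earlier link for the
        same user is revoked so only the newest request remains valid."""
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the user id if the token is known, unexpired and unused;
        otherwise None. The entry is removed either way, so a second visit
        to the same link fails and an expired link cannot be retried."""
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self._clock() <= expires_at else None


def build_reset_link(base_url: str, token: str) -> str:
    """The email carries only the link: no username, no temporary password."""
    return f"{base_url}/reset?token={token}"
```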

For the reset link itself, be careful that the redirect or thank-you page the user lands on after the reset doesn’t give away information about the user or the types of accounts that the user has. For example, don’t redirect to an administrator login or to a portfolio account login, since that reveals to potential hackers what privileges the person holds or what they own.

Lastly, use the reset as an opportunity to educate employees and customers. The more employees understand and work to increase security, the safer you are. Make sure they know why strong passwords, though harder to remember, are important and what might be at risk if their account is breached.

A Better Way

If you’re still doing password resets manually, you know it’s an expensive process. Today, there are many tools that make password resets easier. The best ones remove IT/helpdesk from the password reset process entirely, by letting users reset their own passwords automatically. Automatic password reset tools can still require multi-factor authentication and can enforce strong password requirements, but they eliminate the delays that frustrate users and many of the vulnerabilities inherent in a manual process.
