Best practices for password resets

How the Help Desk can improve security during password resets

Help desk password reset best practices

If your organization has a help desk or other staff handle password resets, remember that password reset tickets are an opportunity for hackers. When an employee, vendor, or customer forgets a password, their account is vulnerable. Your help desk processes can create more vulnerability if you aren’t following password management best practices. So, don’t open the door to hackers. Make sure your help desk and its password reset processes are secure.

Start with the password reset call or ticket

First, make sure your help desk is secure. Help desks are often a target of attack. So be sure you have your own security house in order. That means secure machines, security training, and NIST-compliant processes.

Then, when users call or email to say they’ve forgotten their password, start with user verification: confirm that the requester is the owner of the account. Make sure your verification process is hard for hackers to infiltrate. That means don’t use common security questions. Answers to traditional questions like mother’s maiden name, the user’s high school, or the employee’s hire date can easily be discovered online by cyber criminals.

Ideally, use multi-factor authentication (MFA) to verify users. MFA that requires a card key or that requires the user to respond to an email or text, i.e. device in hand, is preferred. If that’s not possible, ask a series of questions that rely on personal information that’s not easy for a hacker to find.

Temporary passwords

Some help desks respond to password reset requests by providing a temporary password. This isn’t the preferred approach because it means at least two people know the password and it requires conveying a temporary password, which opens an opportunity for infiltration.

If you must use this approach, follow these guidelines:

  • Always use a unique password for each user. Don’t use the same temporary password for everyone—which would mean that a single mistake opens the door to multiple accounts.
  • Use long passwords, ideally sixteen characters or more.
  • Randomly generate the passwords. They should consist of random characters, not words. And nothing predictable like HiredateName.
  • Use a mix of uppercase, lowercase, numbers, and special characters. Avoid obvious and common substitutions like zero for the letter O or three for the letter E.

If you do send a temporary password, you need a way to verify that the user changed his or her password from the temporary one that you provided. And your password requirements should ensure that whatever new password the user comes up with is also a strong one.
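The guidelines above can be enforced in code rather than left to the agent. The following Python sketch is an added example, not code from this page or from any product: it generates a unique 16-character random password per user, flags the account as must-change, and refuses a "change" that re-enters the temporary password. The `accounts` dictionary, the function names and the special-character set are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Constructed policy values for this example: 16+ characters drawn from
# uppercase, lowercase, digits and special characters, as the list above asks.
MIN_LENGTH = 16
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, "!@#$%^&*()-_=+[]{}")
ALPHABET = "".join(CLASSES)


def generate_temp_password(length=MIN_LENGTH):
    """Return a random password that contains every character class."""
    if length < MIN_LENGTH:
        raise ValueError("temporary passwords must be at least 16 characters")
    while True:
        # secrets draws from the OS CSPRNG; redraw until all classes appear
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def _digest(password, salt):
    # Salted, slow hash so the stored record does not reveal the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def issue_temp_password(accounts, user_id):
    """Give user_id its own temporary password and flag it for change."""
    password = generate_temp_password()
    salt = secrets.token_bytes(16)
    accounts[user_id] = {"salt": salt, "hash": _digest(password, salt),
                         "must_change": True}
    return password


def change_password(accounts, user_id, current, new):
    """Clear must_change only if the new password differs from the temporary one."""
    rec = accounts[user_id]
    if not hmac.compare_digest(_digest(current, rec["salt"]), rec["hash"]):
        return False  # caller did not prove knowledge of the current password
    if len(new) < MIN_LENGTH or hmac.compare_digest(_digest(new, rec["salt"]), rec["hash"]):
        return False  # too short, or the temporary password was re-entered
    salt = secrets.token_bytes(16)
    accounts[user_id] = {"salt": salt, "hash": _digest(new, salt), "must_change": False}
    return True
```

Only the length of the new password is checked here; a full strength policy would replace that single test.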

Password reset emails

If you respond to requests with an email, you still need a verification process to ensure that the reset request isn’t coming from a hacker. To be safe, make sure that you separately email or otherwise notify the user that there was a password reset request and/or that the password was reset. And include a way for the person to contact your help desk if he or she didn’t request that reset, so you can thwart any attack.

In your response email, never send the new or temporary password. Don’t even send the account holder’s username in the email. Doing so provides an opportunity for hackers to intercept the email and gain half of the credential pair. Ideally, you will send a password reset link so that no temporary password is necessary and the user can reset his or her own password. When you do:

  • Make sure your email doesn’t look like a phishing email. The spelling should be correct and the email professionally formatted.
  • Set an expiration on the reset link and make it a one-time use link. That closes another potential door to cyber criminals.
  • Make sure you include instructions for how to contact support if the user needs more help or didn’t request the reset.
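An expiring, one-time reset link as described in the list above can be built as follows. This Python sketch is an added example, not code from this page: the in-memory `store`, the function names, the 15-minute lifetime and the `sso.example.test` URL used with it are all assumptions. The link carries only an opaque token, so neither the username nor a password travels in the email.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed value; set this from your own policy


def create_reset_link(store, user_id, base_url, now=None):
    """Create a single-use reset link; only a hash of the token is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    key = hashlib.sha256(token.encode()).hexdigest()
    # A leaked copy of the store does not yield usable links, only hashes
    store[key] = {"user_id": user_id, "expires": now + TOKEN_TTL_SECONDS}
    # The link holds the opaque token only, never the username or a password
    return f"{base_url}?token={token}"


def redeem_reset_token(store, token, now=None):
    """Return the user_id for a valid token and invalidate it, else None."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    # pop() removes the record on first use, so a second click finds nothing;
    # a real datastore needs an equivalent atomic delete-and-return
    record = store.pop(key, None)
    if record is None or now > record["expires"]:
        return None
    return record["user_id"]
```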

For the reset link itself, be careful that the redirect or thank you page you go to after the reset doesn’t give away information about the user or the types of accounts that the user has. For example, don’t redirect to an administrator login or to a portfolio account login, revealing information to potential hackers about the person’s privileges or what they own.

Lastly, use the reset as an opportunity to educate employees and customers. The more employees understand and work to increase security, the safer you are. Make sure they know why strong passwords, though harder to remember, are important and what might be at risk if their account is breached.

A better way

If you’re still doing password resets manually, you know it’s an expensive process. Today, there are many tools that make password resets easier. The best ones remove IT/help desk from the password reset process entirely, by enabling users to do automatic password resets. Automatic password reset tools can still require multi-factor authentication and can enforce strong password requirements, but they eliminate the delays that frustrate users and many of the vulnerabilities inherent in a manual process.
