Security Annoyances: Password Resets

Resetting passwords for users who forget them is the bane of every administrator. A META Group survey indicates that this thankless task alone costs companies with 10,000 users well over half a million dollars a year ( identitymanagement/idmanage/p2pass.mspx). But there are ways to reduce or even eliminate this problem. My favorite solution is to rewire users keyboards and use electroshock therapy. A couple of jolts and your problem is solved!

However, you can train users to remember passwords with less violent behavior-modification methods. The most effective password-memorization technique I’ve found is creating passwords by using the first letter of each word of a sentence that the user can remember. You’ll need to use a sentence that has some proper nouns and numbers so that this technique produces a complex password with uppercase letters and nonletter characters. You can let users come up with their own sentences, but I’ve had better success assigning users passwords based on a sentence of my choosing. Of course, if you have one of those irksome corporate security policies that says you shouldn’t know everyone’s password (like you can’t just run a password cracker, right?), you might have to look at other alternatives.

Enter the automated password reset tool. Let’s think about it. Resetting a user’s password is a pretty mundane, clerical process: Authenticate the person requesting the password reset, find his or her account, and reset its password. Why not automate this task? A variety of self-service password reset solutions are already on the market to take this burden off your shoulders, and it’s not hard to justify the cost when you consider the savings in IT staff time. Solutions on the market provide various methods for letting users reset their own passwords, from Web-based applications to telephone-based systems. Some of the players include Avatier Password Station and M-Tech Information Technology’s P-Synch. Just do a Web search for “password reset self-service” and you’re on your way.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.