Thread: Password Reset Process

I am currently investigating how we can improve our password reset process. At this point in time the process is sadly lacking in terms of validation of the person making the request for the password reset. I would like your opinions on a process that works for your business. Some ideas I am exploring right now include:

Call Back.
When a user calls the support center for a password reset, it is not done while the user is waiting on the phone. The support center takes the information, fills out a ticket, resets the password and phones the user back at the users phone local.

Voice Mail.
When a user calls the support center for a password reset, it is not done while the user is waiting on the phone. The support center takes the information, fills out a ticket, resets the password and leaves a message in the users voicemail box (which is also password protected).

Secret Word/phase.
Design/buy a system which all users would enter a secret word or phrase. When a user call the support center for a password reset, the support center enters this system, looks up the user, asks them what their secret word / phrase is. If correct, the password is reset and given to the user.

Password Management System.
Purchase of a full password management system such as P-Sync or BMC Software's Control-SA/PassPort.

The major problem I have to deal with is cost, therefore the Password Management System is likely not an option.

I'd be interested to hear what system(s) works for you.
Thanks for any help

Cheers:

I would think the phone might have problems too but though this is hypothetical(on my part) How about they submit a request to chang their password by email, YOU call their personal number, verify and implement change??


*/ i think you said something similiar above*/

Originally posted here by jxrry59
submit a request to chang their password by email

Most often, it's their e-mail password they have forgotten.

Thanks anyways.

Cheers:

I think the call back option would be the best. That is pretty close to what we do. The only thing I would add is that when we reset the users password it is a one time only password. In other words they are forced to change is the first time they use it.

we used a system called password courier which can be found at http://www.courion.com/products/pwc/index.asp?Node=PWC

They also have a calculator that will show you how much a help desk call costs versus using the program. it worked directly with windows 2k AD also

If your company can afford to implement the call back method by having someone available to answer phones then this method would be the fastest and most reasonably secure. You may also want to consider using something else to verify the individuals identity with the company and to make reference other than the call back number i.e. employee number, etc...

Note: If your company is large you may want to implement the voice mail method with the same specifications as above. Although this method will be slower than the above listed method because the user will not get the pw immediately. Although, it should still be satisfactory enough to get the job done.

-neta1o-

We use the, something you have and something you know approach.

Example:
===============
User forgets password.
User establishes an SSL (version 3) connection to the helpdesk server.
Helpdesk server asks end user for his badge ID # (something he/she has) and Social Security # (something he/she knows)
If all info matches, the password is reset to whatever the user sets it to and a log entry is made.
Logs are reviewed daily by the AD Admin who follows up via phone to ensure validity.

We also have a secret answer to a question the end user has supplied as a third method of validation.

Hope this helps out.