March 17th, 2003, 06:03 PM
Password Reset Process
I am currently investigating how we can improve our password reset process. At this point in time the process is sadly lacking in terms of validation of the person making the request for the password reset. I would like your opinions on a process that works for your business. Some ideas I am exploring right now include:
When a user calls the support center for a password reset, it is not done while the user is waiting on the phone. The support center takes the information, fills out a ticket, resets the password and phones the user back at the user's phone local.
When a user calls the support center for a password reset, it is not done while the user is waiting on the phone. The support center takes the information, fills out a ticket, resets the password and leaves a message in the user's voicemail box (which is also password protected).
Design/buy a system in which all users would enter a secret word or phrase. When a user calls the support center for a password reset, the support center enters this system, looks up the user, and asks them what their secret word / phrase is. If correct, the password is reset and given to the user.
Password Management System.
Purchase of a full password management system such as P-Sync or BMC Software's Control-SA/PassPort.
The major problem I have to deal with is cost, therefore the Password Management System is likely not an option.
I'd be interested to hear what system(s) works for you.
Thanks for any help
March 17th, 2003, 06:11 PM
I would think the phone might have problems too, but though this is hypothetical (on my part), how about they submit a request to change their password by email, YOU call their personal number, verify and implement the change??
*/ I think you said something similar above */
the only way to fix it is to flush it all away-tool
March 17th, 2003, 06:15 PM
Most often, it's their e-mail password they have forgotten.
Originally posted here by jxrry59
submit a request to change their password by email
March 17th, 2003, 06:24 PM
I think the call back option would be the best. That is pretty close to what we do. The only thing I would add is that when we reset the user's password it is a one-time-only password. In other words, they are forced to change it the first time they use it.
Work... Some days it's just not worth chewing through the restraints...
March 17th, 2003, 06:32 PM
We used a system called Password Courier, which can be found at http://www.courion.com/products/pwc/index.asp?Node=PWC
They also have a calculator that will show you how much a help desk call costs versus using the program. It worked directly with Windows 2k AD also.
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem click
March 17th, 2003, 06:43 PM
Re: Password Reset Process
If your company can afford to implement the call back method by having someone available to answer phones then this method would be the fastest and most reasonably secure. You may also want to consider using something else to verify the individual's identity with the company and to make reference other than the call back number i.e. employee number, etc...
Note: If your company is large you may want to implement the voice mail method with the same specifications as above. Although this method will be slower than the above listed method because the user will not get the pw immediately. Although, it should still be satisfactory enough to get the job done.
March 17th, 2003, 07:17 PM
We use the "something you have and something you know" approach.
User forgets password.
User establishes an SSL (version 3) connection to the helpdesk server.
Helpdesk server asks end user for his badge ID # (something he/she has) and Social Security # (something he/she knows).
If all info matches, the password is reset to whatever the user sets it to and a log entry is made.
Logs are reviewed daily by the AD Admin who follows up via phone to ensure validity.
We also have a secret answer to a question the end user has supplied as a third method of validation.
Hope this helps out.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
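A sketch of the self-service flow described in the last post (check two values, reset, log, daily review), added here as an example and not code from any poster or product in the thread. The class name `ResetDesk`, the PBKDF2 storage of the verification values, the generic `secret` second value and the three-failure lockout are assumptions for illustration.

```python
import hashlib, hmac, os
from datetime import datetime, timezone

MAX_FAILURES = 3  # assumption: lockout threshold, not stated in the thread

def _digest(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)

class ResetDesk:  # hypothetical helpdesk back end
    def __init__(self):
        self.users, self.passwords, self.failures, self.log = {}, {}, {}, []

    def enroll(self, user, badge_id, secret):
        # Store only salted digests of the verification values.
        salt = os.urandom(16)
        self.users[user] = (salt, _digest(badge_id, salt), _digest(secret, salt))

    def _record(self, user, outcome, when):
        # Every attempt is logged, not just successful resets.
        self.log.append({"user": user, "outcome": outcome, "when": when})
        return outcome

    def reset(self, user, badge_id, secret, new_password, when=None):
        when = when or datetime.now(timezone.utc)
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return self._record(user, "locked", when)
        salt, badge_h, secret_h = self.users.get(user, (b"\0" * 16, b"", b""))
        # Check both values on every attempt, in constant time, so the
        # result does not reveal which one was wrong.
        ok_badge = hmac.compare_digest(_digest(badge_id, salt), badge_h)
        ok_secret = hmac.compare_digest(_digest(secret, salt), secret_h)
        if not (ok_badge and ok_secret):
            self.failures[user] = self.failures.get(user, 0) + 1
            return self._record(user, "denied", when)
        self.failures[user] = 0
        # Stand-in for the directory update a real deployment would make.
        self.passwords[user] = _digest(new_password, salt)
        return self._record(user, "reset", when)

    def daily_review(self, day):
        # Entries for the admin's phone follow-up on a given date.
        return [e for e in self.log if e["when"].date() == day]
```
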