Password Reset Process

Thread: Password Reset Process

  1. #1
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Question Password Reset Process

    I am currently investigating how we can improve our password reset process. At this point in time the process is sadly lacking in terms of validation of the person making the request for the password reset. I would like your opinions on a process that works for your business. Some ideas I am exploring right now include:

    Call Back.
    When a user calls the support center for a password reset, it is not done while the user is waiting on the phone. The support center takes the information, fills out a ticket, resets the password and phones the user back at the user's phone local.

    Voice Mail.
    When a user calls the support center for a password reset, it is not done while the user is waiting on the phone. The support center takes the information, fills out a ticket, resets the password and leaves a message in the user's voicemail box (which is also password protected).

    Secret Word/Phrase.
    Design/buy a system in which all users would enter a secret word or phrase. When a user calls the support center for a password reset, the support center enters this system, looks up the user, and asks them what their secret word / phrase is. If correct, the password is reset and given to the user.

    Password Management System.
    Purchase of a full password management system such as P-Sync or BMC Software's Control-SA/PassPort.

    The major problem I have to deal with is cost, therefore the Password Management System is likely not an option.

    I'd be interested to hear what system(s) works for you.
    Thanks for any help

    Cheers:
    DjM

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    242
    I would think the phone might have problems too, though this is hypothetical (on my part). How about they submit a request to change their password by email, YOU call their personal number, verify and implement the change??

    */ I think you said something similar above */
    the only way to fix it is to flush it all away-tool

  3. #3
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by jxrry59
    submit a request to change their password by email
    Most often, it's their e-mail password they have forgotten.

    Thanks anyways.

    Cheers:
    DjM

  4. #4
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    I think the call back option would be the best. That is pretty close to what we do. The only thing I would add is that when we reset the user's password it is a one-time-only password. In other words, they are forced to change it the first time they use it.
    Work... Some days it's just not worth chewing through the restraints...

  5. #5
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    We used a system called Password Courier, which can be found at http://www.courion.com/products/pwc/index.asp?Node=PWC

    They also have a calculator that will show you how much a help desk call costs versus using the program. It worked directly with Windows 2k AD also.
    Duct tape.....A whole lot of Duct Tape

  6. #6
    Member
    Join Date
    Feb 2003
    Posts
    96

    Re: Password Reset Process

    If your company can afford to implement the call back method by having someone available to answer phones, then this method would be the fastest and most reasonably secure. You may also want to consider using something else to verify the individual's identity with the company and to make reference other than the call back number, i.e. employee number, etc...

    Note: If your company is large you may want to implement the voice mail method with the same specifications as above. Although this method will be slower than the above listed method because the user will not get the pw immediately. Although, it should still be satisfactory enough to get the job done.

    -neta1o-
    ][ neta1o ][

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    We use the "something you have and something you know" approach.

    Example:
    ===============
    User forgets password.
    User establishes an SSL (version 3) connection to the helpdesk server.
    Helpdesk server asks end user for his badge ID # (something he/she has) and Social Security # (something he/she knows)
    If all info matches, the password is reset to whatever the user sets it to and a log entry is made.
    Logs are reviewed daily by the AD Admin who follows up via phone to ensure validity.

    We also have a secret answer to a question the end user has supplied as a third method of validation.

    Hope this helps out.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
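
An added example (not code from any poster in this thread) that combines the call-back step from posts #1 and #6, the forced change on first use from post #4 and the daily log review from post #7. The directory entry, function names and event names are hypothetical, and PBKDF2 stands in for whatever the real account store uses.

```python
import hashlib
import secrets

# Constructed sample data; every name and value below is hypothetical.
DIRECTORY = {"jsmith": {"employee_no": "10482", "phone_local": "5551"}}
ACCOUNTS, AUDIT_LOG = {}, []   # credential records; log reviewed daily

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _log(now, event, user, **detail):
    AUDIT_LOG.append({"ts": now, "event": event, "user": user, **detail})

def open_ticket(user, employee_no, caller_number, now):
    """Take the request; nothing is reset while the caller is on the line."""
    entry = DIRECTORY.get(user)
    if entry is None or not secrets.compare_digest(
            entry["employee_no"].encode(), employee_no.encode()):
        _log(now, "reset_denied", user, caller=caller_number)
        return None
    # The call-back number comes from the directory, never from the caller.
    _log(now, "reset_requested", user, caller=caller_number,
         mismatch=caller_number != entry["phone_local"])
    return {"user": user, "callback": entry["phone_local"]}

def issue_temp_password(ticket, now):
    """Run only after the call back reached the user on the number on file."""
    temp, salt = secrets.token_urlsafe(12), secrets.token_bytes(16)
    ACCOUNTS[ticket["user"]] = {"salt": salt, "hash": _hash(temp, salt),
                                "must_change": True}
    _log(now, "reset_done", ticket["user"], callback=ticket["callback"])
    return temp

def login(user, password):
    acct = ACCOUNTS.get(user)
    if acct is None or not secrets.compare_digest(
            acct["hash"], _hash(password, acct["salt"])):
        return "denied"
    return "change_required" if acct["must_change"] else "ok"

def change_password(user, old, new):
    if login(user, old) == "denied" or new == old:
        return False
    salt = secrets.token_bytes(16)
    ACCOUNTS[user].update(salt=salt, hash=_hash(new, salt), must_change=False)
    return True

def daily_review(day):  # reset events the admin follows up on by phone
    return [e for e in AUDIT_LOG
            if e["ts"].date() == day and e["event"].startswith("reset_")]
```

The `mismatch` field records a request that came from a number other than the one on file, which gives the daily reviewer a reason to follow up on that ticket first.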
