Password reset best practices
egrizzly
For the information security experts out there: is it a security violation if helpdesk agents have knowledge of a temporary password during a password reset? I mean, as long as the user changes it right away, it is not a security violation. My former co-worker says they are not allowed to even have knowledge of the temporary password during any password reset.
Are there any best practices that reference this, i.e. that having knowledge of the temporary password is a security violation? It sure has my attention piqued.
Comments
umarbhatti
Not a sec expert but work as a SD TL.
For us it's not a security breach at all. If a staff member phones up and needs their password reset, the SD have to tell them over the phone until the staff member changes the password.
In some instances SD staff have to ask for staff members password, when configuring a new PC/Laptop or even a mobile device for staff.
jelevated
It doesn't have to be. In some cases it's the only solution. At the very least, audit if your SD is handing out passwords at really odd times, for really odd people/VIPs. Better if the user is required to update their password immediately after.
paul78
It would depend on a variety of circumstances. But generally, for me, this would be a finding in any risk assessment.
If the user account was privileged and has access to confidential information normally not available to a helpdesk agent, the risk is higher. Personally, I would never want to see a process where the helpdesk agent has access to a password.
As far as other controls that would need to be in place:
1. The temp password should have an expiration.
2. There needs to be a technical control to enforce password change when the temp password is used.
3. The helpdesk agent must have a way to authenticate the user that requests the password.
More often, I see that #3 is inadequate. Ideally the password reset process is tied to the authentication process so as to reduce human error or a sloppy helpdesk agent that forgets to authenticate a caller.
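The three controls paul78 lists (temp password expiry, forced change on first use, caller verification before anything is issued) and jelevated's suggestion to audit resets at odd hours are shown together in the following Python model. This is an added example written for this page, not code from any poster or product; the 15-minute lifetime, the 08:00-17:59 UTC business-hours window, the PBKDF2 hashing and the `Directory`/`Account` names are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Policy values chosen for this example (assumptions, not taken from the thread).
TEMP_PASSWORD_TTL_SECONDS = 15 * 60
BUSINESS_HOURS_UTC = range(8, 18)  # 08:00-17:59 UTC counts as normal working hours


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    must_change: bool = False                # control 2: change forced on first use
    temp_expires_at: Optional[float] = None  # control 1: temp password lifetime


def hash_password(password: str, salt: bytes) -> bytes:
    # Only a salted hash is ever stored, so a temp value cannot be read back later.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Toy account store with a help-desk reset flow and an audit trail."""

    def __init__(self, clock):
        self._clock = clock               # callable returning a POSIX timestamp
        self.accounts: dict[str, Account] = {}
        self.audit: list[dict] = []       # every reset attempt is recorded, success or refusal

    def _log(self, event: str, **fields):
        self.audit.append({"ts": self._clock(), "event": event, **fields})

    def _set_password(self, acct, password, must_change, expires_at):
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(password, acct.salt)
        acct.must_change = must_change
        acct.temp_expires_at = expires_at

    def create(self, username, password):
        acct = Account(username, b"", b"")
        self._set_password(acct, password, False, None)
        self.accounts[username] = acct

    def helpdesk_reset(self, agent, username, caller_verified):
        # Control 3: refuse, and record the refusal, when the caller was not authenticated.
        if not caller_verified:
            self._log("reset_refused", agent=agent, target=username)
            raise PermissionError("caller identity not verified")
        acct = self.accounts[username]
        temp = secrets.token_urlsafe(12)
        self._set_password(acct, temp, True, self._clock() + TEMP_PASSWORD_TTL_SECONDS)
        self._log("temp_password_issued", agent=agent, target=username)
        # Returned exactly once for the agent to read to the verified caller.
        return temp

    def login(self, username, password, new_password=None):
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            return "denied"
        if acct.temp_expires_at is not None and self._clock() > acct.temp_expires_at:
            return "expired"            # control 1: a stale temp password is worthless
        if acct.must_change:
            if new_password is None or new_password == password:
                return "change_required"  # control 2: no session until it is replaced
            self._set_password(acct, new_password, False, None)
            self._log("password_changed_by_user", target=username)
        return "ok"


def off_hours_resets(audit, business_hours=BUSINESS_HOURS_UTC):
    """Temp-password issuances outside business hours: the 'odd times' audit check."""
    flagged = []
    for rec in audit:
        if rec["event"] != "temp_password_issued":
            continue
        hour = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).hour
        if hour not in business_hours:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    import time
    d = Directory(time.time)
    d.create("alice", "Correct-Horse-1")
    temp = d.helpdesk_reset("agent7", "alice", caller_verified=True)
    print(d.login("alice", temp))                              # change_required
    print(d.login("alice", temp, new_password="New-Pass-2"))   # ok
    print(off_hours_resets(d.audit))
```

The agent only ever sees the temp value once, at issuance, and the store keeps a hash; the state the account is left in (must change, expires soon, logged with the agent's name) is what makes the agent's knowledge a bounded risk rather than a standing one, which is the gap between "the helpdesk knows the password" and "the helpdesk knows a credential that cannot open a session".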
shimasensei
Interesting point. This is somewhat of a gray area in terms of enforcement and verification. Which is why user self-service account unlocks and password resets are a great first option (via verification questions, MFA codes, physical tokens, etc.). Calling helpdesk for a reset should be a last resort.
mbarrett
It just comes down to risk mitigation - in other words, security vs. convenience. If you make it too much of a pain in the ass for people to change their password, a lot of people won't bother - so then your level of risk actually goes up.
It's up to you whether you want to trust your help desk people to coordinate the password change.
It's a security violation only if you want it to be - is this normal behavior? Yes. Is it adding risk? Maybe, but in the bigger picture you have to keep the overall business running. If you keep everything locked down, very little gets done.
TechGromit
Password Policies.
1. Passwords must be a minimum of 20 characters, must have upper, lower, number and special characters, no repeating characters.
2. If a user makes one mistake on their password, they must reboot their computer to try again; two failures and the account is locked out; three, instant termination.
3. Users are not allowed to write passwords down.
4. Passwords must be changed once a day, no duplicate passwords allowed, ever.
5. All passwords must not spell any words or phrases, they must be completely random.
6. Every application must have a separate password, no sharing passwords between applications.
7. The use of password management programs, like Keepass, is strictly prohibited; users must rely on memorizing daily passwords.
TechGuru80
Whether it is a violation depends on your organization's security policies. Ideally, you will have a portal where employees can reset their password without needing intervention from the help desk...however, a help desk password change will be logged and the user should be forced to change their password on login.