Password reset

How do you guys deal with password resets where you work?

Trying to think of a good way to ensure the user is who they say they are.

Comments

  • JDMurray | MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ | Surf City, USA | Admin | Posts: 11,663
    Access to your network is granted by only knowing an account name and password? You need to throw one or two other authentication factors in there, such as hard and soft certificates. That way just knowing an account name and password won't grant illicit access to your network.
  • the_hutch | Banned | Posts: 827
    The best way is physical verification. Force the user to come on-site to reset their password. If the users are too spread out for this to be convenient, you could have a single appointed agent in each organization/building/etc. to verify the identities of people needing password resets. That person could then send a digitally signed email (using S/MIME technology) to the helpdesk to authorize the reset.
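
The signed-authorization step described in the last comment can be checked mechanically at the helpdesk: the signature must chain to the organization's CA and the signer must be one of the appointed agents. This is an added example, not code from anyone in this thread; it assumes the `openssl` command-line tool, and the throwaway CA, names, addresses and file paths are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example; every name, address and path here is constructed for the demo.

# Throwaway CA standing in for the organisation's PKI. $1 = work dir
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Org CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a signing certificate. $1 = dir, $2 = short name, $3 = email address
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2/emailAddress=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# Clear-sign a reset authorization. $1 = dir, $2 = signer, $3 = text, $4 = out
sign_request() {
  printf '%s\n' "$3" | openssl smime -sign -text \
    -signer "$1/$2.pem" -inkey "$1/$2.key" -out "$4" 2>/dev/null
}

# Helpdesk check: the signature must verify against the org CA AND the signer's
# (first) certificate address must be on the appointed-agent list.
# Prints the signed text on success. $1 = message, $2 = CA file, $3 = agent list
verify_reset_auth() {
  local tmp rc=1 signer_email
  tmp=$(mktemp -d) || return 1
  if openssl smime -verify -text -in "$1" -CAfile "$2" \
       -signer "$tmp/signer.pem" -out "$tmp/body" 2>/dev/null; then
    signer_email=$(openssl x509 -in "$tmp/signer.pem" -noout -email | head -n1)
    if [ -n "$signer_email" ] && grep -Fxiq -- "$signer_email" "$3"; then
      tr -d '\r' < "$tmp/body"   # S/MIME canonical text uses CRLF
      rc=0
    fi
  fi
  rm -rf "$tmp"
  return $rc
}

# Demo run with constructed data.
d=$(mktemp -d); make_ca "$d"
issue_cert "$d" agent1 agent.bldg1@example.com
echo "agent.bldg1@example.com" > "$d/agents.txt"
sign_request "$d" agent1 "RESET user=jdoe ticket=DEMO-1" "$d/ok.eml"
verify_reset_auth "$d/ok.eml" "$d/ca.pem" "$d/agents.txt" && echo "authorized"
```

A valid signature says nothing about freshness, so the helpdesk would still need to match the ticket reference in the signed text against an open request.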