Users and employees are human, it turns out — and forget or lose their passwords from time to time, making password resets an important part of any digital security system.
But rather than taking up a significant amount of Help Desk employee time and operating with the risk of inadvertently giving out a new password to a hacker, implementing an automated password reset system can solve both problems at once by improving data security and freeing up Help Desk time to deal with more important issues.
The way typical password reset alerts work is that a reset system or software sends out an automated email or SMS alert to the account owner when the password is reset. A typical message you may be used to seeing might read something like this:
We received a request to reset your System X password today at 12:30 PM from a computer at IP address 112.223.334. If you intended to make this change, please disregard this message. If you did not request a password reset, please email IT or call 123-456-7890.
For administrators, there are some password reset scenarios that should immediately send up red flags. For example, if a person logs in by entering their username and password five days in a row and then requests a password reset on the sixth day from another location, it could be a perfectly innocent happenstance — or something worse. The situation could be as simple as this: An employee had their password written on a sticky note by their primary computer (which is a very insecure place to keep a password) and didn’t have the information by their second computer. However, it could also be as bad as a hacker requesting a new password from another one of the user’s computers — perhaps one that has access to the user’s email address that could receive the reset alert email.
Fake password reset alerts can also be used to trick users into giving up their account credentials. A common phishing scheme involves spoofing these sorts of alert emails, tricking users into entering their old (and still valid) credentials. One of these phishing emails might read something like this:
We received a request to reset your password for your System X account. If you do not wish to change your password at this time, please click here. Or, click here to confirm the new password. Please respond within 48 hours or your account will be closed.
Upon clicking either link, the user would be taken to a page that looks very similar to the System X login page, with a request to enter their user name and password. This is where the hacker can then log in as the user and take control of their account–that is, unless the user’s account has multi-factor authentication enabled. This phishing scheme is also used with expiring password notifications — asking for a user to enter the old password before selecting a new one. Avoiding phishing attempts requires users to be well-educated about common internet scams and to be sure that they only enter their login credentials into the sites and services they intend to use (e.g. don’t enter your bank password anywhere but on your bank’s website).
These various alerts can help users know when to contact the data security team when they suspect their accounts have been compromised. However, password reset alerts should not just go to users. Security managers should also receive automated alerts for certain events such as multiple reset attempts or other behaviors that could suggest someone is trying to hack into an account by guessing a password or a brute force attack. Seeing reports and data on password resets within the system can help security teams spot suspicious behavior and prevent a data breach.
In short, security issues around password resets can be mitigated if end users are educated and Help Desk and security admins have appropriate security software and tools. If you’re an admin looking for software to improve the access controls on your system or to automate and improve the security of the password reset process, you should check out ReACT – a full-featured, self-service password reset application designed specifically for your organization. Curious? Sign up for a free trial of ReACT and see what security teams and system admins around the world already know about how to make the Help Desks more secure while at the same time more cost effective.