Via BleepingComputer
Frustrating for both users and administrators, password management can be a challenge to manage in any organization. One lost or stolen password may be the crack in your organization’s foundation, allowing an attacker to slip in.
Conventional password recommendations have held that regular changes and lengthy and complex passwords would keep attackers at bay. Many guidelines have been published, but in recent years, conventional wisdom has been changing.
One such guideline, initially published in 2017 but updated in 2020, is the NIST Password Guideline Standards (NIST Special Publication 800-63 Revision 3). A significant change included the removal of the prior recommendation for regular password changes.
The Good and Bad of Password Resets
NIST's recommendation against routinely rotating a user's password does not mean there are no longer valid reasons to reset one. Below are some pros and cons showing where password resets make sense and where they fall short.
| Pros | Cons |
| --- | --- |
| Regular password resets mean a stolen password is usable for only a limited time. | A user is more likely to fall back on a typical password pattern, leading to insecure passwords. |
| When a breached password is found, forcing a password reset ensures users do not continue to use insecure passwords. | An organization can avoid future resets by checking for breached passwords on a password change. |
| Lost devices should necessitate a password change to ensure that a cached password is not used. | Multi-factor verification makes a lost device more of a nuisance than a security issue, especially with encrypted devices. |
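The "check for breached passwords on a password change" point in the table, and the "repeating pattern" problem mentioned later, can both be enforced at change time rather than by calendar rotation. The following is an added example, not code from the article or from any vendor it mentions: it assumes a range-style breach lookup (only a 5-character SHA-1 prefix is sent, suffixes are compared locally) and uses a small constructed breach list in place of a real service.

```python
import hashlib
from collections import defaultdict

# Constructed sample breach list for offline demonstration only; a real
# deployment would query a breached-password service or a local corpus.
CONSTRUCTED_BREACHED = ["password", "Password1", "Summer2023!", "qwerty123", "letmein"]

def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form used by range-style breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Index suffixes by 5-character prefix so a lookup only ever sees the prefix.
_RANGE_INDEX = defaultdict(set)
for _pw in CONSTRUCTED_BREACHED:
    _h = sha1_hex(_pw)
    _RANGE_INDEX[_h[:5]].add(_h[5:])

def range_lookup(prefix: str) -> set:
    """Stand-in for a k-anonymity range query (assumed service shape): given a
    5-char prefix, return every known suffix. The full hash never leaves the caller."""
    return set(_RANGE_INDEX.get(prefix.upper(), ()))

def is_breached(password: str) -> bool:
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])

def is_repeating_pattern(password: str) -> bool:
    """True if the password is one short unit repeated, e.g. 'abcabcabc'."""
    n = len(password)
    for unit in range(1, n // 2 + 1):
        if n % unit == 0 and password[:unit] * (n // unit) == password:
            return True
    return False

def validate_new_password(password: str, min_len: int = 8):
    """Return (ok, reason). Applied when the user changes a password, so weak
    or already-leaked choices are rejected up front and no later forced reset is needed."""
    if len(password) < min_len:
        return False, "too short"
    if is_repeating_pattern(password):
        return False, "repeating pattern"
    if is_breached(password):
        return False, "found in breach corpus"
    return True, "ok"
```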
With all of these potential scenarios in mind, how do password resets, scheduled or unscheduled, cause real economic and productivity damage?
The Ever-Increasing Overhead of Password Resets
Many users dread a password reset. There is always a cost, whether it stems from the procedure itself or from a problem it causes. Imagine a user who is about to start the workday but first needs to rotate their password because company policy requires it. This is not uncommon: many users wait until the last minute to change a password, leading to locked-out accounts and longer-than-expected password reset tickets.
In its studies, the Gartner Group found that between 20% and 50% of all help desk calls are for password resets. On top of that, each password reset typically takes between 2 and 30 minutes to resolve. The time and cost a helpdesk could save by reducing password resets would let it focus on more complex problems.
The increased interconnectivity of systems often compounds these time commitments. In an authentication system like Active Directory, a password reset means the changed password must be replicated to every connected Domain Controller (DC).
With more remote workers, the DCs may be geographically spread out, leading to longer replication times. Adding further subsystems into the mix, some of which even require manual synchronization, compounds the problem even more!
Any user facing the prospect of 30 minutes or longer to resolve a password reset will do whatever they can to avoid it. How might users avoid password reset issues? Instead of choosing a strong password, they may opt for one that is easily remembered, such as a repeating pattern. Or they may write the password down, often leaving it in an insecure location.
Reset Password Sends Productivity Down the Drain
What happens when a user misses the window to reset their password, or forgets the latest password because there have been so many recent changes? Not only must the user reach out to an already overworked helpdesk, but they are stuck waiting for a resolution rather than working in the meantime.
Plus, when a user is locked out, the password reset takes priority over other vital tasks since that user can no longer work. Any organization’s priority would be to get that individual productive once again. Thus, a password reset necessarily diverts a helpdesk’s attention.
As recent years and studies have shown, the move to more remote work is not slowing down. 58% of Americans reported having the opportunity to work from home at least one day a week. A potential benefit is more flexible work hours.
There are many benefits to flexible working hours, both for employees and employers, but this also means that when a password reset is required, it may be outside helpdesk hours. Without assistance, the employee is stuck until the next day, potentially leading to even more productivity loss.
How Password Resets Hurt the Bottom Line
Moreover, passwords can be an expensive burden for organizations of all sizes. Forrester Research states that the average help desk labor cost for a single password reset is about $70. This does not account for the user's lost productivity, compounded by the many password resets done in a given year.
According to a Yubico-sponsored report, the average user spent 10.9 hours a year on password resets, leading to an average productivity loss of $5.2 million a year for a 15,000-user organization (based on a $32-an-hour average). The Yubico report focused on the end user, but that is not the only place where the time investment lies.
For IT helpdesks, a Onelogin study found that over 37% of companies spend more than 6 hours a week on password resets. That is time a helpdesk employee could spend on other, more critical tasks; it could even mean an organization needs fewer helpdesk employees overall!