If your organization has a help desk or other staff that handles password resets, be aware that password reset tickets are an opportunity for attackers. When an employee, supplier or customer forgets their password, that account becomes vulnerable. If you don't follow best practices for password management, and ultimately for identity and access management, help desk processes can create further vulnerabilities. Don't open the door to hackers: make sure the help desk service and its password reset process are secure.
Start From A Phone Or Password Reset Ticket
First, make sure the help desk itself is secure. Help desks are a frequent target of attacks, so get your own house in order: secured machines, security training, and NIST-compliant processes.
Then, when a user calls or emails to say they have forgotten their password, start by verifying the user: make sure the caller is the owner of the account. Also make sure that attackers cannot easily pass the verification process. That means no common security questions. Traditional questions such as the mother's maiden name, the user's high school, or the employee's hire date ask for information that cybercriminals can easily find online.
Ideally, use multi-factor authentication (MFA) to validate the user. MFA that requires a key card, or that requires the user to respond from a registered device by replying to an email or text message, is recommended for effective identity and access management. If that is not possible, ask a series of questions based on personal information that is not easily found.
Temporary Help Desk Password
Some help desk services respond to password reset requests by issuing a temporary password. This is not a recommended approach: it opens an intrusion opportunity, because at least two people know the password and it must be conveyed to the user.
If you need to use this approach, follow these guidelines:
- Always use a unique password for each user. Don't use the same temporary password for everyone; one leak can then open multiple accounts.
- Use a long password. 16 characters or more is ideal.
- Generate a random password. It must consist of random characters, not words, and nothing predictable like HiredateName.
- Use a combination of uppercase, lowercase, numbers, and special characters. Avoid obvious and common substitutions like 0 for the letter O and 3 for the letter E.
- If you issue a temporary password, you need a way to verify that the user has changed it. Your password requirements must also ensure that the new password the user creates is strong.
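The guidelines above, as an added example that is not part of the original post: a per-user CSPRNG temporary password of 16+ characters with all four character classes, a check that it does not embed facts from the user's record even after 0/O and 3/E style substitutions, and a record that flags accounts whose temporary password was never changed. The 24-hour deadline, the in-memory record store and the `_LEET` substitution table are assumptions.

```python
import secrets
import string
from datetime import datetime, timedelta

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*-_=+?"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
MIN_LENGTH = 16                      # the article's "16 characters or more"
TEMP_LIFETIME = timedelta(hours=24)  # assumption: how long a temp password may stay unchanged
_LEET = str.maketrans("013458@$", "oieasbas")  # assumption: common substitutions to undo

def meets_class_requirements(pw: str) -> bool:
    """16+ chars with upper, lower, digit and special characters all present."""
    return (len(pw) >= MIN_LENGTH
            and any(c in UPPER for c in pw) and any(c in LOWER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SPECIAL for c in pw))

def contains_personal_data(pw: str, facts: list[str]) -> bool:
    """True if the password embeds a fact from the user's record (name, hire date),
    even after obvious substitutions such as 0 for O or 3 for E."""
    norm = pw.lower().translate(_LEET)
    return any(f.lower() in norm for f in facts if len(f) >= 3)

def generate_temporary_password(facts: list[str], length: int = 20) -> str:
    """Fresh CSPRNG password per user; resample until every check passes."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_class_requirements(pw) and not contains_personal_data(pw, facts):
            return pw

def issue_temporary(records: dict, user: str, facts: list[str], now: datetime) -> str:
    """Issue a temp password and record that this account must change it by a deadline."""
    pw = generate_temporary_password(facts)
    records[user] = {"temp": pw, "must_change": True, "deadline": now + TEMP_LIFETIME}
    return pw

def set_new_password(records: dict, user: str, new_pw: str, facts: list[str]) -> bool:
    """User-chosen replacement must differ from the temp value and pass the same policy."""
    rec = records[user]
    if (new_pw == rec["temp"] or not meets_class_requirements(new_pw)
            or contains_personal_data(new_pw, facts)):
        return False
    rec.update(temp=None, must_change=False)
    return True

def unchanged_after_deadline(records: dict, now: datetime) -> list[str]:
    """Accounts still on a temp password past the deadline: lock or re-verify these."""
    return [u for u, r in records.items() if r["must_change"] and now > r["deadline"]]
```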
Password Reset Email
Even if you reply to the request via email, you still need a verification process to make sure the reset request does not come from an attacker. As a safeguard, send the account owner a separate email notifying them that a password reset has been requested and/or that the password has been reset. This also helps foil an attack, especially if it explains how to contact the help desk if they did not request a reset.
Do not send a new or temporary password in the reply email, and do not email the account owner's username. Doing so gives an attacker who intercepts the email half of the credential pair. Ideally, send a password reset link, so the temporary password is no longer needed and the user can reset their own password. When you do:
- Make sure your email doesn't look like a phishing email. The spelling must be correct and the message must have a professional format.
- Set an expiration time on the reset link and make it a one-time link. This closes another potential door for cybercriminals.
- Be sure to include a description of how to contact support if the user needs further help or did not request a reset.
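The reset-link handling described above, as an added example that is not part of the original post: the link carries a random token and nothing else, only the token's hash is stored, the token expires and can be redeemed exactly once, the owner is notified separately when a reset is requested and when it completes, and every redemption lands on the same neutral page regardless of account type. The 30-minute lifetime, the `/account/password-updated` path, the in-memory store and the notification list standing in for outbound mail are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

TOKEN_LIFETIME = timedelta(minutes=30)          # assumption: links expire 30 minutes after issue
NEUTRAL_LANDING = "/account/password-updated"   # one landing page for every account type


@dataclass
class ResetRequest:
    user: str
    token_hash: str     # only the hash is stored; the raw token exists in the e-mail alone
    expires: datetime
    used: bool = False


class ResetService:
    """Issues single-use, expiring reset links and notifies the owner at each step."""

    def __init__(self) -> None:
        self._pending: dict[str, ResetRequest] = {}        # keyed by token hash
        self.notifications: list[tuple[str, str]] = []     # constructed stand-in for outbound mail

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_link(self, user: str, now: datetime, base_url: str) -> str:
        token = secrets.token_urlsafe(32)                  # 256-bit CSPRNG value
        h = self._hash(token)
        self._pending[h] = ResetRequest(user, h, now + TOKEN_LIFETIME)
        # Separate notice to the owner: a reset was requested, and how to reach the help desk if not by them
        self.notifications.append((user, "A password reset was requested for your account. "
                                         "If this was not you, contact the help desk."))
        return f"{base_url}/reset?token={token}"           # link only: no username, no password

    def redeem(self, token: str, now: datetime):
        """Return (user, landing page) exactly once; None if unknown, expired or already used."""
        req = self._pending.get(self._hash(token))
        if req is None or req.used or now > req.expires:
            return None
        req.used = True                                    # a second click on the same link fails
        self.notifications.append((req.user, "Your password has been reset."))
        return req.user, NEUTRAL_LANDING
```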
Regarding the reset link itself, be careful that the redirect page or the thank-you page shown after the reset does not reveal information about the user or the type of account they hold. For example, do not redirect to an administrator login or a wallet account login; a potential attacker would then learn about the account's privileges and ownership.
Finally, use the reset as an opportunity to educate your employees and customers. The more users understand and work to improve security, the more secure they will be. It bears repeating: make sure they know why a strong password is important and what could be at risk if their account is compromised.
A Better Way
If you still do manual password resets, you will find them an expensive process. Today there are many tools that make password resets easy. The best ones remove IT and the help desk from the password reset process entirely by letting users perform self-service password resets. Self-service password reset tools still require multi-factor authentication and enforce strong password requirements, but they eliminate irritating delays for users and many of the vulnerabilities inherent in manual processes.