First, make sure your helpdesk itself is secure. Get your own security house in order: that means secure machines, security training, and NIST-compliant processes.

Then, when users call or email to say they have forgotten their password, start with user verification, i.e. verify that the user is the owner of the account. Make sure your verification process is hard for hackers to infiltrate. That means don't use common security questions. Traditional questions like mother's maiden name, the user's high school, or the employee's hire date rely on information that cyber criminals can easily discover online.

Ideally, use multi-factor authentication (MFA) to verify users. MFA that requires a card key, or that requires the user to respond to an email or text (i.e. device in hand), is preferred for efficient identity and access management. If that's not possible, ask a series of questions that rely on personal information that's not easy for a hacker to find.

Some helpdesks respond to password reset requests by providing a temporary password. This isn't the preferred approach, because it means at least two people know the password and it requires conveying a temporary password, which opens an opportunity for infiltration. If you must use this approach, follow these guidelines. Always use a unique password for each user; don't use the same temporary password for everyone, which would mean that a single mistake opens the door to multiple accounts. Use long passwords, ideally sixteen characters or more. They should consist of random characters, not words, and nothing predictable like HiredateName. Use a mix of uppercase, lowercase, numbers, and special characters, and avoid obvious and common substitutions like zero for the letter O or three for the letter E. If you do send a temporary password, you need a way to verify that the user changed his or her password from the temporary one that you provided, and your password requirements should ensure that whatever new password the user comes up with is also a strong one.

If you respond to requests with an email, you still need a verification process to ensure that the reset request isn't coming from a hacker. To be safe, make sure that you separately email or otherwise notify the user that there was a password reset request and/or that the password was reset, and include a way for the person to contact your helpdesk if he or she didn't request that reset, so you can thwart any attack.

In your response email, never send the new or temporary password. Don't even send the account holder's username in the email; doing so gives a hacker who intercepts the email half of the credential pair. Ideally, you will send a password reset link, so that no temporary password is necessary and the user can reset his or her own password.
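The temporary-password guidelines above (unique per user, sixteen-plus random characters from all four classes, and a check that the user has moved off the temporary password) as an added Python example that is not part of the original post; the in-memory ACCOUNTS store, the PBKDF2 parameters and the SPECIAL character set are assumptions standing in for whatever directory and password policy a real helpdesk uses.

```python
import hashlib
import hmac
import secrets
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
MIN_LENGTH = 16  # "ideally sixteen characters or more"

# Constructed in-memory account store standing in for a real directory (assumption).
ACCOUNTS: dict = {}

def meets_policy(password: str) -> bool:
    """The measurable parts of the policy: length plus all four character classes."""
    classes = (UPPER, LOWER, DIGITS, SPECIAL)
    return len(password) >= MIN_LENGTH and all(any(c in cls for c in password) for cls in classes)

def generate_temporary_password(length: int = 20) -> str:
    """Random characters from a CSPRNG, so every user gets an independent, unique value."""
    while True:  # resample until every character class is present
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(max(length, MIN_LENGTH)))
        if meets_policy(candidate):
            return candidate

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def issue_temporary_password(username: str) -> str:
    """Set a fresh temporary password and flag the account as must-change."""
    temp = generate_temporary_password()
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _hash(temp, salt), "must_change": True}
    return temp  # conveyed out of band; it never goes in the reset email

def change_password(username: str, current: str, new: str) -> bool:
    """Accept only a strong new password that differs from the temporary one."""
    acct = ACCOUNTS[username]
    if not hmac.compare_digest(_hash(current, acct["salt"]), acct["hash"]):
        return False  # wrong current password
    if not meets_policy(new) or hmac.compare_digest(_hash(new, acct["salt"]), acct["hash"]):
        return False  # weak, or the user just re-entered the temporary password
    salt = secrets.token_bytes(16)
    acct.update(salt=salt, hash=_hash(new, salt), must_change=False)
    return True

def still_on_temporary_password(username: str) -> bool:
    return ACCOUNTS[username]["must_change"]  # the verification step the text calls for
```

The must_change flag is what lets the helpdesk confirm, rather than assume, that the temporary password was replaced.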
December 2022