Ideas for secure password changes?

bobstone

Hello

I work at an IT company and I have been tasked with creating a policy for how we do password changes for clients.

We have clients in all fields at different companies and we need to establish a secure way for our helpdesk to verify the person before we perform a password reset.

The company wants this to be human controlled and does not plan on spending any money for a password reset program or an authentication system.

My thought was to leave it up to the clients: for example, have 2-3 people designated at the client's office who are the only people we will accept password reset requests from; they would be the point of contact to us and would forward requests.

My other thought is that when someone calls us we would request a co-worker's/supervisor's email address (and confirm that address in our system), then send the reset password to them.

What do you all think, and/or does anyone have some good suggestions for me?

Thanks.
 
do you have any federal policies to abide by?
Giving a password to a supervisor is, technically, against HIPAA regulations. Anybody other than the user having the user's password is a no-no.

Use something like a security password the users provide, last 4 of SSN, or something similar.
 
I've been thinking a bit about this for where I work too, because it seems like our turnover is so high that we're processing password resets for people we don't know...

I also don't want to give supervisors anyone's password.

I was thinking about also keeping a DB of last 4 of SSN.

Along the same lines, I was thinking of maybe having a secure code that the supervisor could provide to the user before we would reset a password,

but I hadn't really thought about how that would work either... the generation/verification....
 
Well, my problem is that they are going to want a way to do this that involves the least amount of change on our part and the least amount of change for the customer.

The security password seems like a good idea; by that, do you mean something like a code the helpdesk would ask the client for before they change the password?

For HIPAA that is some interesting info, can you show me a link to the standard that states that? I will need it to pass on some info to our higher ups since we may be supporting HIPAA in the future.
 
For example, on the HIPAA issue, would changing the password and giving it only to the user, but having the "change password on next logon" option checked be acceptable? Or to be HIPAA compliant would we need to have a password reset program so no tech (even temporarily) knows the password?
 
Yes, so you have a code that's generated somehow, maybe hashed against the supervisor's login and the current time or something.

Then when someone calls to get their password reset, they have to get this code from their supervisor, which changes twice a day or something... you can then verify that this code was generated for that supervisor at that time, so the supervisor verifies the identity.

Just an idea... I'll have to think about that some more...
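One way the hashed supervisor code described above could be built, as an added example that is not from anyone in this thread: the code is an HMAC over the supervisor's login and a 12-hour time window, so it changes twice a day and the helpdesk can recompute it without storing anything per supervisor. The secret value and the supervisor login "jsmith" are constructed placeholders.

```python
import hashlib
import hmac
import struct
import time

# Assumed: a secret known only to the helpdesk's verification tool (placeholder, not a real key).
HELPDESK_SECRET = b"replace-with-a-random-32-byte-secret"
PERIOD_SECONDS = 12 * 60 * 60   # the code rolls over twice a day, as the post suggests
CODE_DIGITS = 8

def period_index(ts: float) -> int:
    """Which 12-hour window a Unix timestamp falls in."""
    return int(ts) // PERIOD_SECONDS

def authz_code(secret: bytes, supervisor: str, ts: float) -> str:
    """Derive the supervisor's reset-authorization code for the window containing ts.
    Binding the login name and the window index under an HMAC means the code is only
    valid for that supervisor and only for that half-day."""
    msg = supervisor.lower().encode() + b"\x00" + struct.pack(">Q", period_index(ts))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226, section 5.3) to a short decimal code
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)

def verify_code(secret: bytes, supervisor: str, code: str, ts: float, skew: int = 1) -> bool:
    """Helpdesk check: accept the code for the current window or up to `skew` earlier
    windows, so a code handed over just before the half-day boundary is still honored.
    Constant-time comparison avoids leaking how many digits matched."""
    for back in range(skew + 1):
        candidate = authz_code(secret, supervisor, ts - back * PERIOD_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False

if __name__ == "__main__":
    now = time.time()
    code = authz_code(HELPDESK_SECRET, "jsmith", now)
    print("supervisor jsmith's code for this half-day:", code)
    print("helpdesk verification:", verify_code(HELPDESK_SECRET, "jsmith", code, now))
```

The supervisor would read the code from an authenticated page (intranet, as suggested later in the thread); the helpdesk only needs the caller's name, the supervisor's login and the code.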
 
Thanks goodcooper, that sounds like a workable idea. My only concern is that some of our users are a bit computer illiterate, and a program, even if only a button, may be too complicated for them. I was hoping to come up with a plan that only involves people and not software (that being mostly an expectation of management not wanting to have to push that out to everyone).
 
Oh, I would just put it on an authenticated website or something, like a company intranet.

But I can see how if you didn't have one of those, it would be tough.
 
Anybody other than the user having the user's password is a no-no.

This!

One of the suggestions here: change to a temporary password and have the user set one for himself on the first login.
Not even your IT staff should know your password. At my company the only 'politically correct' way for a tech (me) to enter a user's account (sometimes I have to, other times the boss demands it) is from administrator level.
I usually leave a note by the computer stating the time and reason for this, and my number. They call in, I come over, VNC into the server, open up their account and let them enter the new password themselves. I stand at a slight distance so as to not see the keyboard.
After that I close the VNC session, logout from the administrator account and let the user carry on with his stuff.
I don't want to know anyone's password because when they lose sensitive data they'll point at me and say "he knew my password, must have been him!".
Do you have your clients'/users' phone numbers? If not, make a list of either their e-mails or phones.
Be sure that they state in writing (and sign) "I declare this phone/mail as my own and authorize company XXX to use those means of communication for password resetting purposes".
So when they call, just text them a random password to their assigned e-mail or phone whilst checking 'user must change pass at logon'.
 
We've had sites that required this type of security when a PW change request came in. We had the users' cell phone/home phone numbers registered in our ticketing system. When they would call, we would hang up and call them back only on the approved number. If they didn't have the phone or the number had changed, they had to contact their supervisor, who then verified who the user was and that they were requesting a password change. We also emailed a DL whenever a change was made so they had records of every request.
 