
Frustrating for users and administrators alike, password management is a challenge for any organization. A lost or stolen password can be the crack in your organization’s foundation through which an attacker slips.

Conventional password recommendations held that regular changes and long, complex passwords would keep attackers at bay. Many guidelines have been published, but in recent years the conventional wisdom has changed.

One such guideline, originally published in 2017 and updated in 2020, is the NIST Password Guideline Standards (NIST Special Publication 800-63 Revision 3). A significant change was the removal of the earlier recommendation to change passwords regularly.

The good and bad of password resets

NIST’s recommendation against rotating users’ passwords regularly does not mean there is never a good reason to reset a password. Below are some pros and cons: cases where password resets make sense and cases where they fail.


The pros and cons

  • Pro: Regular password resets mean that a stolen password is good for a limited time.
  • Con: A user is more likely to use a typical password pattern, leading to insecure passwords.
  • Pro: When a breached password is found, forcing a password reset ensures that users do not continue to use insecure passwords.
  • Con: An organization can prevent future resets by checking for breached passwords during a password change.
  • Pro: Lost devices should require a password change to ensure a cached password is not used.
  • Con: Multi-factor verification makes a lost device more of a nuisance than a security issue, especially with encrypted devices.
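The breached-password check mentioned above (rejecting a breached password at change time so that it never has to be force-reset later), together with the NIST guidance the article cites, as an added Python example that is not code from the article or from Specops. It follows the password rules of NIST SP 800-63B, the volume of SP 800-63 Revision 3 that covers memorized secrets: a minimum of 8 characters, acceptance of at least 64, a check against context-specific words, repetitive or sequential characters and known-breached passwords, and no composition rules or scheduled expiry. The breach lookup is modeled on the k-anonymity range-lookup pattern, in which the client hashes the candidate locally and sends only the first five hex characters of the SHA-1 digest, so the server never learns the password. The breach corpus here is a constructed in-memory stand-in, and every function and name is this example's own.

```python
import hashlib
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed breach corpus for this example (password -> number of times seen).
# These entries are made up; a real deployment would query a breach-corpus
# service or an offline copy of one.
_CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password123": 5000,
    "Summer2023!": 42,
    "letmein": 300,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the digest form used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Simulated server-side range index: 5-hex-char prefix -> [(35-hex-char suffix, count), ...]
_RANGE_INDEX: Dict[str, List[Tuple[str, int]]] = {}
for _pw, _count in _CONSTRUCTED_BREACHED.items():
    _digest = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_digest[:5], []).append((_digest[5:], _count))


def range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Simulated server side of a k-anonymity lookup.

    The server only ever receives the 5-character prefix, so it cannot tell
    which of the hashes sharing that prefix the client is actually checking.
    """
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly 5 hex characters")
    return _RANGE_INDEX.get(prefix, [])


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def _is_repetitive_or_sequential(password: str) -> bool:
    """Flags passwords like 'aaaaaaaa', 'abababab', '12345678' or 'hgfedcba'."""
    if len(set(password)) <= 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def evaluate_new_password(password: str, user_context: Sequence[str] = ()) -> Optional[str]:
    """NIST SP 800-63B style acceptance check run at password-change time.

    Returns None when the password is acceptable, otherwise the rejection reason.
    Deliberately absent: composition rules (uppercase/digit/symbol quotas) and an
    expiry date, both of which the guideline dropped.
    """
    if len(password) < 8:
        return "too short: minimum 8 characters"
    if len(password) > 64:  # the guideline requires accepting at least 64; this example caps there
        return "too long: maximum 64 characters"
    lowered = password.lower()
    for word in user_context:  # e.g. username, company name, service name
        if word and word.lower() in lowered:
            return f"contains context-specific word: {word}"
    if _is_repetitive_or_sequential(password):
        return "repetitive or sequential characters"
    count = breach_count(password)
    if count:
        return f"found in breach corpus ({count} times)"
    return None


if __name__ == "__main__":
    for candidate in ["password123", "aaaaaaaa", "acme-rocks-2024", "correct horse battery staple"]:
        verdict = evaluate_new_password(candidate, ["acme"]) or "accepted"
        print(f"{candidate!r}: {verdict}")
```

Because the suffix comparison happens on the client, the server learns only that someone checked a prefix shared by every hash in that range; replacing `range_lookup` with a call to a real breach-corpus service is the only change a deployment would need. Rejecting at change time is what makes dropping scheduled resets safe: a password that was never accepted never needs a forced reset.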

With all of these potential scenarios, how do planned or unplanned password resets cause real economic and productivity damage?

Many users dread a password reset. There is always a cost, whether it stems from the procedure itself or from a problem with it. Imagine the scenario where a user is about to start their working day but must first change their password due to company policy. This is not uncommon, as many users wait until the last minute for a password change, resulting in locked-out accounts and longer-than-expected password reset tickets.

In studies, the Gartner Group found that between 20% and 50% of all help desk calls were for password resets. Additionally, each password reset typically takes between 2 and 30 minutes to resolve. The time and money a help desk could save by handling fewer password resets would let it focus on the most complex issues.

Increased system interconnectivity often compounds these time commitments. For an authentication system like Active Directory, a password reset would mean that the user account password change must be replicated to all connected domain controllers (DCs).

With more teleworkers, this can mean that domain controllers are geographically dispersed, resulting in longer replication times. Adding additional subsystems into the mix, some even with manual sync, can make the problem even worse!

Any user facing the prospect of 30 minutes or more to resolve a password reset will do whatever they can to avoid it. How do users avoid password reset issues? Instead of choosing a strong password, they opt for an easy-to-remember one, such as a repeating pattern. Or they write the password down, often leaving it in an insecure place.

Resetting passwords puts productivity to the test

What happens when a user misses the window to reset their password, or forgets the latest password because of the number of recent changes? Not only does the user have to contact the already overloaded help desk, but they are stuck waiting for a resolution rather than working in the meantime.

Also, when a user is locked out, resetting the password takes priority over other vital tasks since that user can no longer work. The priority of any organization would be to restore that individual’s productivity. Thus, a password reset necessarily diverts the attention of a help desk.

As recent years and studies have shown, the shift to remote work is not diminishing. 58% of Americans said they have the option of working from home at least one day a week. A potential benefit is more flexible working hours.

Flexible working hours have many benefits for both employees and employers, but they also mean that when a password reset is required, it may fall outside support hours. Without assistance, the employee is stuck overnight, which leads to even more lost productivity.

How Password Resets Hurt Profitability

Additionally, passwords can be a costly burden for organizations of all sizes. Forrester Research reports that the average help desk labor cost of a single password reset is around $70. This does not take into account a user’s lost productivity, compounded by the many password resets performed in a given year.

According to a report sponsored by Yubico, the average user spends 10.9 hours per year resetting passwords, resulting in an average lost productivity of $5.2 million per year for an organization of 15,000 users (based on an average of $32 per hour). The Yubico report focused on the end user, but end users are not the only ones investing time.

On the IT support side, a OneLogin study found that more than 37% of companies spend more than 6 hours per week resetting passwords. That is time a help desk employee could spend on more critical tasks, and it could even mean an organization needs fewer help desk employees overall!

Self-service password resets save the day

With all of these challenges, what can an organization do to reduce the impact of password resets? One step would be to implement the latest NIST guidelines and eliminate regular password resets. But users will inevitably forget passwords, and an unrelated breach can still lead to a compromise.

The best way for an organization to save time, money and productivity is to give users a self-service password reset solution. Specops uReset offers a variety of features that allow users to reset their passwords without a time-consuming and potentially costly IT help desk call.

  • Update cached credentials of remote users to ensure business continuity
  • Accessible from any web browser, Windows login screen or uReset mobile app
  • Verify identities with a choice of over 15 identity providers
  • Options for applying user registration and auto-registration

Password resets, while necessary in some cases, lend themselves well to self-service, with less impact on an organization’s help desk and bottom line. Fortunately, you can test Specops uReset in your Active Directory to discover a secure self-service password reset solution.

Sponsored and written by Specops software
