S 2.402 Resetting passwords

Initiation responsibility: Information Security Management, Head of IT

Implementation responsibility: Head of IT, Information Security Management

When users are required to authenticate themselves using passwords, then some users will eventually forget their password. On the one hand, users should be helped quickly in such a situation so that they can get back to work. On the other hand, however, unauthorised persons must be prevented from gaining access to IT systems due to inadequate authorisation checks (see T 5.42 Social Engineering). For this reason, every organisation must select suitable procedures for resetting passwords.

It is important when selecting a password reset procedure to specify flexible policies for resetting passwords. A rigidly defined policy is impractical in most cases in the mobile working world encountered today. On the one hand, the procedure should meet the protection requirement of the particular password, and on the other hand, the access requirements of the users must be taken into account.

The approach adequate for a given organisation depends on a number of factors, for example on the size of the organisation, the number of employees, the geographic distribution of the employees (are they always on site, are they often at customers, how can they be reached etc.), and naturally on the protection requirements of the information and business processes protected by the password (access only to a local IT system, to a LAN, to an internal network from outside, to an Internet mailbox etc.).

Note: The usual authentication procedure using a user name and password is generally suitable for normal protection requirements. Stronger authentication procedures should be used for higher protection requirements, for example in combination with a chip card, USB token, or one-time password procedure.

In the following, the advantages and disadvantages of several methods for resetting passwords are illustrated. A procedure can then be selected that is appropriate for the particular application.

In writing by mail or fax

In this case, a form on which the user must enter his name and sign is used to request a password reset. This form must then be sent by mail or fax to the Support department. This procedure is thorough, especially when the forms are archived. One disadvantage of this method, though, is that it may take some time (depending on the size of the organisation) until the form reaches Support department by (in-house) mail. To prevent unauthorised persons from simply resetting a password in the name of an authorised user when using this method, there should be signatures of the authorised users available for comparison. The person processing the form in the Support department must then compare the signature on the form to the stored signature.

The person handling the form in the Support department could then send a reply containing the new password by mail or fax.

When sending by fax, it is generally impossible to ensure that the user is the only person to have received the password. When sending by mail, a sealed envelope could be used. The disadvantage of sending by mail is (again) the longer delivery time.

By telephone without additional safeguards

The simplest method is to inform the users that they have to reset their password by calling them on the telephone. However, secure verification of the identity of the user is more complicated in this case. The Support department must be able to identify a user based on his/her voice. This solution can be used in organisations that are small enough so that it is possible for the employees to identify each other by voice on the telephone.

It is not enough just to check the telephone number. The number displayed may have been forged, for example. An attacker could also exploit the absence of an employee to call the Support department from this employee's office. Precisely this scenario is the primary method used in social engineering attacks, which means that passwords must not be reset based on a simple call alone. Therefore, this method should not be used, if possible.

By telephone plus a password reset challenge question

To make changing a password by telephone easier, the Support department can also ask for additional knowledge or information that was stored in advance. Examples include, for example, the birth date or personnel number of the employee (this information is easy to obtain, though). Another example is a keyword that the user can easily remember but is hard to guess. It is recommended in this case not only to store one keyword, but several keywords, and possibly to store an appropriate question for each keyword. For example, a question such as "What is the name of the pet you had when you were 10 years old?" could be stored in the Support department together with the correct answer.

When using this method, standard password reset challenge questions such as "What is your father's first name?" should not be used since it is easy to find the answers to such questions.

Verification of identity using information stored in advance

When a user requests a password reset by telephone, it is possible to use information stored when the user registered for the purpose of verifying their identity. This could include, for example, an employee code, date of birth, or similar information. A disadvantage of this method is that most of the information obtained in advance is widely known and can usually be found quickly with a little research on the Internet.

Meeting in person

In this case, the user must go directly to a certain person and request the password reset. Depending on the size of the organisation, this person could be a supervisor, a specialist, or an employee in the Support department.

In any case, this person should be authorised to approve the (re-)granting of access rights and to set them up accordingly or delegate this task to someone else.

Asking someone trustworthy to act as a representative

With this method, the user could ask a colleague, for example, to send a signed email to Support in which the colleague requests the password to be reset. It is then possible to check who sent the request based on the cryptographic signature. If the sender was not actually asked by another user to send the password reset request, then it is possible to prove later on that an attack was made.

The new password could be sent in an encrypted email to the person acting as a representative, who would then inform the corresponding user. In addition, the user should be informed that his/her password was reset so that it is possible to detect an attack if this method is misused.

This approach, though, has the disadvantages that it is only possible in general to detect an attack after the fact and that a third party has knowledge of the reset password.

Resetting to one-time passwords

In general, the Support department should only assign one-time passwords when resetting passwords so that the user has to change this password to a password only the user knows immediately after successfully logging in. In this case, the Support department should make sure not to use the same reset password since such a password quickly becomes common knowledge in an organisation. The character composition of the password should also be complex enough that it is not easy to guess the password.

In addition, the Support department should verify that it is really necessary to reset the password.

Informing a user of the reset password

There are various methods available to inform the employees affected of their new passwords, for example:

Training the Support employees

It is also important for the Support employees to be adequately trained in authorisation management. They should be aware of typical social engineering methods used to gain unauthorised access to information or IT systems, know how to handle problematic cases, and know of flexible possible solutions. Experience has shown that a rigid approach is easier to undermine, especially when the attacker is aware of the approach used, than when the organisation requires the employees to think for themselves. For example, if the organisation specified that user's supervisor must always be informed before a password is reset and this supervisor is not available, then it is better to find a suitable representative than to wait for a long time for the supervisor.

If the protection requirement of the particular password is too high and the Support employee does not want to take responsibility for the password due to the lack of a secure method of informing the employee, then there must be an escalation strategy available for this purpose.

Informing the employees

All users should be informed of what they need to do when they have forgotten a password. In addition, all users should make a record of instances in which they realise that they did not know the correct password when attempting to log in. In addition to simple forgetfulness, such instances could also indicate that an attacker has gained access without authorisation. When in doubt, the users should report such instances to IT Security Management (see S 6.60 Specification of reporting paths for security incidents).

Review questions:

© Federal Office for Information Security. All rights reserved.