Such a situation can be easily abused by social engineers. If a malicious user, whether inside the company or not, knew this, they could easily call in, claim to need a password reset and impersonate a legitimate user. So what can you do to avoid this?
First, all initial passwords issued should be unique to each user. Help desk staff shouldn't be giving out the same passwords, or passwords based on a simple easy-to-guess formula such as a variation of the user ID.
Most authentication systems, including Active Directory, have a feature that can be set in users' account requiring them to change their passwords after the first log on. In addition, Group Policy Objects (GPO) in Windows Server 2003, for example, can be configured to set a required password length and complexity that will make a user's password harder to guess or crack.
Even then, the security for issuing initial passwords can be improved. Here are some additional suggestions and best practices for your help desk and system administrators:
- Always give a unique password to each new user, or existing user requiring a reset. Avoid easy-to-guess formulas.
- Set a time limit on the new temporary password. It should only be used once and then must be activated within, say, 24 hours. Otherwise, it expires and the user has to call in again for a fresh password. Don't allow temporary passwords to be permanent or usable forever.
- Keep records of all requests for new passwords or resets. Use the records during periodic audits for stale accounts. Check for patterns. Regular requests for resets from the same person or department could be an indication of something fishy.
Generally speaking though, issuing a temporary password that must be changed on the next log on is a best practice for securing user credentials.
More information on passwords:
This was first published in October 2006