What is the best method for issuing passwords to new users? I find it unsafe that the help desk or sysadmins give out the initial password, even though the user will be prompted to change it after he or she first logs on.
On one hand, what you describe is the proper practice for issuing passwords to new users, or for resetting lost passwords for existing users. Giving out a temporary password that has to be changed on the first log on is the best way to go. On the other hand, giving out a "password" for that initial password isn't such a good idea.
Such a situation can be easily abused by social engineers. If a malicious user, whether inside the company or not, knew this, they could easily call in, claim to need a password reset and impersonate a legitimate user. So what can you do to avoid this?
First, all initial passwords issued should be unique to each user. Help desk staff shouldn't be giving out the same passwords, or passwords based on a simple easy-to-guess formula such as a variation of the user ID.
Most authentication systems, including Active Directory, have a feature that can be set in users' account requiring them to change their passwords after the first log on. In addition, Group Policy Objects (GPO) in Windows Server 2003, for example, can be configured to set a required password length and complexity that will make a user's password harder to guess or crack.
Even then, the security for issuing initial passwords can be improved. Here are some additional suggestions and best practices for your help desk and system administrators:
- Always give a unique password to each new user, or existing user requiring a reset. Avoid easy-to-guess formulas.
- Set a time limit on the new temporary password. It should only be used once and then must be activated within, say, 24 hours. Otherwise, it expires and the user has to call in again for a fresh password. Don't allow temporary passwords to be permanent or usable forever.
- Keep records of all requests for new passwords or resets. Use the records during periodic audits for stale accounts. Check for patterns. Regular requests for resets from the same person or department could be an indication of something fishy.
Generally speaking though, issuing a temporary password that must be changed on the next log on is a best practice for securing user credentials.
Dig deeper on Password Management and Policy
Related Q&A from Joel Dubin, past SearchSecurity.com expert
The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access ...continue reading
Picture passwords for mobile device security aren't a new idea, but they have been recently improved. Identity and access management expert Joel ...continue reading
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.