
How to safely issue passwords to new users

In this Ask the Expert Q&A, our identity management and access control expert Joel Dubin offers tips on safe password distribution, and reviews the common mistakes that help desks and system administrators make when issuing new passwords.

What is the best method for issuing passwords to new users? I find it unsafe that the help desk or sysadmins give out the initial password, even though the user will be prompted to change it after he or she first logs on.

On one hand, what you describe is the proper practice for issuing passwords to new users, or for resetting lost passwords for existing users. Giving out a temporary password that has to be changed on the first log on is the best way to go. On the other hand, using a fixed value such as "password" as that initial password isn't such a good idea.

Such a situation can be easily abused by social engineers. If a malicious user, whether inside the company or not, knew this, they could easily call in, claim to need a password reset and impersonate a legitimate user. So what can you do to avoid this?

First, all initial passwords issued should be unique to each user. Help desk staff shouldn't be giving out the same passwords, or passwords based on a simple easy-to-guess formula such as a variation of the user ID.

Most authentication systems, including Active Directory, have a per-account setting that requires users to change their passwords after the first log on. In addition, Group Policy Objects (GPOs) in Windows Server 2003, for example, can be configured to enforce a minimum password length and complexity that make a user's password harder to guess or crack.

Even then, the security for issuing initial passwords can be improved. Here are some additional suggestions and best practices for your help desk and system administrators:

  1. Always give a unique password to each new user, or existing user requiring a reset. Avoid easy-to-guess formulas.
  2. Set a time limit on the new temporary password. It should be usable only once, and it must be used within, say, 24 hours. Otherwise, it expires and the user has to call in again for a fresh password. Don't allow temporary passwords to be permanent or usable forever.
  3. Keep records of all requests for new passwords or resets. Use the records during periodic audits for stale accounts. Check for patterns. Regular requests for resets from the same person or department could be an indication of something fishy.
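The three practices above (a unique, randomly generated temporary password per user; single use within a 24-hour window; and a request log that is audited for repeat requesters) can be modelled as one small issuance service. The code below is an added example written for this page, not the expert's or any vendor's implementation: the service name, the user IDs, departments and help-desk operator names are constructed, the 24-hour window comes from the text, and only a salted hash of the temporary password is stored so the help-desk record never contains the password itself.

```python
import hashlib
import hmac
import secrets
import string
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Expiry window for a temporary password (the "say, 24 hours" from the text).
TEMP_PASSWORD_TTL = timedelta(hours=24)
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_temp_password(length: int = 16) -> str:
    """Random per issuance; never derived from the user ID or a fixed formula."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class TempCredential:
    user_id: str
    salt: bytes
    digest: bytes          # salted hash only; the cleartext is handed to the user out of band
    expires_at: datetime
    used: bool = False


@dataclass
class ResetRequest:
    user_id: str
    department: str
    requested_at: datetime
    verified_by: str       # which help-desk operator verified the caller's identity


class TempPasswordService:
    """Hypothetical help-desk service: issues, redeems and audits temporary passwords."""

    def __init__(self) -> None:
        self.credentials: dict[str, TempCredential] = {}
        self.audit_log: list[ResetRequest] = []   # practice 3: keep records of every request

    def issue(self, user_id: str, department: str, verified_by: str, now: datetime) -> str:
        password = generate_temp_password()         # practice 1: unique per user
        salt = secrets.token_bytes(16)
        self.credentials[user_id] = TempCredential(
            user_id, salt, _digest(password, salt), now + TEMP_PASSWORD_TTL)
        self.audit_log.append(ResetRequest(user_id, department, now, verified_by))
        return password

    def redeem(self, user_id: str, candidate: str, now: datetime) -> str:
        """Practice 2: single use, and only inside the expiry window."""
        cred = self.credentials.get(user_id)
        if cred is None:
            return "no_pending"
        if cred.used:
            return "already_used"
        if now > cred.expires_at:
            del self.credentials[user_id]           # stale temp password is discarded
            return "expired"
        if not hmac.compare_digest(_digest(candidate, cred.salt), cred.digest):
            return "wrong_password"
        cred.used = True
        return "must_change_password"               # caller is forced to set a real one now

    def frequent_requesters(self, window: timedelta, threshold: int, now: datetime) -> list[str]:
        """Practice 3: users with `threshold` or more reset requests inside `window`."""
        recent = [r for r in self.audit_log if now - r.requested_at <= window]
        counts = Counter(r.user_id for r in recent)
        return sorted(u for u, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    t0 = datetime(2006, 10, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    svc = TempPasswordService()
    pw = svc.issue("alice", "finance", "helpdesk-1", t0)
    print(svc.redeem("alice", pw, t0 + timedelta(hours=1)))   # must_change_password
    print(svc.redeem("alice", pw, t0 + timedelta(hours=2)))   # already_used
```

The audit query is the part a practitioner tends to skip: a single reset is routine, but a user or department that keeps appearing in the log within a short window is exactly the pattern the text says to look for, and the log only supports that if every request, including the operator who verified the caller, is recorded at issue time.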

Generally speaking though, issuing a temporary password that must be changed on the next log on is a best practice for securing user credentials.

This was first published in October 2006
