What is the best method for issuing passwords to new users? I find it unsafe that the help desk or sysadmins give out the initial password, even though the user will be prompted to change it after he or she first logs on.
On one hand, what you describe is the proper practice for issuing passwords to new users, or for resetting lost passwords for existing users. Giving out a temporary password that has to be changed on the first log on is the best way to go. On the other hand, giving out a "password" for that initial password isn't such a good idea.
Such a situation can be easily abused by social engineers. If a malicious user, whether inside the company or not, knew this, they could easily call in, claim to need a password reset and impersonate a legitimate user. So what can you do to avoid this?
First, all initial passwords issued should be unique to each user. Help desk staff shouldn't be giving out the same passwords, or passwords based on a simple easy-to-guess formula such as a variation of the user ID.
Most authentication systems, including Active Directory, have a feature that can be set in users' account requiring them to change their passwords after the first log on. In addition, Group Policy Objects (GPO) in Windows Server 2003, for example, can be configured to set a required password length and complexity that will make a user's password harder to guess or crack.
Even then, the security for issuing initial passwords can be improved. Here are some additional suggestions and best practices for your help desk and system administrators:
Generally speaking though, issuing a temporary password that must be changed on the next log on is a best practice for securing user credentials.
10 Oct 2006