Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > How to safely issue passwords to new users
Ask The Security Expert: Questions & Answers
EMAIL THIS

How to safely issue passwords to new users

Joel Dubin, past SearchSecurity.com expert EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 21 September 2006
What is the best method for issuing passwords to new users? I find it unsafe that the help desk or sysadmins give out the initial password, even though the user will be prompted to change it after he or she first logs on.

>
On one hand, what you describe is the proper practice for issuing passwords to new users, or for resetting lost passwords for existing users. Giving out a temporary password that has to be changed on the first log on is the best way to go. On the other hand, giving out a "password" for that initial password isn't such a good idea.

Such a situation can be easily abused by social engineers. If a malicious user, whether inside the company or not, knew this, they could easily call in, claim to need a password reset and impersonate a legitimate user. So what can you do to avoid this?

First, all initial passwords issued should be unique to each user. Help desk staff shouldn't be giving out the same passwords, or passwords based on a simple easy-to-guess formula such as a variation of the user ID.

Most authentication systems, including Active Directory, have a feature that can be set in users' account requiring them to change their passwords after the first log on. In addition, Group Policy Objects (GPO) in Windows Server 2003, for example, can be configured to set a required password length and complexity that will make a user's password harder to guess or crack.

Even then, the security for issuing initial passwords can be improved. Here are some additional suggestions and best practices for your help desk and system administrators:

  1. Always give a unique password to each new user, or existing user requiring a reset. Avoid easy-to-guess formulas.

  2. Set a time limit on the new temporary password. It should only be used once and then must be activated within, say, 24 hours. Otherwise, it expires and the user has to call in again for a fresh password. Don't allow temporary passwords to be permanent or usable forever.

  3. Keep records of all requests for new passwords or resets. Use the records during periodic audits for stale accounts. Check for patterns. Regular requests for resets from the same person or department could be an indication of something fishy.

Generally speaking though, issuing a temporary password that must be changed on the next log on is a best practice for securing user credentials.

More information on passwords:

  • Do you know your help desk? Make sure you know how to verify password changes coming from system administrators.
  • Learn how personal relationships can threaten your password security.


    • BROWSE BY TAG
    Identity Management and Access Control,   Password Management and Policy,   Enterprise Identity and Access Management,   Identity Management Technology and Strategy,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Identity Management and Access Control
    How to find and remove keyloggers and prevent spyware installation
    How to encrypt passwords using network security certificates
    Prevent meet-in-the-middle attacks with TDES encryption
    How to use single sign-on (SSO) for a server configuration
    Choosing management for Active Directory user provisioning
    LDAP signing requirements for various directory configurations
    User account best practices for an investment management website
    How to determine password strength for a website
    The pros and cons of implementing smart cards
    Keep files from being deleted by assigning read and execute permission

    Password Management and Policy
    Torrent phishing scheme trips up Twitter users
    Microsoft, security firms warn of password meltdown
    How to find and remove keyloggers and prevent spyware installation
    How to encrypt passwords using network security certificates
    Two-factor authentication, vigilance foil password theft
    Group to shed light on secure identity management threats
    How to determine password strength for a website
    Prevent password cracking with password management strategies
    Brute force attacks target Yahoo email accounts
    Best Identity and Access Management Products

    Expert Archive: Identity Management and Access Control
    Enterprise password management policy: Finding the balance
    How to conduct a periodic user access review for account privileges
    Options for a mechanical door security system on a server room door
    Comparing access control mechanisms and identity management techniques
    User provisioning and SSO for PeopleSoft- and Unix-based products
    Could someone place a rootkit on an internal network through a router?
    Should a new user have to confirm an email address to gain access?
    Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
    What should an enterprise look for in a password token and a vendor?
    Using batch files for temporary user access to the local admin group

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    graphical password  (SearchSecurity.com)
    identity access management (IAM) system  (SearchSecurity.com)
    identity chaos  (SearchSecurity.com)
    masquerade  (SearchSecurity.com)
    onboarding and offboarding  (SearchSecurity.com)
    OpenID  (WhatIs.com)
    salt  (SearchSecurity.com)
    session replay  (SearchSecurity.com)
    single-factor authentication (SFA)  (SearchSecurity.com)
    war dialer  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts