
Creating a password-reset program with corporate text messaging

Learn how to use corporate text messaging as the cornerstone of an enterprise password-reset program in this expert response from Randall Gamby.

Our enterprise wants to create a more secure password-reset system. I know that some enterprises are able to send password reminders via SMS. Is there a way to set this up at my enterprise without buying a new product?

If you have an email system, then you can create a password-reset program by sending a message to any SMS device, assuming the users have registered their telephone numbers and the carriers they use. The issue is: How do you determine that a user's password is about to expire in order to send a reminder?

Assuming this expiration information can be captured, simply create a plain-text email containing fewer than 160 total characters in your email client, and address it to the cellular number at the carrier's email domain. The major US cellular carriers use the following address format, with a limit of 160 characters in the subject and message body combined: <phone number>@carrier_domain.com.

Here are some examples of widely used wireless carrier text message email addresses (the phone number goes before the @):

Carrier            Send email to
Alltel             <phone number>@message.alltel.com
Cingular/AT&T      <phone number>@txt.att.net
Nextel             <phone number>@messaging.nextel.com
Sprint             <phone number>@messaging.sprintpcs.com
SunCom             <phone number>@tms.suncom.com
T-Mobile           <phone number>@tmomail.net
VoiceStream        <phone number>@voicestream.net
Verizon            <phone number>@vtext.com

Remember: The signature block in the message counts toward the 160 characters.
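As an added example (not code from the original answer), here is a Python sketch of the composing side: it builds the gateway address from a user's registered number and carrier using the table above, derives the days until expiry from an assumed last-change date and maximum-age policy, and refuses any reminder whose subject plus body (signature included) would exceed 160 characters. The carrier keys, sender address and signature are constructed assumptions, and it assumes US 10-digit numbers.

```python
import re
from datetime import date, timedelta
from email.message import EmailMessage

# Carrier email-to-SMS domains, taken from the table above (keys are assumed names).
CARRIER_DOMAINS = {
    "alltel": "message.alltel.com",
    "att": "txt.att.net",
    "nextel": "messaging.nextel.com",
    "sprint": "messaging.sprintpcs.com",
    "suncom": "tms.suncom.com",
    "tmobile": "tmomail.net",
    "voicestream": "voicestream.net",
    "verizon": "vtext.com",
}
SMS_LIMIT = 160              # gateway limit: subject and body counted together
SIGNATURE = "-IT Helpdesk"   # constructed signature; it counts toward the limit

def sms_address(phone: str, carrier: str) -> str:
    """Build the gateway address from a registered number and carrier (assumes US 10-digit numbers)."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) != 10:
        raise ValueError(f"expected a 10-digit number, got {phone!r}")
    try:
        return f"{digits}@{CARRIER_DOMAINS[carrier.lower()]}"
    except KeyError:
        raise ValueError(f"unknown carrier {carrier!r}") from None

def days_until_expiry(last_changed: date, max_age_days: int, today: date) -> int:
    """Days left before the password expires under a maximum-age policy (values assumed)."""
    return (last_changed + timedelta(days=max_age_days) - today).days

def build_reminder(phone, carrier, last_changed, max_age_days, today, warn_days=7):
    """Return an EmailMessage addressed to the carrier gateway, or None if no reminder is due."""
    remaining = days_until_expiry(last_changed, max_age_days, today)
    if remaining > warn_days or remaining < 0:   # too early, or already expired
        return None
    subject = "Password expiry"
    body = f"Your password expires in {remaining} days. Change it before then.\n{SIGNATURE}"
    # The carrier counts subject and body together toward the 160-character limit.
    if len(subject) + len(body) > SMS_LIMIT:
        raise ValueError("reminder exceeds the 160-character SMS limit")
    msg = EmailMessage()
    msg["From"] = "helpdesk@example.com"   # placeholder sender address
    msg["To"] = sms_address(phone, carrier)
    msg["Subject"] = subject
    msg.set_content(body)   # plain text only: no HTML, no attachments
    return msg
```

Hand the returned message to smtplib against your own mail relay; the directory lookup that supplies the last-change date is site-specific and left out here.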

Also, it's important to note that it's not a good idea to set up a system where a password reminder is sent as an SMS message after a series of failed login attempts, since you can't guarantee the user's system and phone are always separated. If the user loses his or her laptop bag along with the laptop, the person who finds it may be attempting to log in to the user's account. After three failed attempts, if the bag starts to ring because the user's mobile phone has received a message with the new password, the attacker will have no problem logging into the machine.

As a final note, SMS password reset systems provide an out-of-band communications method to contact the end user. This method is more secure than the typical in-band methods used by most organizations, such as asking a series of security questions whose answers may be easily found on a user's Facebook or LinkedIn profile. But SMS password resets also depend on the user's phone being able to accept SMS messages, on the user having a good carrier signal, on the phone being charged and operational, and on the phone being in the hands of the user and not lost along with his or her workstation. Any of these issues could derail an effective reset process.


This was last published in January 2010
