How to reduce user account lockouts and password resets
It happens every day. Every IT professional has experienced it. You’re working on a detailed project (something urgent that requires massive amounts of concentration), or you are otherwise trying to keep the company ship afloat, and then the request comes in. “My account is locked. Can someone unblock it and reset my password?”
The dreaded account lockout/password reset request. You sigh, stop what you’re doing, then take care of the issue, hoping it’s as simple as communicating the new password to the user and that you won’t get dragged into a headache of subsequent account lockouts, problems picking a new password (“It keeps saying my password isn’t sufficiently complex!”), the new password not being accepted on the system, or some other woeful entanglement that can derail your other efforts.
Let’s be clear: IT is there to support the business. A locked or inaccessible account represents a work-stoppage issue. Employees aren’t there to be paid for doing nothing. Passwords are a necessary way of life, and account lockouts occur for security reasons to reduce threats to company data.
On a one-off basis, sorting these problems out isn’t such a big deal, but some days it might seem as if all you’re doing is password resets, and that negatively impacts your workload (not to mention morale).
Biometric solutions are capable of replacing passwords with fingerprint or retinal scanners on hands-on devices, but adoption is not progressing fast enough to satisfy the time management needs of many IT pros. There are better ways to support the organization by advocating technological and strategic approaches. Here are 10 tips for both administrators and end-users to improve account administration and reduce lockouts and resets.
Tips for administrators
Review your account policies
Your account policies might need tweaking to reduce the incidence of lockouts or password resets. Are your password requirements too stringent? Is password aging (the minimum time users must wait before they can change their password again) set too high? Are password changes being forced too frequently, or not frequently enough? Is it possible to configure accounts to automatically unlock after a certain period of time? As always, check with your security department before making any changes.
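As an added example (not from the article), here is how a domain administrator can read the settings the questions above refer to, see who is actually locking out and why, and then adjust the lockout policy so accounts unlock on their own. It assumes the ActiveDirectory RSAT module, rights to read the Security log on the PDC emulator, and that the threshold and duration values chosen in step 4 have been agreed with the security team.

```powershell
# Added example: audit lockout policy and recent lockouts before changing anything.
# Assumes the ActiveDirectory module (RSAT) and read access to the PDC emulator's
# Security log, where account lockout events (ID 4740) are recorded.
Import-Module ActiveDirectory

$ObservationDays = 7                                # assumed look-back window
$PdcEmulator     = (Get-ADDomain).PDCEmulator       # lockouts are logged here

# 1. The policy knobs the article asks you to review.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow,
                  MinPasswordAge, MaxPasswordAge, ComplexityEnabled, PasswordHistoryCount

# 2. Who is locked out right now.
Search-ADAccount -LockedOut |
    Select-Object SamAccountName, AccountLockoutTime, LastLogonDate

# 3. Lockouts over the last week, grouped by user, with the calling computer.
#    Repeat lockouts from one device usually mean a stale saved password
#    (phone mail client, mapped drive, scheduled task) rather than a forgetful user.
$events = Get-WinEvent -ComputerName $PdcEmulator -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$ObservationDays)
}
$events | ForEach-Object {
    [pscustomobject]@{
        User   = $_.Properties[0].Value    # TargetUserName
        Caller = $_.Properties[1].Value    # caller computer name
        When   = $_.TimeCreated
    }
} | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Callers'; e = { ($_.Group.Caller | Sort-Object -Unique) -join ', ' } }

# 4. Let accounts unlock themselves after 30 minutes instead of waiting for an admin.
#    Threshold and duration are example values; the observation window must not
#    exceed the lockout duration.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
```

Run steps 1 to 3 on their own first; the grouped output from step 3 is also the record of reset and lockout volume that the next tip asks you to keep.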
Document the password details
Make sure you clearly document and provide all users with your company’s password requirements, rotation schedule, which accounts and passwords apply to which systems, the password environment, and any other elements they need to know to manage their accounts effectively. This should be made available to new hires as well as current employees. Also, be sure to document how much time you or your group spend performing account unlocks or password resets.
Use a self-service product
If your security team approves, it’s possible to let users unlock their own accounts and/or reset their own passwords. ManageEngine’s ADSelfService Plus, Jiji Self Service Password Reset and Specops Password Reset are three examples of commercial products that can handle account unlocking and password resets.
Products of this nature can rely on security questions, the capability to email or text new passwords to end users, and multi-factor authentication, so users must verify their identities before proceeding. Such products are generally easy to set up and administer, making them an ideal investment of time and capital considering the labor savings (and stress reduction) they can provide.
Reduce environmental complexity
Users, as well as IT staff, may have to put up with some real headaches if you have a complex environment. Multiple password “islands”, where some systems use standalone authentication, some synchronize credentials among a select few other systems, and some rely on a centralized server for access, can make it difficult to keep track of which ID goes with which password on which system or service. These islands are rampant in big companies, which often have a slew of in-house and cloud-based systems.
It’s possible to employ a single sign-on solution whereby servers rely on the Lightweight Directory Access Protocol (LDAP) to authenticate users against Active Directory domain controllers. There are also third-party products that can perform similar functions, such as Okta Single Sign-On, OneLogin Secure Single Sign-On Solution and Centrify Identity Service.
If you have Linux servers in place, a poor administrator’s solution can be to write a simple cron job that rsyncs the /etc/shadow, /etc/passwd and /etc/group files (and with them every user’s password hash) from a single source server to the other target servers. Users could then administer their passwords on the source server and the changes would replicate to all the other systems, say, every five minutes.
Delegate to another group
The simplest solution of all to account/password resets? Don’t do them. Hand them off to someone else. Establish a Tier 1 help desk or another outside party or group and let them own it. Of course, to ensure that this transition is successful, you’ll have to be hard-hearted and resist the temptation to unlock someone’s account “just this once”.
Tips for end-users
I’ll be blunt here and speak from experience: password management isn’t a new concept, so users have to step up and take responsibility for owning their passwords. IT staff routinely have too many fires to fight, and goodwill tends to evaporate when you lock yourself out with every password change. These tips for end-users should help improve the situation.
Use a password manager
The simplest and easiest way to keep track of your passwords is to use a password manager like KeePass or Password Safe. I’ve used both and they work well for both business and personal account management. Each product is free and uses an encrypted database with a master password (which you should obviously memorize and not write down). You can save passwords and copy/paste them as needed, making it unnecessary to type or even know the password.
Use better password techniques
A few simple tricks can help you pick more effective and useful passwords. A pilot friend uses an eight-character password that always has the same last five characters. He changes the first three characters to an airport code (BOS for Boston, SFO for San Francisco, etc.) and just pictures the city represented by the airport code when he needs to remember his password.
Mnemonic tricks like this can be useful. Consider using “password phrases” rather than regular passwords. For instance, Orange c0w 3lender (where the letter “o” is replaced by the number “0” and the letter “b” by the number “3”) is simple to remember and will fit most password requirements. It’s quite easy in summertime to envision an orange cow handing out a blender of icy beverages. You might also think of a specific phrase, such as “We love Boston in the Spring 2017”, then take the first letter of each word to form a password like Wlbits2017. This works especially well in combination with the prior tip.
You should also pick passwords with the right “keyboard flow”, whereby you type the characters in a comfortable pattern, left to right across the keyboard for instance. There’s nothing more awkward than having to peck at keys from all sections of the keyboard, and this can result in account lockouts due to simple typos.
Maintaining good security practices
It may sound like security has no bearing upon managing or remembering your password, but there are subtleties between the two concepts.
If you can avoid it, don’t save passwords (in a web browser, for instance); once your password changes, a saved copy of the old one might end up locking your account. (Obviously, this tip can produce some tedium, such as having to type your email password on your phone every time you want to check your inbox.)
Speaking of your email account, guard its password well, since your email account likely holds the proverbial “keys to the kingdom” for other accounts: automated password reset notifications will likely go there. If someone compromises your email account, they could then use it to reset your password(s) elsewhere and wreak major havoc.
Make sure you’re aware of where you are logged in and on which device and change your password across the board when the time comes. Keep a list if you have to.
Use the same passwords where feasible
This one might be controversial, so let me explain. Of course, using the same password for your email, phone, computer, bank account, credit card accounts, etc. is a very bad idea.
However, if you have access to several test or other low-level systems that pose no security risk if compromised, using MyPass2017 as your password on all of them is a no-brainer. Update this password across all applicable locations when it changes to ensure consistency.
Track password expiration
I manage some systems that don’t notify users in advance that their password will change soon. Therefore, users only find out their password has expired when they attempt to log in, and this leads to poor password choices or problems authenticating with the new password.
I often recommend users set reminders to change their passwords before they actually expire. This is as simple as creating a recurring Outlook task or appointment.
Also, keep track of when your password will expire even if you do get an advance notification (such as in Active Directory environments). If you know you’ll be out on the day your password expires, be sure to change it before you leave the office.
Resource Credit | TechRepublic