It happens every day. Every IT professional has experienced it. It's inescapable. You're working on a detailed project, something urgent that requires massive amounts of concentration, or you are otherwise trying to keep the company ship afloat, and then the request comes in. "My account is locked. Can someone unlock it and reset my password?"
Yes, the dreaded account lockout/password reset request.
You sigh, stop what you're doing and take care of the issue, hoping it's as simple as communicating the new password to the user and that you won't get dragged into a headache of subsequent account lockouts, problems picking a new password ("It keeps saying my password isn't sufficiently complex!"), the new password not being accepted on some system, or some other woeful entanglement that can derail your other efforts.
Let's be clear: IT is there to support the business. A locked or inaccessible account is a work-stoppage issue; employees aren't paid to sit idle. Passwords are a necessary way of life, and account lockouts exist for a security reason: they slow down online password guessing against company accounts and the data behind them.
On a one-off basis, sorting these problems out isn't such a big deal but some days it might seem as if all you're doing is password resets and that negatively impacts your workload (not to mention morale).
Biometric solutions can replace passwords with fingerprint or retinal scanners on hands-on devices, but adoption is not progressing fast enough to satisfy the time management needs of many IT pros. There are better ways to support the organization by advocating technological and strategic approaches. Here are 10 tips, for administrators and end users, to improve account administration and reduce lockouts and resets.
Tips for administrators
1. Review your account policies
Your account policies might need tweaking to reduce the incidence of lockouts or password resets. Are your complexity requirements so stringent that users give up and call for help? Is the minimum password age (the period a user must wait after a change before changing the password again) set so high that someone who mistypes a new password is stuck with it? Are password changes being forced too frequently, or not frequently enough? Is the lockout threshold so low that one stale cached credential trips it, and does the lockout end on its own? In Active Directory these are the Account lockout threshold, Reset account lockout counter after, and Account lockout duration settings; a non-zero lockout duration (15 or 30 minutes, for example) unlocks the account automatically, whereas a value of 0 keeps it locked until an administrator intervenes.
As always, you should check with your security department before making any changes.
2. Document the password details
Make sure you clearly document and provide to all users your company's password requirements, rotation schedule, which systems each account and password applies to, the password environment, and anything else they need to know to manage their accounts. Make it available to new hires as well as current employees.
Also make sure to document how much time is spent by you or your group performing account or password resets. This information may be helpful for the next tip.
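The numbers behind that documentation come out of the Security log on the domain controllers: event 4740 ("A user account was locked out") carries the Caller Computer Name that sent the bad password, and event 4724 ("An attempt was made to reset an account's password") records each reset and who performed it. The following script, added here as an example and not the author's own tooling, summarises both from a flattened export. The four-column CSV layout is an assumption (a script pulling those fields out of Get-WinEvent would produce something like it), the rows are constructed, and the ten minutes per reset is a placeholder to replace with your own measurement. The same-machine-locks-same-user pattern it reports is the classic stale-cached-credential case from the end-user section.

```python
"""Summarise lockouts (event 4740) and password resets (event 4724) from a
Windows Security log export. Example added for this article, not from the
author; the CSV layout is an assumed flattened export and the rows below are
constructed, not real log data."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample. Source is the Caller Computer Name for 4740 (the host
# that presented the bad password) and the operator account for 4724.
SAMPLE_EXPORT = """\
TimeCreated,Id,TargetUser,Source
2017-05-01 08:02:13,4740,jdoe,LAPTOP-JDOE
2017-05-01 08:05:41,4724,jdoe,helpdesk01
2017-05-01 08:31:07,4740,jdoe,LAPTOP-JDOE
2017-05-01 08:40:55,4724,jdoe,helpdesk01
2017-05-01 09:12:30,4740,jdoe,LAPTOP-JDOE
2017-05-01 09:15:02,4724,jdoe,helpdesk01
2017-05-02 10:00:00,4740,asmith,EXCH01
2017-05-02 10:03:12,4724,asmith,helpdesk02
2017-05-02 11:20:45,4724,bjones,helpdesk01
2017-05-03 14:05:00,4740,asmith,EXCH01
"""

LOCKOUT = "4740"
PASSWORD_RESET = "4724"


def parse_events(export_text):
    """Return a list of row dicts with TimeCreated parsed; skip malformed rows."""
    events = []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            row["TimeCreated"] = datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, TypeError, ValueError):
            continue
        events.append(row)
    return events


def lockout_sources(events):
    """Lockouts counted per (user, caller computer)."""
    return Counter((e["TargetUser"], e["Source"])
                   for e in events if e["Id"] == LOCKOUT)


def repeat_offenders(events, min_lockouts=3):
    """Users locked out at least min_lockouts times from the same machine:
    the signature of a stale password cached on that machine."""
    return {user: (source, n)
            for (user, source), n in lockout_sources(events).items()
            if n >= min_lockouts}


def reset_workload(events, minutes_per_reset=10):
    """Estimate staff time spent on resets. minutes_per_reset is an assumed
    per-ticket cost; measure your own and adjust."""
    resets = [e for e in events if e["Id"] == PASSWORD_RESET]
    return {
        "resets": len(resets),
        "estimated_hours": len(resets) * minutes_per_reset / 60,
        "by_operator": dict(Counter(e["Source"] for e in resets)),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    print("Repeat lockouts:", repeat_offenders(evs))
    print("Reset workload:", reset_workload(evs))
```

Run against a real export, the repeat-offender list is the one to act on first: fixing the stale credential on LAPTOP-JDOE removes three lockouts and three resets in a single morning, which is worth more than any policy change.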
3. Use a self-service product
If your security team approves, it's possible to let users unlock their own accounts and/or reset their own passwords. ManageEngine's ADSelfService Plus, Jiji Self Service Password Reset and Specops Password Reset are three examples of commercial products that handle account unlocking and password resets.
Products of this nature verify identity with security questions, a code or link sent by email or text, or multi-factor authentication before the user may proceed. That verification step is the entire security boundary of a self-service reset, so choose it with care: security-question answers are often guessable or publicly discoverable, and a new password sent by email or SMS travels in the clear, so prefer a second factor the user enrolled in advance and let the user set the new password rather than receive one. Such products are generally easy to set up and administer, making them a sound investment of time and capital considering the labor savings (and stress reduction) they can provide.
4. Reduce environmental complexity
Users as well as IT staff may have to put up with some real headaches if you have a complex environment. Multiple password "islands", where some systems use standalone authentication, some synchronize credentials among a select few other systems, and some rely on a centralized server for access, make it very difficult to keep track of which ID goes with which password on which system or service. This is rampant in big companies, which often have a slew of in-house and cloud-based systems.
A first step toward a single password is centralized authentication: servers and applications authenticate users over Lightweight Directory Access Protocol (LDAP) or Kerberos against the Active Directory domain controllers, so there is one credential even though users still log in to each system separately. Single sign-on goes a step further by authenticating the user once and issuing a session or token that the other systems accept. Third party products that provide this include Okta Single Signon, OneLogin Secure Single Signon Solution, and Centrify Identity Service.
If you have Linux servers in place, a poor administrator's solution is a cron job that rsyncs /etc/shadow, /etc/passwd and /etc/group from a single source server to the target servers, say every five minutes, so that users change their password on the source server and the change replicates everywhere. Understand what you are trading for that convenience before you do it: the copy must run over SSH, because /etc/shadow holds every user's password hash; the targets' own local accounts (root and service accounts included, possibly with different UIDs) are silently overwritten, so one mistake on the source locks every server at once; and every server now holds every hash, so compromising one exposes them all. Joining the Linux servers to the directory (for example with SSSD against Active Directory) gives the same single password without shipping the hash database around.
5. Delegate to another group
The simplest solution of all to account/password resets? Don't do them. Hand them off to someone else. Establish a Tier 1 help desk or another outside party or group and let them own it, and give them a written identity-verification procedure to follow before any reset, because a help desk that resets passwords on the strength of a phone call is the classic social-engineering entry point. Of course, to ensure this transition is successful you'll have to be hard-hearted and resist the temptation to unlock someone's account "just this once."
Tips for end users
I'll be blunt here and speak from experience: password management isn't a new concept, so users have to step up and take responsibility for owning their passwords. IT staff routinely have too many fires to fight, and goodwill tends to evaporate when you lock your account out with every password change. These tips for end users should help improve the situation.
1. Use a password manager
The simplest and easiest way to keep track of your passwords is to use a password manager like KeePass or Password Safe. I've used both and they work well for both business and personal account management. Each product is free and stores your passwords in an encrypted database protected by a master password (which you should obviously memorize and not write down). You can save passwords and copy/paste them as needed, so you never have to type or even know the password.
2. Use better password techniques
A few simple tricks can help you pick more effective and useful passwords. A pilot friend of mine uses an eight-character password which always has the same last five characters. He changes the first three characters to an airport code (BOS for Boston, SFO for San Francisco, etc.) and just pictures the city representing the airport code when he needs to remember his password.
Mnemonic tricks of this kind can be useful. Consider using "password phrases" rather than regular passwords. For instance, 0range c0w bl3nder (with the letter "o" replaced by the number "0" and the letter "e" by the number "3") is simple to remember and will fit most password requirements. It's quite easy in the summer time to envision an orange cow handing out a blender of icy beverages. Be clear about where its strength comes from, though: the length of a three-word phrase, not the substitutions. Swapping 0 for o and 3 for e is among the first rules a password-cracking tool applies to its wordlist, so a single word dressed up that way offers little protection, and a fixed suffix with a rotating prefix, as in the airport scheme above, is a memory aid rather than a defence, since anyone who learns one of those passwords can guess the next. You might also think of a specific phrase, "We love Boston in the spring 2017", then pick the first letter of each word to form a password like Wlbits2017. This works especially well with the prior tip.
You should also pick passwords with the right "keyboard flow", so that you type the characters in a comfortable pattern. There's nothing more awkward than pecking at keys from all corners of the keyboard, and the resulting typos can lock an account. Comfortable is not the same as adjacent, however: runs of neighbouring keys such as qwerty, asdfgh or 1qaz2wsx are "keyboard walks" that appear in every cracking wordlist, so the flow should come from a phrase you know, not from the layout of the keys.
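To make the two caveats above concrete, here is a small checker, added for this article rather than taken from the author, that looks at a candidate password the way a cracking rule set would: it undoes the common character substitutions before looking for dictionary words, flags runs of adjacent keys, and lets a phrase pass only on length. The substitution table and keyboard rows are assumptions modelled on common cracking rules, and WORDS is a constructed stand-in for a real wordlist.

```python
"""See a candidate password the way a cracker's rule set sees it. Example
added for this article, not the author's; the substitution table and
keyboard rows are assumptions modelled on common cracking rules, and WORDS
is a constructed stand-in for a real wordlist."""
import re

# Undo the character swaps that people (and rule files) use most often.
LEET_UNDO = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                           "7": "t", "@": "a", "$": "s"})

# Constructed mini wordlist; a real check would load a dictionary file.
WORDS = {"orange", "cow", "blender", "password", "boston", "spring",
         "love", "summer", "secret"}

# Physical rows of a US keyboard, for spotting "keyboard walks".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_keyboard_walk(pw, min_run=4):
    """True if pw contains min_run adjacent keys from one keyboard row in
    either direction, e.g. 'qwer', 'asdf' or '0987'."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_run + 1):
            seg = row[start:start + min_run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def dictionary_words(pw):
    """Words recovered after undoing substitutions and splitting on
    anything that is not a letter."""
    plain = pw.lower().translate(LEET_UNDO)
    return [t for t in re.findall(r"[a-z]+", plain) if t in WORDS]


def assess(pw):
    """Return (verdict, reasons). Dictionary hits only count against a
    password when fewer than three are found: one word plus substitutions is
    a couple of rule applications away from the wordlist, whereas a
    three-word phrase is carried by its length."""
    reasons = []
    if len(pw) < 12:
        reasons.append("short")
    if is_keyboard_walk(pw):
        reasons.append("keyboard walk")
    hits = dictionary_words(pw)
    if hits and len(hits) < 3:
        reasons.append("dictionary word(s): " + " ".join(hits))
    return ("weak" if reasons else "acceptable"), reasons


if __name__ == "__main__":
    for candidate in ["0range c0w bl3nder", "P@ssw0rd", "qwerty123456"]:
        print(candidate, "->", assess(candidate))
```

The three sample candidates show the point: P@ssw0rd collapses to "password" in one pass and is short besides, qwerty123456 meets a length rule yet is a keyboard walk, and 0range c0w bl3nder is made of three dictionary words but is long enough that the substitutions were never what protected it.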
3. Maintain good security practices
It may sound like security has no bearing upon managing or remembering your password, but there are subtle ties between the two concepts.
If you can avoid it, don't save passwords in a web browser, mail client, mapped drive or mobile device: after you change the password, the stale copy keeps being presented automatically, and a few retries are enough to lock the account again (the trade-off is tedium, such as typing your email password on your phone every time you want to check your inbox).
Speaking of your email account, guard that password well, since your mailbox likely holds the proverbial "keys to the kingdom" for other accounts: automated password reset links will be sent there. Someone who compromises your email account can then use it to reset your passwords elsewhere and wreak major havoc.
Make sure you're aware of where you are logged in and on which device, and ensure you change your password across the board when the time comes. Keep a list, if you have to.
4. Use the same passwords where feasible
This one might be controversial, so let me explain. Obviously using the same password for your email, phone, computer, bank account, credit card accounts, movie tickets website, social media websites, etc. is a very bad idea.
However, if you have access to several development, test or other low-level systems, using one password on all of them is defensible only when those systems are genuinely isolated: not joined to the corporate directory, holding no copies of production data, and with no network trust to production. Attackers routinely pivot from an unimportant box to an important one with a password found on the first, so a password shared across test systems must not appear anywhere else, and a password manager makes unique passwords as cheap to use as a shared one. If you do share one, update it across all applicable locations when it changes to ensure consistency.
5. Be proactive
I manage some systems which don't notify users in advance that their password will change soon. Therefore, they only find out their password expired when they attempt to log in, and this leads to poor password choices or problems authenticating with the new password.
I often recommend users set reminders to change their passwords before they actually expire. This is as simple as creating a recurring Outlook task or appointment.
Also, keep track of when your password will expire even if you do get advance notification (such as in Active Directory environments): on a domain-joined Windows machine, net user yourname /domain prints the "Password expires" date, and on Linux, chage -l yourname does the same. If you know you'll be out on the day your password expires (such as on vacation), change it before you leave the office.
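For the systems that give no warning at all, an administrator can generate the reminders from the directory. The script below, added as an example and not the author's own tool, computes each account's expiry from the pwdLastSet attribute, which Active Directory stores as a Windows FILETIME (100-nanosecond ticks since 1 January 1601 UTC), applies the domain's maximum password age, honours the "password never expires" bit (0x10000 in userAccountControl) and the pwdLastSet value of 0 that means "must change at next logon", and lists who is due within a week. The FILETIME epoch and the flag are standard AD behaviour; the accounts, the 90-day maximum age and the reference time NOW are constructed for the demo.

```python
"""Work out when Active Directory passwords expire from pwdLastSet, so that
users on systems that give no warning can be told in advance. Example added
for this article, not the author's. The FILETIME epoch and the
DONT_EXPIRE_PASSWD bit (0x10000 in userAccountControl) are standard AD
behaviour; the accounts, the 90-day maximum age and the reference time NOW
are constructed for the demo."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag
NORMAL_ACCOUNT = 0x200         # userAccountControl flag


def filetime_to_datetime(ft):
    """pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer floor-division of timedeltas is exact; float division would
    # lose precision at 10**16 microseconds.
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def password_expiry(user, max_age):
    """Expiry datetime; None if the password never expires; the string
    'must change' when pwdLastSet is 0 (change required at next logon)."""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWD:
        return None
    if user["pwdLastSet"] == 0:
        return "must change"
    return filetime_to_datetime(user["pwdLastSet"]) + max_age


def expiring_soon(users, max_age, now, warn_days=7):
    """Map of account -> whole days left for passwords expiring within
    warn_days (a negative value means already expired)."""
    out = {}
    for u in users:
        exp = password_expiry(u, max_age)
        if isinstance(exp, datetime) and exp - now <= timedelta(days=warn_days):
            out[u["sAMAccountName"]] = (exp - now).days
    return out


# Constructed sample: a reference time, the domain maximum age, four accounts.
NOW = datetime(2017, 5, 15, 9, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)
USERS = [
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=86))},
    {"sAMAccountName": "asmith", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "newhire", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, days in expiring_soon(USERS, MAX_AGE, NOW).items():
        print(f"{name}: password expires in {days} day(s)")
```

In a real run the USERS list would be filled from an LDAP query for sAMAccountName, pwdLastSet and userAccountControl, and the maximum age from the domain's password policy; the integer FILETIME arithmetic matters because the tick values are around 10 to the 17th and do not survive a round trip through floating point.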
Hopefully these tips prove useful to you, whether you manage or use technology. If you have any insights or recommendations to share, please let me know in the comments section!
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.