Password reset questions are essential for your users to manage their access. Without this option in place, you will end up forcing users to contact the help desk much more often. As with other security processes, it is easy to make password reset questions too complicated or difficult to use. To make life easier for your employees, use these password management tips to balance the need for security and business productivity. Set an appointment on your calendar for two hours to explore these seven tips. You’re guaranteed to find security improvement options!
1) Offer 5 Pre-made Questions
Users already have to come up with a password that meets your complexity requirements. That’s why you should password reset questions easier to manage. Keep in mind that some hackers will attempt to gain unauthorized access by cracking password reset questions. Therefore, you will want to avoid easy to guess questions (e.g. “what color is your car?”).
As a starting point, use these standard password reset questions to get started.
- What was the name of your first manager at your first job?
- What was your favorite subject in high school?
- What is your employee ID number?
- Where did you go on your favorite vacation as a child?
- What is the name of the road you grew up on?
Tip: If somebody can guess an answer to a question by checking a person’s LinkedIn or Facebook profile, that is a sign you have a terrible reset question. Go back to the drawing board to generate more reset question ideas.
2) Offer User-Created Password Created Questions
While more complex to administer, providing user-created password questions is an excellent idea. In this case, you are empowering your employees. However, there is a risk to keep in mind. Some employees may choose questions and answers designed solely for convenience (e.g. “what is my name?”). Reduce the risk of high-risk password questions by offering examples of effective and ineffective password reset questions.
3) Define the Number of Acceptable Attempts
In password management, it is standard practice to give users one to three login attempts before locking them out. The same method also needs to apply to password reset questions. Without this precaution in place, you will end up exposing your organization to increased hacking risk. As a rule of thumb, we recommend limiting answer attempts to no more than three. After that, direct users to contact your help desk for password support.
4) Make It Easy to Access Password Resets
Employees need to be able to find your password reset tool easily. Fortunately, this is simple to implement. Add a link to a password reset on your login pages. In some cases, you may not be able to add this link to application and system logins. In those cases, add a prominent link to your password reset tool on your IT security or IT help desk webpage on your intranet.
Tip: Does your organization use tools like Slack and Skype? In that case, use Apollo to provide 24/7 password resets directly through these collaborative tools.
5) Require Answers Be Entered Twice During Setup
During password setup, users are generally required to enter their password twice. This practice is a simple way to help users to memorize their new passwords. Therefore, apply the same discipline to your password reset questions. Users who enter the answers to security questions twice are more likely to remember them.
6) Expire Password Reset Questions For High-Risk Access
In IT security management, there are different risks to manage. For example, controlling read-only access to a system is relatively low risk. On the other hand, there is a high risk associated with “system admin” or privileged user access to a finance system or customer relationship management system. These distinctions are relevant to password reset questions. Once you identify your high-risk systems, require employees to update password reset questions periodically, such as every six months.
7) Supplement Passwords With Other Authentication Options
Convenient, easy to use password reset questions are helpful. That said, it is important to realize the limitations of passwords, even highly complex passwords. Once you have fine-tuned your password system, your IT security work is not done. Specifically, you need to look at supplemental security systems like multi-factor authentication.
Multi-factor authentication (also called two-factor authentication) is an excellent way to add further security to password changes. Let’s say a determined hacker gains system access by guessing the answers to password reset questions. In a simple system, that hacker would be seconds away from accessing your systems. However, you can stop many of those attacks by adding in multi-factor authentication.
Beyond Password Reset Questions: Two Ways to Make IT Security Easier For Your Employees
Protecting your organization from security threats requires constant vigilance. If you’ve never offered security training to staff, start with employee password training. That will help raise awareness for security and the role everyone plays in security. Beyond employee training and support, adding more IT security automation software is helpful.
Reduce The Number of Passwords Employees Need to Remember
Companies that expect employees to memorize dozens of corporate passwords are asking for trouble. For non-security professionals, keeping track of passwords is a significant hassle. To reduce the burden on your employees, put a single sign-on (SSO) software solution in place. That means your employees only have to keep track of a single password to get their work done.
Make Password Resets Embarrassment Free and Fast For Employees
Nobody enjoys looking foolish. That human reality applies to passwords. Some of your employees are going to be reluctant to ask for password resets. Therefore, they might write down passwords in notebooks, scraps of paper or phones. These practices increase the chance of passwords falling into the wrong hands. Do your employees a favor by making it embarrassment free to get a new password. Simply use Apollo, a specialized IT security chatbot, to get support. Instead of waiting on a phone queue, users can get password help by Slack, Skype, intranet and other ways.
