To prevent being victimized by hackers, help desk workers need education and password management solutions. Securing help desks is an important part of going beyond the simple deployment of a “password reset tool”. In my last job before I joined the Web Active Directory team, I had to contact the help desk a few times after my password had expired. I was surprised each time when I was connected with an individual who I knew from previous encounters was quite technically adept. He was probably a fairly highly paid individual doing some pretty mundane data-entry tasks. I just needed my password reset to a new one.
Maybe Self-Service Password Management Isn’t For Everyone?
But maybe I get it. Maybe a company doesn’t want to allow its end-users to reset or change their passwords or unlock their accounts themselves, even if it has a solution that can validate users with multi-factor authentication like Web Active Directory’s PeoplePassword. Maybe they just haven’t thought about it that much. I was shocked at the probable cost to the company from me having to call the help desk (especially considering the number of end-users like me they had to manage). But this wasn’t the only thing that shocked me.
Good Password Management Isn’t Just About Self-Service
Two things about that encounter shocked me:
- The help desk reset my password to an easily guessable pattern. I didn’t have to change it immediately. It wasn’t going to expire anytime soon.
- When I called, the help desk made no attempt to make sure I was actually “me”.
Unfortunately, we see breaches happening, and the ramifications of this, in many parts of society these days. In hindsight, my experience wasn’t safe enough for the company or for me. The company didn’t think about securing help desks. Good hackers may or may not be able to break secure systems, but they can certainly take advantage of insecure ones. Car thieves victimize those who have left their car unlocked and don’t risk cars with good security systems. Imagine if someone called up and posed as the CEO needing a password reset. For someone practiced in the art of social engineering, it’s not difficult.
Securing Help Desks with PeoplePassword
A good password management solution isn’t just about self-service. With software like Web Active Directory’s PeoplePassword you can empower your help desk to verify users with multi-factor authentication (including verification through SMS, challenge questions, email, etc.) as well as enforce good, sound password policies to give you a better chance against breaches of your users’ accounts and their data. This leaves you less open to the high cost of liability in these cases.