In the last article, we discussed how to establish appropriate challenge questions to facilitate password self-service. But that’s just half of the password self-service equation. The other half has to do with initial passwords, which is the topic of this article.

Initial passwords

All users are assigned an initial password of some sort, which must be reset at the first login (our systems are all configured to force the user to reset their password at first login, right?). How the challenge questions are implemented will determine how the initial password is set up. There are two choices:

- If users are required to register answers to challenge questions, they need to know their initial password.
- If users’ answers to challenge questions are auto-populated from the HR system, they don’t need to know their initial password.

Let’s take a look at both options…

Auto-populated answers to challenge questions

Let’s start with the easy one. If HR elements will be used to auto-populate the challenge questions for the user, then a completely random password can be generated and assigned to each user. The user should then be directed to the self-service site to reset their own password.

Clearly, the auto-populated answers option is the best choice, if it is possible. Not only does it avoid the need for mass communications and compliance to get users to answer their challenge questions, but it eliminates the need to communicate an initial password. The organization also has somewhat more control over the quality of the answers. All of these things help on the security front.

User-answered challenge questions

Now for the next best option, which may be the only option for many organizations (sorry). When users are required to register challenge questions before using the self-service system, they need to know their initial password. While it may seem like a recipe for disaster, there are benefits and time savings in automating the initial password (especially if you have a very large workforce with a high turnover, as we do at our retail stores).

Consider creating a formula consisting of HR elements so that a unique password can be auto-generated and communicated to users via rules. Elements such as date of birth, initials, date of employment, and middle two digits of social security number (among others) can be used to create the formula (special characters or capitalization can be added if needed to ensure the proper level of password complexity). Since the initial password will be used soon after it is generated, elements with long-term risk of change such as street number of current address could also be used. That’s what makes automated initial passwords easier than automated challenge question responses – because the passwords are used soon after time of hire, and only once, you can get away with using data elements that might not be appropriate for answers that persist indefinitely.

The generated password should be cumbersome and unfriendly enough to encourage the user to register on the self-service system and use it to change their password to something more memorable and desirable, but not so complicated that they can’t get it right and end up calling the help desk. Regrettably, this is much easier said than done – more on that in the next article.
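As an added illustration (not code from the original article or its author), the Python sketch below covers both initial-password options described above: a cryptographically random value for the auto-populated case, and a formula built from HR elements for the user-registered case. Both candidates go through the same complexity check before the account is provisioned with a forced change at first logon. The HR fields, the sample employee, the character set and the specific formula (initials, hire date, street number) are assumptions chosen for the example; the page names other elements as well, and the formula an organization adopts would be its own.

```python
import math
import secrets
import string
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Character classes used both to draw random passwords and to check complexity.
LOWER, UPPER, DIGITS, SPECIAL = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, "!@#$%&*")
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """Minimum bar any initial password must clear before provisioning:
    length plus one character from each class (assumed policy)."""
    return (len(password) >= min_length
            and any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SPECIAL for c in password))


def random_initial_password(length: int = 14) -> str:
    """Auto-populated challenge answers: nobody ever needs to read this value,
    so draw it from the OS CSPRNG and keep the first candidate that passes policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_complexity(candidate):
            return candidate


def random_guess_space_bits(length: int = 14) -> float:
    """Size of the search space for the random option, in bits (length * log2(alphabet))."""
    return length * math.log2(len(ALPHABET))


@dataclass
class HrRecord:
    # Hypothetical HR-feed fields; a real feed would expose whatever elements the
    # formula agreed with HR actually uses.
    first_name: str
    last_name: str
    hire_date: date
    street_number: str


def formula_initial_password(rec: HrRecord) -> str:
    """User-registered challenge answers: derive the password from HR elements so
    the rule, not the value, is what gets communicated to the new hire.
    Layout (assumed): UpperFirstInitial + lowerLastInitial + hire date MMDDYY + '!' + street number.
    The search space here is bounded by the HR fields, which is why the article
    limits this style to a one-time password used shortly after hire."""
    initials = rec.first_name[0].upper() + rec.last_name[0].lower()
    return f"{initials}{rec.hire_date:%m%d%y}!{rec.street_number}"


def provision(username: str, rec: Optional[HrRecord] = None) -> dict:
    """Build the account record. The forced change at first logon is set in every case."""
    password = formula_initial_password(rec) if rec else random_initial_password()
    if not meets_complexity(password):
        raise ValueError("generated initial password does not meet policy")
    return {"username": username,
            "initial_password": password,
            "must_change_at_first_logon": True}


if __name__ == "__main__":
    # Constructed sample employee, not real data.
    sample = HrRecord("Alice", "Smith", date(2009, 3, 15), "1200")
    print(provision("asmith", sample))        # formula-based value
    print(provision("asmith"))                # random value
    print(f"random option: ~{random_guess_space_bits():.1f} bits of search space")
```

The formula branch is deliberately kept to elements that give one character of each class, so a value derived from any plausible HR record passes the same policy check as the random branch; if a chosen formula can produce values that fail the check, `provision` refuses them rather than issuing a password the user cannot log in with.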

If a formulaic initial password is new to the organization, begin using it as soon as possible to get users in the habit. Have your access services team begin assigning the initial password per the formula on all new access requests submitted by the users – getting them used to seeing the formula and resultant password will help them transition to the self-service tool. Of course, what I’m describing here may require some work with HR or others to make the necessary data elements available to the people or system that will be auto-generating these passwords.

Now that we have updated password governance, appropriate challenge questions, and a strategy for setting initial passwords, we are ready to start training the users and wrap up the month’s activity. That is the topic for the next article.

About the Author: Ioana Bazavan Justus

