The calculus is pretty established that complex passwords = better security. The corollary to this is that complex passwords = more help desk calls. This is just one of those truths due to the fragility of human memory.
So software has evolved to solve this equation. Understanding that passwords will be forgotten and that help desk calls are expensive, self service password reset software has emerged.
To allow your end users the ability to reset their Active Directory password, you need to authenticate them in some way. You need to know something about them that only they (and your encrypted database) know.
The most accepted method for this is the security question(s). Your users enroll in the self service password reset software by answering a series of pre-set questions to which supposedly only they know the answers. The problem isn’t with the method, it’s with the questions.
Anything that I can find out from the user’s Facebook profile or the pictures at their desk is BAD. Anything that I’d need a team of CIA interrogators to figure out is good. Don’t even give your users the option of car or eye color or girlfriend’s name or Father’s middle name. Sure, they can remember it, but the bad guys can also figure it out.
These guys over at Good Security Questions have created a pretty good list of acceptable questions. Keep in mind, the more difficult you make it to remember the answers, the more likely you’re going to run into the same help desk call scenario, but a bit of security is worth that cost.
Imanami’s own Active Directory Password Reset product, GroupID Password Center, allows the admin to set how many questions the user will have to answer and gives the ability to customize questions for maximum security.
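To make the enrollment and verification flow described above concrete, here is an added example (not GroupID Password Center’s code, and not from the post) of how a self service reset backend can enforce the two points this post makes: reject question topics that are guessable from a social profile or a desk photo, and require a configurable number of correct answers. The topic denylist, the question wording, the sample answers and the iteration count are all constructed for this example; answers are stored as salted PBKDF2 hashes rather than in a reversible form, and every enrolled question is checked on each attempt so that the response time does not reveal which answer was wrong.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Dict, Optional, Tuple

# Constructed denylist of question topics the post calls out as guessable
# (car, eye color, girlfriend's name, father's middle name, and similar).
WEAK_QUESTION_TOPICS = (
    "car", "eye color", "girlfriend", "boyfriend", "middle name",
    "pet", "birthday", "high school", "mother's maiden",
)

# Assumed work factor; raise it in production, lowered here so the example runs quickly.
PBKDF2_ITERATIONS = 200_000


def is_acceptable_question(question: str) -> bool:
    """Policy check: a question is rejected if it touches a guessable topic."""
    q = question.casefold()
    return not any(topic in q for topic in WEAK_QUESTION_TOPICS)


def normalize_answer(answer: str) -> str:
    """Fold case and collapse whitespace so 'Elm  Street' and 'elm street' match."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class Enrollment:
    """Security-question record for one user (hypothetical store, in memory only)."""

    def __init__(self, required_correct: int):
        self.required_correct = required_correct
        self.records: Dict[str, Tuple[bytes, bytes]] = {}  # question -> (salt, digest)

    def enroll(self, question: str, answer: str) -> None:
        if not is_acceptable_question(question):
            raise ValueError(f"question rejected by policy: {question!r}")
        self.records[question] = hash_answer(answer)

    def verify(self, responses: Dict[str, str]) -> bool:
        # Refuse to verify if the user never enrolled enough questions.
        if len(self.records) < self.required_correct:
            return False
        correct = 0
        # Check every question, even after a miss, so timing stays uniform.
        for question, (salt, digest) in self.records.items():
            given = responses.get(question, "")
            _, candidate = hash_answer(given, salt)
            if hmac.compare_digest(candidate, digest):
                correct += 1
        return correct >= self.required_correct


def demo() -> Tuple[bool, bool]:
    """Enroll three constructed questions and try a passing and a failing attempt."""
    user = Enrollment(required_correct=2)
    user.enroll("What was the name of the street you lived on in third grade?", "Elm Street")
    user.enroll("What was the first concert you attended?", "Rush")
    user.enroll("Which college did you apply to but not attend?", "Reed")
    passing = user.verify({
        "What was the name of the street you lived on in third grade?": "elm  street",
        "What was the first concert you attended?": "RUSH",
        "Which college did you apply to but not attend?": "Oberlin",
    })
    failing = user.verify({
        "What was the name of the street you lived on in third grade?": "Elm Street",
    })
    return passing, failing


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The `required_correct` setting plays the role of the admin-configurable question count mentioned above: raising it buys assurance at the cost of more forgotten answers, which is exactly the trade-off the post describes.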
Fix the “complex password = help desk calls” equation by offering Password Center while keeping the equation “complex password = good security” by making sure your security questions are as well thought out and secure as your Active Directory password policy.