There is an annoying tension in IT between security and productivity; complexity and simplicity; passwords and users. The more complex a password is, the more secure it is. And the more likely it is to be forgotten. Think about it: who can remember [email protected]? Or type it without your hands cramping?
But, your main goal is to keep your network and data secure so you go with complex passwords. And make users change them monthly. And never allow repeats. Problem solved, hackers beware, you have done your job.
Until the help desk calls start. If you buy that about 33% of all help desk calls are password related, then you just increased your help desk staff by 50% to implement your c0mpl3X password policy (that’s not the new math, it’s how the numbers work).
So how do you balance the two competing forces: the immovable user and the unstoppable password? You go for security but give your users a way to reset their Active Directory password without calling the help desk.
The software to reset Active Directory passwords has to be secure as well. Don’t let users answer questions like “what color are your eyes”; use questions like “what model bike did you have in high school”. Make sure the questions cannot be answered by looking at the pictures on their desk or checking their Facebook profile.
But make it accessible enough that they’re not going to call the help desk anyway. Post a “forgot password” link on the login screen, make it accessible to users trying to VPN, and put the secret questions in the right place on your intranet so that users see them daily. Send reminders to make them enroll. If you allow web-based Active Directory updates, integrate the self-service password reset questions into that portal.
It is a fine line between security and productivity, but you need both. Take a look at how a combination of self-service password reset and self-service directory updates can help you stay on the optimal part of this line.