There has been some discussion about the initial passwords given to accounts in the enterprise. Too hard and it is written under the keyboard, to easy and everybody knows, and then there are the usual suspects.
And if you use the same password to start and reset accounts can you make the user change it or will that come back to punish you. The solution I outline below is for organizations that don’t or can’t install a web based password reset system. Many web based services already have a self service system in place.
To try and combat the simple password being used at the start and left as the password for evermore I would offer this as a possible solution.
We need to assign a password to user accounts when they are created. We need that password to be easy to get to the user. We need the user to change the password to a sufficiently complex password to discourage brute force attacks password attacks and secure our data.
In discussing the issues around initial passwords some problems have been found.
Using a standard password when creating an account and then requesting the patron change the password has mixed results. Some never change the password. When using a formula or simply an initial password means that anyone ever hired may have access to the account of others.
One method to combat this could be.
- Generate a list of eight character random password for the initial account or forgotten password use.
- Define a period of use, one month as an example.
- Assign a different password for each month.
- Only use the password assigned for that month when creating or resetting passwords.
- Do not reuse last year’s passwords, generate a new set each year.
This method should cause the user to change their password rather than try to remember the random one. It should also minimize the possibility of account theft by changing the initializing password each month.
This combined with a minimum password length and composition. Capitals, numbers and eight characters may make your process more secure or at least less leaky.