
Is This The Poorest Password Reset Process Ever?

Steven Hope on 19th June 2017

Just as complete strangers will not think twice about discussing their embarrassing ailments as soon as they discover someone is a doctor, the same can be said of IT security professionals. Was an email a scam? Should I have clicked on that link? Is online banking safe? What antivirus do you recommend? The list is endless. These days I am rarely surprised; however, one story I was told by a supplier last week took me aback.

He was contracting for an organisation and had been given web-based email access. To log in each day he would go to the website and type his email address and password. This password lasted 30 days and would then need to be changed. Typically, day 30 came and went, and when he tried to log in one morning he was prompted for a password reset. The trouble was that every time he attempted to do so he failed. He called the service provider's helpdesk and the conversation went along the lines of…

Caller: “Hi. My password has expired but I can’t reset it myself. Can you help?”

Helpdesk: “Of course. What is your email address?”

In the interests of being discreet I won’t share this part of the conversation. But he assures me the only thing he told the helpdesk was his email address.

Helpdesk: “No problem. What would you like your new password to be?”

Astonishingly, all he needed to change the password and gain access to his email account (which, by the way, contains sensitive information) was his email address. No other form of identification was requested. I asked whether his phone number might have been registered with the company, but he wasn’t using his work phone as it had poor reception. To add insult to injury, the password he asked them to set was exactly the same as the password he had been using for the past 30 days, which raises the question: why have an expiry date in the first place?

Helpdesk: “That is all done for you. Have a nice day.”

Caller: “Thank you.”

On the plus side, the call was quick (so the helpdesk cost was minimal), he got access to his emails with little inconvenience, and no harm was done. However, the story could have panned out very differently if it had been someone else with an ulterior motive on the line.

This experience shows how, today, passwords are by and large seen by everyone as a necessary and unavoidable inconvenience. But this should not be the case. In this instance, he should never have needed to trouble the helpdesk (no matter how quickly they were able to resolve the issue), because we should no longer be relying on passwords to ‘secure’ our systems, not when there are so many better alternatives.

The large and long-term challenge we as authentication professionals have is to break down this apathy, whilst at the same time educating organisations that replacing passwords doesn’t have to mean increasing complexity, adding more factors and increasing costs. In fact, the opposite is often the case.

Here is how the login process should happen

He opens his laptop and Internet browser, goes to his email login page, and is asked to enter a one-time code (OTC). Using his phone, he opens his PINgrid app, looks at the pattern he previously set and memorised, and enters the corresponding numbers into the website (these numbers are his OTC). He is now logged in to his email. What’s more, it wouldn’t matter if his phone had no signal, as the app works offline. And every time he logs in the app creates a new OTC, so not only is it more secure, but there is no need to perform a password reset every 30 days.
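As an added illustration (not Authlogics’ PINgrid implementation, whose internals the post does not describe), here is a minimal model of a pattern-based one-time code that works offline: app and server derive the same grid of digits from a shared secret and the current time step, the user reads off the digits at memorised grid positions, and the server recomputes the grid and compares. The secret, the pattern, the 6x6 grid size and the 30-second step are constructed assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import struct
import time

# Assumed parameters for this illustrative model (not Authlogics' specification).
GRID_SIZE = 6   # 6 x 6 grid of digits shown to the user
TIME_STEP = 30  # seconds each grid is valid; app and server share the clock

def derive_grid(secret: bytes, counter: int, size: int = GRID_SIZE) -> list[list[int]]:
    """Derive a size x size grid of digits from the shared secret and time counter.
    App and server compute the same grid independently, so the app works offline.
    Bytes >= 250 are skipped to avoid modulo bias when mapping onto digits 0..9."""
    cells: list[int] = []
    block = 0
    while len(cells) < size * size:
        digest = hmac.new(secret, struct.pack(">QI", counter, block), hashlib.sha256).digest()
        cells.extend(b % 10 for b in digest if b < 250)
        block += 1
    cells = cells[: size * size]
    return [cells[r * size:(r + 1) * size] for r in range(size)]

def time_counter(now: float | None = None, step: int = TIME_STEP) -> int:
    """Time step index shared by app and server."""
    return int((time.time() if now is None else now) // step)

def otc_from_pattern(grid: list[list[int]], pattern: list[tuple[int, int]]) -> str:
    """Client side: read off the digits at the memorised (row, col) positions."""
    return "".join(str(grid[r][c]) for r, c in pattern)

def verify_otc(secret: bytes, pattern: list[tuple[int, int]], submitted: str,
               now: float | None = None, window: int = 1) -> bool:
    """Server side: recompute grids for the current and neighbouring time steps
    (tolerating clock drift) and compare in constant time."""
    counter = time_counter(now)
    for delta in range(-window, window + 1):
        expected = otc_from_pattern(derive_grid(secret, counter + delta), pattern)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

if __name__ == "__main__":
    # Constructed demo values: enrolment secret and the user's memorised pattern.
    secret = b"constructed-demo-secret-not-for-use"
    pattern = [(0, 0), (1, 1), (2, 2), (3, 3), (4, 4), (5, 5)]  # a diagonal
    now = time.time()
    code = otc_from_pattern(derive_grid(secret, time_counter(now)), pattern)
    print("grid-derived OTC:", code, "accepted:", verify_otc(secret, pattern, code, now))
```

Because the grid changes every time step, an observed code is useless a minute later, which is the property the post contrasts with a 30-day static password.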

I never tire of hearing new security horror stories, but I hope that before too long they will become few and far between. There really is no excuse or reason for anyone to still be using passwords.

Author: Steven Hope, Authlogics
