What could make a mass password reset even tougher than it already is? Another mass reset months later, when everybody’s password expires at the same time (just like that old container of raspberries you bought last month for your smoothies-for-breakfast regimen).
IT pros who spoke with IT Brew recommended practices to stagger new-password requests, that way the stress gets sprinkled around the calendar rather than placed in one heap of help desk tickets.
“All those incidents are going to fall right on the same day and overwhelm the help desk,” Andrew Topp, director in the enterprise technology and experience practice at West Monroe, told IT Brew, describing one possible scenario.
Just a few years ago, Topp led the digital services company’s incident recovery teams, where he helped orgs “put Humpty Dumpty back together again” following a ransomware attack or cyber incident. Essential to those efforts, he said: resetting passwords.
Organizations like Transport for London, Dick’s Sporting Goods, and the Los Angeles Unified School District (LAUSD) have all reportedly conducted massive resets, following cyber incidents—sometimes requiring in-person reauthentication.
The efforts help to ensure that threat actors, following one end-user compromise, haven’t pulled a full directory of usernames and passwords, Topp said.
“The standard practice that we always took when we were responding to incidents was to always assume that it happened, or [at least] we can’t run the risk that it didn’t. I basically say, ‘Better safe than sorry.’ I’m going to force everybody to run a password reset,” Topp told us.
For Active Directory environments, after the initial all-at-once reset, Topp recommends dividing users into groups and then setting “fine-grained password policies” for each—maybe one group has expirations in 80 days, another in 90, another in 100, for example.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Another Topp tip (sorry): distributing password reset reminders as an expiration approaches; scripts can automate the process.
Amit Patel, SVP at Consulting Solutions, recommends self-service tools—options like Microsoft’s Entra ID, IBM Verify, and BIO-key International’s PortalGuard—that allow employees to reset passwords on their own, following authentication.
“That will help reduce the burden on your help desk, so that way the help desk can actually concentrate on more business-critical items than just password resets,” Patel told IT Brew.
While companies’ policies often include regular password expirations, bodies like the National Institute of Standards and Technologies (NIST) and the UK’s National Cybersecurity Center (NCSC) have advised against the practice of arbitrary resets. New passwords are more easily forgotten and more likely to be written down, the NCSC warned in 2016.
Compensating controls like multi-factor authentication can help to assure IT pros who may be uncomfortable with a longer expiry window, according to Topp. Just don’t exclude any machines, accounts, and trusted network locations, Topp advised; it was not uncommon for his team to find privileged accounts in client environments that didn’t require an MFA prompt, he said.
“They were excluded from the policy that enforced the second challenge, and as a result, were the ones that got targeted for compromise,” Topp told us.
And that means a long day for IT.