Password reset software is essential to a company’s ability to maintain the security of its information, but if not mapped out properly, the solution itself can yield an entire crop of vulnerabilities.
This was a lesson learned the hard way by Apple last month. As reported in The Verge, Apple was forced to close a major flaw in its self-service password reset tool known as iForgot when it was discovered that all that was needed to change people’s passwords was their date of birth and email address.
According to The Verge:
“The exploit involves pasting in a modified URL while answering the DOB security question on Apple’s iForgot page. It’s a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand. Out of security concerns, we will not be linking to the website in question.”
The Verge reported that as late as the end of March, there still existed an online tutorial of how to exploit this seriously under-secured tool, thereby compromising the password management of all Apple’s cloud-based offerings including iTunes and iCloud. While the outlet did not provide the link to the tutorial, it still served as a wake-up call for Apple about its password reset tools. Since these details are hardly state secrets for anybody, it left user accounts vulnerable and hackers would have been able to feast upon the fruits of Apple customers.
Organizations that employ an automated password reset tool should be more cognizant of how these passwords are harvested. Cultivating a successful password management solution requires the following steps:
- Plowing Under Human Password Weaknesses: Users frequently trade network security for convenience by choosing simple and easy-to-remember passwords even if strong written policies are in place. This was Apple’s problem — allowing such common personal data to be the key to engaging the password reset tool. Organizations need to establish strong password policies that reject passwords that contain things like common words, palindromes, proper names (particularly the user’s name) and simple numeric patterns in favor of passwords that use upper and lower case characters, special characters and numeric characters.
- Don’t Over-Work the Passwords: While the password needs to be necessarily complex, it should not be so complex that users constantly forget their own passwords. Publish a password policy and utilize tools that help users easily meet the policies you automatically enforce. With this, a user is notified of what is needed to create a strong password should the one they enter fail the policy. This feedback should be detailed and give the user the necessary information to create their own passwords — ones they can remember — to meet the network policy.
- Individual Attention for Users: Self-service password reset allows users to securely reset their forgotten passwords, unlock their accounts or reset their RSA SecurID PIN in a matter of seconds without burdening the help desk with active directory and other critical system password reset requests.
- Irrigating the Entire Field of Apps: By employing password synchronization, organizations ensure that users will have the same passwords across all applications and systems to which they have access. The administrative benefit is only one password for each employee needs to be remembered. From a user perspective, most users are more likely to accept one complex, hard-to-crack password than several, even if they are easy because it is considerably more convenient to only need to remember one password.
- Applying Pesticides: Encryption may not be a characteristic of enterprise password management software, but organizations can certainly make their passwords more effective by encrypting all data before it goes over the network. Also, encryption and secure one-way hashing of personal employee enrollment data provides increased security and privacy. End user identity verification is systematically applied through all self-service password reset software interfaces.
Since the hackers have become fruitful and have multiplied over the years, organizations need to establish adequate fences of password management around their information. Just how sophisticated the password reset software that comprises those fences is could determine whether or not that information winds up as a bountiful harvest or a security nightmare.
Watch the Avatier Password Management Product Introduction video to learn more about our password reset software solutions:
Learn the Top 10 Password Management Best Practices for successful implementations from industry experts. Use this guide to sidestep the challenges that typically derail enterprise password management projects.