A Windows Password Reset To Save Your Sanity

Erika Morphy

Washington DC-based Thycotic has upgraded its Thycotic Password Reset Server to offer functionality for Office 365 along with its traditional Active Directory support.

As an added bonus, it’s offering some workarounds to save the password-challenged among us a little bit of sanity.

There is also a new help desk support portal included with the goal of freeing up help desk resources from account lockout requests.

The server lets corporate users reset their Active Directory and Office 365 passwords from the login screen or, if the worker is remote, via a web browser.

Enhanced Security

The process maintains the company's governance controls and security processes and in some instances even enhances them, Nathan Wenzler, executive director of Security for Thycotic, told CMSWire.

That is due to the inclusion of auditing tools that report on who is requesting the password reset, where this person is, and even how many times in a set period he or she has to redo the password.

Also, the role-based controls can be configured so the help desk staff doesn’t have direct access to Active Directory and the credentials, which is a security plus, he said. "It is another buffer of auditable, managed control."

Frantically Trying to Recall 8th Grade

Implementation is easy enough: the web-based front end of the server is a basic install on top of Microsoft, and Thycotic handles the synchronization to Active Directory and Office 365.

Then comes the configuration, which the company is also billing as user friendly.

"You can make changes to the roles or controls at this point," Wenzler said.

The user can also create custom security questions and answers to regain access after a lockout — a relief to anyone who has struggled to remember what she answered 60 or 90 days ago when asked "who her best friend was in eighth grade."

The real answer? Who can remember that far back! Another, even more accurate answer? What month in eighth grade are we talking about because they rotated with frequency!

Wenzler is sympathetic to the dilemma posed by the eighth-grade best friend question.

"These questions can be a problem," he said, even though they are rooted in good intentions. What IT is doing is crafting questions obscure enough that the answers wouldn't come up in normal conversation, in order to prevent social engineering attacks, he explained.

The flip side, though, is that the system can become unusable if people can't remember the answers they provided about their nursery school cohorts or their gerbil’s name in 1995.

"The security industry is trying to strike a better balance between these questions and usability," Wenzler said.

Thycotic's Balance

This is the approach Thycotic used with its new iteration of Password Reset Server.

  1. End users can synchronize their Active Directory and Office 365 accounts during the password reset.
  2. If end users are completely and utterly stumped by every security question posed to give them access (hey, it can happen, especially if your password must change every 60 or 90 days), the server can be configured to let help desk staff grant login access directly.
  3. There is Active Directory attribute integration, which lets IT administrators preload answers for users during the setup process from Active Directory attributes, such as the employee's office phone or corporate address.

Presumably, the user can recall those answers and if not — well, that is perhaps an issue best handled by an entirely different group of professionals.