
Delegating Password Reset Privileges - Hitachi ID Password Manager

Users with password problems will sooner or later call the help desk for assistance. This remains true even after password synchronization is deployed to reduce the frequency of password problems, and after self-service is deployed to let users solve their own problems.

Help desk analysts answer these calls, and (at least in theory) authenticate the caller and reset one or more passwords.

To reset passwords, the help desk analysts must have some administrative privileges on the system in question. If they don't, then the call will be escalated to a system administrator, which can be slow for the end user and costly for the IT organization.

On many systems, the administrative privileges required to reset passwords are inextricably linked to other administrative privileges -- for example, to create users, or start/stop services, or access any data on the system -- which the help desk analysts do not actually require to do their job.

The security problems that arise when help desk analysts have too many privileges include the possibility of one of them intentionally or accidentally compromising security, plus the possibility that the account of a help desk analyst will be compromised by an intruder. These problems are exacerbated by the large number of help desk analysts in an enterprise-scale organization -- there are more potentially malicious help desk "insiders" and more target accounts for intruders -- and by the high turnover rate of help desk analysts. In a typical organization, help desk staff turnover is around 50% per year.

The principle of least privilege indicates that, where possible, help desk analysts should not be given these extraneous privileges. Since many systems have no means of granting password reset privileges without also granting other, unrelated rights, an external application can be deployed to act as an intermediary between the help desk analyst issuing the password reset and the target system on which it is carried out. With such an intermediary application (Hitachi ID Password Manager), only the application needs administrative rights on the target system, and analysts sign into the application only -- never directly into the target system.
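The intermediary pattern described above, as an added illustration that is not part of this page or of Hitachi ID's product: a constructed target system whose single admin credential bundles password resets with unrelated rights, and a reset broker that alone holds that credential, exposes only the reset operation, scopes it by analyst role, refuses privileged accounts, and records an audit trail. All names, credentials and accounts are constructed for the example.

```python
import hashlib
import secrets
from datetime import datetime, timezone

# Constructed stand-in for a target system whose one admin credential unlocks
# password resets *and* unrelated rights (here: creating users).
class TargetSystem:
    def __init__(self, admin_cred):
        self._admin_cred = admin_cred
        self.passwords = {"alice": None, "bob": None, "root": None}  # user -> salted hash
        self.services = {"db"}

    def _check(self, cred):
        if not secrets.compare_digest(cred, self._admin_cred):
            raise PermissionError("admin credential required")

    def reset_password(self, cred, user, new_pw):
        self._check(cred)
        salt = secrets.token_hex(8)
        self.passwords[user] = salt + ":" + hashlib.sha256((salt + new_pw).encode()).hexdigest()

    def create_user(self, cred, user):  # a right the help desk never needs
        self._check(cred)
        self.passwords[user] = None

    def verify(self, user, pw):
        stored = self.passwords.get(user)
        if not stored:
            return False
        salt, digest = stored.split(":")
        return secrets.compare_digest(digest, hashlib.sha256((salt + pw).encode()).hexdigest())


class ResetBroker:
    """Intermediary: holds the admin credential, exposes only resets, keeps an audit trail."""
    PROTECTED = {"root"}  # privileged accounts no analyst may reset through the broker

    def __init__(self, target, admin_cred, roles):
        self._target, self._cred = target, admin_cred  # analysts never receive _cred
        self._roles = roles                            # analyst -> set of granted operations
        self.audit = []

    def reset_password(self, analyst, user, new_pw):
        allowed = "reset_password" in self._roles.get(analyst, set()) and user not in self.PROTECTED
        self.audit.append((datetime.now(timezone.utc).isoformat(), analyst, user,
                           "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{analyst} may not reset {user}")
        self._target.reset_password(self._cred, user, new_pw)
        return True
```

Only the broker ever presents the admin credential to the target; an analyst whose own account is compromised yields at most the scoped reset right, and every attempt, granted or denied, lands in the audit list.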

Read More:

  • Secure Password Management:
    Passwords are only as good as the weakest link in the password management process.
  • Locking down Password Manager:
    Protecting the Password Manager server, its data and its communications against attack.
  • Password Policy Enforcement:
    Password Manager can enforce a global password policy, ensuring that users choose hard-to-guess passwords, never reuse passwords, and change their passwords regularly.
  • Security vs. Usability:
    The human factor is important when formulating password policies and designing authentication processes.
  • Consistent Authentication Processes:
    Social engineering attacks, packet sniffing and other mechanisms can be used to compromise password security without having to directly crack passwords.
  • Delegating Password Reset Privileges:
    Delegating just the right to reset passwords to help desk staff or managers, without giving them other, unneeded rights.
  • Audit Logs:
    Audit Trails and transaction logs create accountability in security processes.
  • Authentication Options:
    Authentication processes supported by Password Manager for securely logging in users.