Discover the euphoria of self-service password reset.
Since the dawn of the technological age, stories have abounded of users writing passwords on Post-It notes and in logbooks. That's because good passwords are hard to devise and even harder to remember. When we concoct one, we hang on to it. What's worse, we use the same username and password everywhere. Many experts believe passwords represent one of the greatest security vulnerabilities; however, they remain a necessary evil. The reality is that passwords will be around for the foreseeable future. And for every password that exists, there's a user who will forget it.
IBM i's integrated password controls are enforced through a number of system values, including the new multi-setting-capable QPWDRULES value introduced in V6.1. If additional flexibility is required, it's possible to accommodate custom rules in a user-written exit program.
A balance must be found between passwords that are easy to remember and ones that are hard to guess. PCI compliance dictates a minimum length of seven characters, yet PowerTech's annual "State of IBM i Security" study still exposes servers that require only single-character passwords.
"Hello? Help Desk?"
So what happens when users forget their passwords? Invariably, they keep trying to sign on until IBM i considers it a possible intrusion attempt and intervenes.
According to Meta Group, each user places an average of 1.75 calls to the help desk each month, or 21 calls per year. Gartner estimates that up to 30 percent of help desk calls are password-related, with each reset racking up between $51 and $147 in labor costs. Another global advisory firm, Forrester Research, estimates $70 per password reset.
Calculating ROI for a security project can be challenging due to intangible benefits. The financial overhead associated with account lockouts can be calculated using a simple equation:
Annual Cost = [(Number of users) * (annual number of help desk calls per user) * (percentage of calls involving password reset) * (average cost per call)]
Using Meta Group's numbers, a mid-sized organization with 1,000 users receives 21,000 help desk calls per year. Of those, 6,300 (30 percent) are for password resets. Applying Forrester's estimate of $70 per call, this represents a staggering expense of $441,000 every year. For large companies, this cost can easily extend into the millions.
Question the Answer
When using a self-service password reset solution, it's critical that the security of the application not be undermined by weak challenge questions.
Answers should not be easily researched from a person's social network or be known to an ex-spouse, friend, or colleague. Examples of weak (yet common) challenge questions include these:
- Your mother's maiden name?
- The name of your oldest child?
Questions should encourage open-ended answers to prevent an intruder from guessing the correct response:
- What kind of pizza do you like?
- What is your favorite color?
Questions shouldn't pertain to information that changes over time:
- Where did you go on vacation last year?
- What was the last movie you saw?
Good security questions have four common characteristics. The answer to a good security question…
- cannot be easily guessed or researched (safe)
- doesn't change over time (stable)
- is memorable
- is definitive or simple
Acquiring a Solution to the Problem on IBM i
PowerTech's acquisition of Safestone Technologies has enhanced its portfolio with several new solutions, including Password Self Help (PSH), a native IBM i solution that enables users to reset their own forgotten passwords and to re-enable their disabled profiles.
When users forget their passwords, instead of contacting the help desk, they sign on with a special self-help profile that walks them through the process of resetting their account (Figure 1).
Figure 1: Allow users to reset their own passwords.
If the required questions are not answered correctly, the account will be suspended. Correctly answered questions result in an enabled profile and a reset password. All account reset activities are audited.
These are just a few of the features in PSH. Allow us to host you for a discussion and live demonstration or download a free 30-day trial and discover how to immediately start recouping lost productivity, scarce help desk resources, and bundles of money. And, as the television commercial says, "Who doesn't want more cash!?"
Visit the PowerTech website to learn more about PSH.