
Understanding Password Reset Requests

Learn more about how to recognize suspicious password reset requests.

In this section, you will learn about password reset requests. This article is primarily geared toward people working in IT. As an IT professional, you are going to receive reset requests through all sorts of avenues: people will call you, email you, and may even show up in person asking for a password to be reset.

So, how do you handle password reset requests?

First and foremost, stop. Before you reset a password for a user, verify the user's identity and status by asking yourself a few simple questions. What is the user's current work status: are they still working here, or were they let go for whatever reason? Can you identify who the user is? And did the user forget their password, or was it compromised?

  1. What is the user's current work status? Was the account disabled, or was the password changed intentionally? If you're not in a position to know that, it's worth taking the time to verify it. Things happen in corporations: people get let go, people are placed under investigation for whatever reason, and accounts may be changed or disabled while that investigation runs. The last thing you want to do is re-enable an account, or reset its password, and hand access back to a user whose account was disabled on purpose. So verify that information before you reset anything.
  2. Can you identify who the user is? Is there a policy in place for identifying the users whose passwords you change? Are they there in person, or is the request over email or by phone? Can you verify their ID, their email address, or the phone number they are calling from? This matters because impersonation does happen, especially over email or the phone, and neither a sender address nor caller ID proves who is on the other end. So verify the identity of the user before you reset the password; otherwise you may hand a freshly set password to an attacker, and your network could easily be compromised.
  3. Did the user forget their password, or was it compromised? If the account was compromised, resetting the password is not enough on its own: have the user sign out of all services, so that any sessions the attacker already holds are ended. In Gmail, for example, there is an option to sign out of all other sessions. Establish when the user lost control of the account and when they discovered the password had been changed, then review the logins to the account and the network in that window. All of this matters because if the user lost control of their account and password, your network may be compromised too. Go through and verify that nothing else was compromised and that the network and the user's account are safe again.

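The three questions above, as a triage routine a helpdesk could put behind its reset procedure. This is an added example written for this page, not code from the course; the directory record, ticket fields, sign-in log format and IP addresses are all constructed, and the field names (status, phone_on_file, callback_answered and so on) are assumptions about what your HR system and identity provider expose. It walks a request through the three checks in order, refuses to touch a disabled or held account, treats a phone or email request as unverified until the technician has called back the number on file, and, for a compromised account, lists the successful sign-ins from unfamiliar addresses in the window between the user losing control and noticing.

```python
"""Triage a password-reset request before touching the account.
Added example for this course page, not code from the original article. The
directory record, ticket fields, log format and IP addresses are constructed;
real status and phone come from HR/the directory, sign-ins from your IdP logs.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass
class DirectoryRecord:               # what HR / the directory says (assumed fields)
    username: str
    status: str                      # "active", "disabled", "terminated", "on_hold"
    phone_on_file: str               # recorded by HR, never taken from the ticket
    note: str = ""                   # e.g. why the account is on hold


@dataclass
class ResetRequest:                  # what the technician has (assumed fields)
    username: str
    channel: str                     # "in_person", "phone" or "email"
    id_checked: bool = False         # photo ID seen (in-person requests)
    callback_number: str = ""        # number the technician called back on
    callback_answered: bool = False  # and reached the user on it
    reason: str = "forgot"           # "forgot" or "compromised"
    lost_control_at: Optional[datetime] = None
    discovered_at: Optional[datetime] = None


def identity_verified(req: ResetRequest, rec: DirectoryRecord) -> bool:
    """Question 2: can the request be tied to the real user?"""
    if req.channel == "in_person":
        return req.id_checked
    # Caller ID and an email From: header are both spoofable, so a phone or
    # email request is verified by calling back the number HR has on file.
    return req.callback_answered and req.callback_number == rec.phone_on_file


def logins_to_review(req: ResetRequest, signins: List[str], known_ips: Set[str]) -> List[str]:
    """Question 3: successful sign-ins inside the window between losing control
    and noticing, from addresses the user does not normally use."""
    if req.lost_control_at is None or req.discovered_at is None:
        raise ValueError("need lost_control_at and discovered_at")
    hits = []
    for line in signins:             # constructed format: 'timestamp user ip result'
        ts_text, user, ip, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        if (user == req.username and result == "success" and ip not in known_ips
                and req.lost_control_at <= ts <= req.discovered_at):
            hits.append(f"{ts.isoformat()} {ip}")
    return hits


def triage(req: ResetRequest, rec: DirectoryRecord,
           signins: List[str] = (), known_ips: Set[str] = frozenset()) -> Dict[str, object]:
    """Ask the three questions in order and stop at the first one that fails."""
    # Question 1: status. Resetting a disabled or held account quietly
    # re-enables it, so this check comes before anything else.
    if rec.status != "active":
        why = f"account is {rec.status}" + (f" ({rec.note})" if rec.note else "")
        return {"action": "deny", "why": why}
    if not identity_verified(req, rec):
        return {"action": "hold", "why": "identity not verified; call back the number on file"}
    if req.reason != "compromised":
        return {"action": "reset", "why": "identity verified, password forgotten"}
    return {"action": "reset_and_investigate",
            "why": "reset, sign out all sessions, then review these sign-ins",
            "review": logins_to_review(req, list(signins), set(known_ips))}


# Constructed sample: jdoe normally signs in from 10.0.4.17, lost the account on
# the evening of 4 March and noticed the next morning.
SIGNINS = [
    "2024-03-04T08:55:00 jdoe 10.0.4.17 success",
    "2024-03-04T21:40:12 jdoe 203.0.113.45 success",
    "2024-03-05T02:03:30 jdoe 203.0.113.45 failure",
    "2024-03-04T22:10:00 bsmith 10.0.4.22 success",
    "2024-03-05T09:01:00 jdoe 10.0.4.17 success",
]
KNOWN_IPS = {"10.0.4.17"}
JDOE = DirectoryRecord("jdoe", "active", "+1-555-0100")


def example_disabled() -> Dict[str, object]:
    rec = DirectoryRecord("mlee", "on_hold", "+1-555-0111", note="HR investigation")
    return triage(ResetRequest("mlee", "in_person", id_checked=True), rec)


def example_unverified_email() -> Dict[str, object]:
    return triage(ResetRequest("jdoe", "email"), JDOE)   # a From: header proves nothing


def example_compromised() -> Dict[str, object]:
    req = ResetRequest("jdoe", "phone", callback_number="+1-555-0100",
                       callback_answered=True, reason="compromised",
                       lost_control_at=datetime(2024, 3, 4, 18, 0),
                       discovered_at=datetime(2024, 3, 5, 8, 0))
    return triage(req, JDOE, SIGNINS, KNOWN_IPS)


if __name__ == "__main__":
    print(example_disabled(), example_unverified_email(), example_compromised(), sep="\n")
```

Calling example_disabled() returns a deny because the account is on hold, example_unverified_email() returns a hold because nobody has called the user back, and example_compromised() returns reset_and_investigate with the single sign-in from 203.0.113.45 to chase; the failed attempt and the next morning's sign-in from the usual address fall outside what needs attention, which is what you want when the list goes into a ticket.
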
Asking yourself these questions before you act will help you carry out the reset safely and ultimately protect the end user, too.

Reflect and share: Have you experienced this? Did you receive a request, or did you send a request? If you sent a request, was your identity verified? Share your experience with your fellow learners below.

This article is from the free online course Cyber Security Foundations: Why Cyber Security is Important, created by FutureLearn - Learning For Life.
