The “something you know” authentication factor typically refers to a shared secret, such as a password or a PIN. This factor is the least secure form of authentication. If you’re planning on taking the Security+ exam, you should have a basic understanding of the important password security concepts.
For example, can you answer this question?
Q. A user calls into the help desk and asks the help-desk professional to reset his password. Which of the following choices is the BEST choice for what the help-desk professional should do before resetting the password?
A. Verify the user’s original password.
B. Disable the user’s account.
C. Verify the user’s identity.
D. Enable the user’s account.
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Here are some of the important password security concepts.
Changing Passwords
In addition to using strong passwords, users should also change their passwords regularly, such as every 45 or 90 days. In most systems, technical password policies require users to change their passwords regularly. When the password expires, users are no longer able to log on unless they first change their password.
I can tell you from experience that if users are not forced to change their passwords through technical means, they often simply don’t. It doesn’t matter how many reminders you give them. On the other hand, when a password policy locks out user accounts until they change their password, they will change it right away.
Resetting Passwords
It’s not uncommon for users to occasionally forget their password. In many organizations, help-desk professionals or other administrators reset user passwords.
Before resetting the password, it’s important to verify the user’s identity. Imagine that Hacker Harry calls into the help desk claiming to be the CEO and asks for his password to be reset. If the help-desk professional does so, it locks the CEO out of the account. Worse, depending on the process, it might give Hacker Harry access to the CEO’s account. Organizations use a variety of methods to verify a caller’s identity before a reset.
In some systems, help-desk professionals manually change the user’s password. This causes a different problem. Imagine a user calls the help desk and asks for a password reset. The help-desk professional changes the password and lets the user know the new password. However, at this point two people know the password. The help-desk professional could use the password and impersonate the user, or the user could blame the help-desk professional for impersonating the user.
Instead, the help-desk professional should set the password as a temporary password that expires upon first use. This requires the user to change the password immediately after logging on and it maintains password integrity.
Remember this
Before resetting passwords for users, it’s important to verify the user’s identity. When resetting passwords manually, it’s best to create a temporary password that expires upon first use.
Using Password History
Many users would prefer to use the same password forever simply because it’s easier to remember. Even when technical password policies force users to change their passwords, many users simply change them back to the original password. Unfortunately, this significantly weakens password security.
A password history system remembers past passwords and prevents users from reusing passwords. It’s common for password policy settings to remember the last 24 passwords and prevent users from reusing these until they’ve used 24 new passwords.
When implementing password history, it’s best to include a minimum password age setting. For example, a minimum password age of 1 day prevents users from changing their password again until one day has passed. Without it, a user could change the password 24 times in a row in a few minutes to cycle back to the original password. Chapter 2 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide shows how to implement password history with a minimum password age.
Remember this
You can combine password history with a minimum password age to prevent users from reusing the same passwords. A password history of 24 remembers the last 24 passwords.
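The three controls described above (password expiration, a temporary password that must be replaced at first logon, and password history combined with a minimum password age) are easiest to see working together in code. The following is an added example written for this post, not code from the post, the Study Guide, or any operating system; the policy values match the ones discussed above (24 passwords remembered, a 1-day minimum age, a 90-day maximum age), and the function and field names are my own. Password hashes are stored salted with PBKDF2 so the history never holds passwords in the clear.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Policy values taken from the discussion above (constructed demo settings).
HISTORY_SIZE = 24      # current password + 23 previous ones are remembered
MIN_AGE_DAYS = 1       # user may not change again until a day has passed
MAX_AGE_DAYS = 90      # password expires after 90 days
DAY = 86400            # seconds in a day; times below are plain epoch seconds
PBKDF2_ROUNDS = 50_000  # kept modest for the demo; production would use more


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history stores no cleartext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    current: bytes                                  # hash of the current password
    history: list = field(default_factory=list)     # previous hashes, newest first
    changed_at: float = 0.0                         # when the password was last set
    must_change: bool = False                       # set by a help-desk reset


def create_account(password: str, now: float) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, current=_hash(password, salt), changed_at=now)


def _recently_used(acct: Account, candidate: str) -> bool:
    """True if the candidate equals the current or any remembered password."""
    digest = _hash(candidate, acct.salt)
    if hmac.compare_digest(digest, acct.current):
        return True
    return any(hmac.compare_digest(digest, old) for old in acct.history)


def change_password(acct: Account, old: str, new: str, now: float) -> str:
    """User-initiated change. Returns "ok" or the reason the change was refused."""
    if not hmac.compare_digest(_hash(old, acct.salt), acct.current):
        return "current password incorrect"
    # Minimum age is not applied to a temporary password: it must be replaced at once.
    if not acct.must_change and now - acct.changed_at < MIN_AGE_DAYS * DAY:
        return "minimum password age not reached"
    if _recently_used(acct, new):
        return "password was used recently"
    # Push the old hash onto the history and trim so that current + history == 24.
    acct.history.insert(0, acct.current)
    del acct.history[HISTORY_SIZE - 1:]
    acct.current = _hash(new, acct.salt)
    acct.changed_at = now
    acct.must_change = False
    return "ok"


def reset_by_helpdesk(acct: Account, now: float) -> str:
    """Help-desk reset (after identity has been verified): a random temporary
    password that is only good for one logon, after which the user must pick
    their own. The help-desk professional never learns the lasting password."""
    temp = secrets.token_urlsafe(12)
    acct.current = _hash(temp, acct.salt)
    acct.changed_at = now
    acct.must_change = True
    return temp


def logon(acct: Account, password: str, now: float) -> str:
    """Returns "ok", "change_required" (temporary or expired password) or "denied"."""
    if not hmac.compare_digest(_hash(password, acct.salt), acct.current):
        return "denied"
    if acct.must_change or now - acct.changed_at >= MAX_AGE_DAYS * DAY:
        return "change_required"
    return "ok"


if __name__ == "__main__":
    acct = create_account("Winter2014!", now=0.0)
    print(change_password(acct, "Winter2014!", "Spring2014!", now=3600))   # minimum age refuses
    print(change_password(acct, "Winter2014!", "Spring2014!", now=2 * DAY))  # ok
    print(change_password(acct, "Spring2014!", "Winter2014!", now=4 * DAY))  # history refuses
    temp = reset_by_helpdesk(acct, now=5 * DAY)
    print(logon(acct, temp, now=5 * DAY))                                   # change_required
```

The `must_change` flag is what makes the temporary password expire on first use: logon with it succeeds only far enough to force a change, and the minimum-age rule is skipped for that one change so the user is not locked out. Trimming the history to 23 entries plus the current password is what yields the behaviour described above, where the original password becomes usable again only after 24 new ones.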
Q. A user calls into the help desk and asks the help-desk professional to reset his password. Which of the following choices is the BEST choice for what the help-desk professional should do before resetting the password?
A. Verify the user’s original password.
B. Disable the user’s account.
C. Verify the user’s identity.
D. Enable the user’s account.
Answer is C. Before resetting a user’s password, it’s important to verify the user’s identity.
Users often need the password reset because they have forgotten their original password, so it’s not possible to verify the user’s original password.
It’s not necessary to disable a user account to reset the password.
You would enable the account if it was disabled or locked out, but the scenario doesn’t indicate this is the case.