How to safely issue passwords to new users

In this Ask the Expert Q&A, our identity management and access control expert Joel Dubin offers tips on safe password distribution, and reviews the common mistakes that help desks and system administrators make when issuing new passwords.

What is the best method for issuing passwords to new users? I find it unsafe that the help desk or sysadmins give...

out the initial password, even though the user will be prompted to change it after he or she first logs on.

On one hand, what you describe is the proper practice for issuing passwords to new users, or for resetting lost passwords for existing users. Giving out a temporary password that has to be changed on the first log on is the best way to go. On the other hand, giving out a "password" for that initial password isn't such a good idea.

Such a situation can be easily abused by social engineers. If a malicious user, whether inside the company or not, knew this, they could easily call in, claim to need a password reset and impersonate a legitimate user. So what can you do to avoid this?

First, all initial passwords issued should be unique to each user. Help desk staff shouldn't be giving out the same passwords, or passwords based on a simple easy-to-guess formula such as a variation of the user ID.

Most authentication systems, including Active Directory, have a feature that can be set in users' account requiring them to change their passwords after the first log on. In addition, Group Policy Objects (GPO) in Windows Server 2003, for example, can be configured to set a required password length and complexity that will make a user's password harder to guess or crack.

Even then, the security for issuing initial passwords can be improved. Here are some additional suggestions and best practices for your help desk and system administrators:

  1. Always give a unique password to each new user, or existing user requiring a reset. Avoid easy-to-guess formulas.
  2. Set a time limit on the new temporary password. It should only be used once and then must be activated within, say, 24 hours. Otherwise, it expires and the user has to call in again for a fresh password. Don't allow temporary passwords to be permanent or usable forever.
  3. Keep records of all requests for new passwords or resets. Use the records during periodic audits for stale accounts. Check for patterns. Regular requests for resets from the same person or department could be an indication of something fishy.

Generally speaking though, issuing a temporary password that must be changed on the next log on is a best practice for securing user credentials.

More on this topic

  • Do you know your help desk? Make sure you know how to verify password changes coming from system administrators.
  • Learn how personal relationships can threaten your password security.

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing