I implement simple user management. How should an administrator reset a password for a user? Just provide a new password for the user (as in Active Directory)? Is it secure enough?

Added

Is it secure enough to do it as Active Directory only to type twice a new password? I wanted to create a dialog with 3 fields: user email, new password and retype new password. Is it better to prevent attacks?

1 Answer

This question is rather broad and hard to answer with so few details. It really depends on your organization's setup, but I'll try to give a general answer:

It's always better for a user to type in their own password rather than having an admin create a "temporary password". The main reasons for this (as far as I know) are:

1. The admin could perform actions under the user's name while the temporary password is set. If non-repudiation is a legal concern for your organization, then this matters. Often an admin has the power to impersonate a user anyways, so it doesn't matter.

2. How to get the temporary password to the user? Email is a terrible idea because it is insecure. Out-of-band methods (i.e. non-digital) are preferable, such as printing it and physically handing it to them, telling them the temp password over the phone, etc. If you have to send the password to them electronically, do you have the infrastructure to encrypt it for them?

For these reasons, it's always better if you can somehow flag the account for "password reset" (depending on which software you use) and let the user type in their own password the next time they log in. So if any of the client software that your users use is Active Directory aware, and has the ability to perform a Password Reset, then this would be preferable to having an admin type a new password.

  • Yes, absolutely correct! But it requires some additional password management use cases like changing the password upon the first login, etc. The question is whether typing a new password is enough, or whether the admin should provide additional information like a user email (to prevent hacker attacks).
    – Michael
    Commented May 26, 2015 at 14:38
  • @Michael I don't understand the question. Could you try saying it differently? Commented May 26, 2015 at 14:49
  • Is it secure enough to do it as Active Directory only to type twice a new password? I wanted to create a dialog with 3 fields: user email, new password and retype new password. Is it better to prevent attacks?
    – Michael
    Commented May 26, 2015 at 15:03
  • 2
    @Michael Umm, if the user is typing their information into your dialog, then that's better than the admin making a password and telling them. But "does it prevent attacks"? That is a much larger question since there are many many many types of possible attacks, which is why large companies are willing to pay millions of dollars to security experts. Commented May 26, 2015 at 15:09
  • 1
    @Michael Ok, then we're back to the problem of "how does the admin tell the new password to the user?" How secure is that process? Commented May 26, 2015 at 15:30

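The answer's recommendation, flagging the account for a reset and letting the user choose their own password, can be demonstrated in a small in-memory user store. The following is an added example, not code from the question, the answer or Active Directory; the `UserStore`, `Account`, the token TTL and the minimum password length are constructed for illustration. The admin action invalidates the old password and issues a single-use, time-limited token that is stored only as a hash; the admin never picks or sees the user's new password, and the user must supply the new password twice, as the asker's dialog does.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000      # work factor for password hashing; tune for your hardware
RESET_TOKEN_TTL = 15 * 60    # constructed value: reset token valid for 15 minutes
MIN_PASSWORD_LEN = 12        # constructed policy value


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never keeps the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def hash_token(token: str) -> bytes:
    """Reset tokens are stored hashed, so a copied database does not yield live tokens."""
    return hashlib.sha256(token.encode("utf-8")).digest()


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False                 # the "flag for password reset" from the answer
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0


class UserStore:
    """Hypothetical in-memory user store, constructed for this example."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, salt, hash_password(password, salt))

    def admin_flag_reset(self, email: str, now: Optional[float] = None) -> str:
        """Admin action: block logins with the old password and issue a one-time token.
        The admin never chooses or learns the new password. The returned token is
        meant to be handed over out of band (in person, by phone) and expires."""
        acct = self.accounts[email]
        token = secrets.token_urlsafe(32)
        acct.must_reset = True
        acct.reset_token_hash = hash_token(token)
        acct.reset_expires_at = (now if now is not None else time.time()) + RESET_TOKEN_TTL
        return token

    def complete_reset(self, email: str, token: str, new_password: str,
                       confirm: str, now: Optional[float] = None) -> bool:
        """User action: prove possession of the token, then set their own password."""
        acct = self.accounts.get(email)
        if acct is None or not acct.must_reset or acct.reset_token_hash is None:
            return False
        current = now if now is not None else time.time()
        if current > acct.reset_expires_at:
            return False                     # expired token is rejected, not consumed
        if not hmac.compare_digest(hash_token(token), acct.reset_token_hash):
            return False                     # constant-time comparison of token hashes
        if new_password != confirm or len(new_password) < MIN_PASSWORD_LEN:
            return False                     # the "retype new password" check from the dialog
        acct.salt = secrets.token_bytes(16)  # fresh salt for the new password
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.must_reset = False
        acct.reset_token_hash = None         # single use: the token cannot be replayed
        acct.reset_expires_at = 0.0
        return True

    def login(self, email: str, password: str) -> str:
        """Returns 'ok', 'reset_required' or 'denied'. A flagged account cannot log in
        with the old password, which closes the window in which someone holding a
        temporary password could act under the user's name."""
        acct = self.accounts.get(email)
        if acct is None:
            return "denied"
        if acct.must_reset:
            return "reset_required"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            return "ok"
        return "denied"


if __name__ == "__main__":
    store = UserStore()
    store.create("alice@example.test", "correct horse battery staple")   # constructed user
    token = store.admin_flag_reset("alice@example.test")
    print("after flag:", store.login("alice@example.test", "correct horse battery staple"))
    print("reset ok:", store.complete_reset("alice@example.test", token,
                                            "new password 12345", "new password 12345"))
    print("after reset:", store.login("alice@example.test", "new password 12345"))
```

The delivery problem raised in the second point of the answer still exists here, but it has moved from a password to a short-lived token: if the token is intercepted, it expires within minutes and becomes useless once the legitimate user has completed the reset, whereas an admin-chosen password would stay valid until the user changed it.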