Today, organizations need to pay attention to their cybersecurity posture, including policies, procedures, and technical solutions for cybersecurity challenges.
This often results in a greater burden on IT service desk personnel as end users experience issues with security software, policies, and password restrictions.
One of the most common areas where security can pose problems for end users is password policies and password changes. What are these issues? How can organizations reduce end user frustration when changing passwords? First, consider the standard password policy, its role, and general settings affecting end users.
What are password policies?
Most organizations today have a password policy in place. So what is a password policy? Password policies define the types and content of passwords allowed or required of end users in an identity and access management system. Various aspects of the password that businesses control may include required password length, composition (requiring certain characters), password age, and prohibition on reusing previously used passwords.
Microsoft’s Active Directory Domain Services are arguably the most popular identity and access management system for on-premises environments today. Active Directory password policies allow organizations to control the basic characteristics of end user passwords with configurable password settings.
These parameters include:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Minimum password length audit
- Password must meet complexity requirements
- Store passwords using reversible encryption
|Configuring Active Directory Password Policy|
Active Directory password policies are enforced as part of Microsoft Active Directory Domain Services Group Policy. Group policies can apply to a specific organizational unit in Active Directory and can be filtered to apply to a particular user, group, or computer.
How password changes cause frustration for end users
While password policies are crucial to your organization’s overall cybersecurity posture, they can certainly place an increased load on the IT help desk. The service desk deals with most of the issues related to password changes and account lockouts. Often, frustration occurs when end users change their passwords as a result of the password policy being applied.
Many organizations choose to implement password policies that define password aging as part of policy enforcement. Password aging forces end users to change passwords when the password age reaches the days configured in the policy.
End users who need to change their passwords may enter their password incorrectly when changing the password. This can cause the account to be locked out when they attempt to enter the password they “think” is correct. In addition, end users may have difficulty simply setting their password. They may not fully understand the password policy requirements.
This ultimately leads to employees who cannot log on, which means they are unable to be productive. In addition to being a costly problem for the employee’s department (lost work), this also has an impact on the service desk.
Frustration of Password Change – Costly for Your Business
Of all the problems that service desk agents sort through, changing an end-user password can be one of the most time-consuming and costly for the business. According to Gartner Group, between 20% and 50% of all service desk calls are about password resets, while Forrester Research states that the average help desk labor cost for a single password reset is around $70.
In addition to service desk labor costs, business continuity can be affected if a key user is locked out of their account or experiences application issues due to a changed password.
These are the less tangible costs associated with a password change. Additionally, if end users are affected by a password change, it can impact customers.
Reducing end-user frustration when changing passwords
Businesses cannot simply ignore security best practices just for the convenience of end users, regardless of the age of the user calling the service desk. However, there are tools that can help reduce the end user password change frustration caused by not having a clear message as to why the password is rejected.
In addition to providing a much more robust solution than the simplistic Active Directory password policy settings found natively in AD DS, Specops Password Policy is a tool that can provide this capability to reduce end-user frustration when changing passwords.
It includes the following two components, which work together to give the end user much greater transparency into password requirements and any upcoming required password changes:
- Client message configuration
- Specops Authentication Client
In Specops Password Policy, IT administrators can configure the Client message to customize the feedback users see when password change attempts fail. Specops Password Policy can be configured to provide dynamic feedback to end users, using the following settings:
- Show all rules
- Show only failed rules
- Show only personalized messages
|Configuring the client message in the Specops password policy|
The Specops Authentication Client works with the setting configured above to allow Specops to display password policy rules when a user does not meet the policy criteria when changing their password. The client will also notify users when their passwords are about to expire.
The standard “change password” screen in Windows can be a real source of frustration for the end user. Without any indication of a password policy, history of previous passwords, or dictionaries, a user often turns to the service desk for help.
|The standard Windows password change user experience|
When users have visibility into the specific reason why the password they are trying to set fails, it can help them better understand password policy requirements and align the passwords that they use with company policy. Specops Password Policy recently implemented dynamic feedback when changing a password.
|Dynamic feedback when changing password for end users of Specops password policy|
This capability also helps ease the burden on the IT help desk when end users can better understand what is required of their corporate password. Better understanding of the rules not only reduces end-user frustration, but also minimizes costly IT help desk calls.
Security and password policies are necessary to maintain an effective cybersecurity posture for organizations today. However, password policies and forced account password changes can place additional strain on the IT help desk as help desk agents sort out and resolve account password issues in the environment. Reducing end-user frustration with password changes can be facilitated by effective dynamic feedback from the source of your password policy.
Natively, Windows displays a very vague message about why a particular password is not allowed by a password policy. Specops Password Policy corrects this shortcoming by allowing organizations to implement dynamic feedback that is customizable for the end user.
For example, when users try to set a password that does not meet all the requirements configured in the password policy, it provides much more detail as to why the set password operation failed.
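The difference between one vague rejection and per-rule feedback can be seen in a short sketch. This is an added example, not Specops or Microsoft code: the policy values, the function names and the sample history are constructed, and the complexity check is a simplified form of the Active Directory rule (four character categories, account name only).

```python
import hashlib
import hmac

# Constructed policy values for illustration; not taken from the article.
POLICY = {"min_length": 12, "history": 3, "min_categories": 3}


def digest(password, salt):
    """Salted PBKDF2 digest so the history list never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def evaluate(password, account_name, history, policy=POLICY):
    """Return (rule text, passed) for every rule, in a fixed order."""
    categories = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    n = policy["history"]
    recent = history[-n:] if n else []
    reused = any(hmac.compare_digest(digest(password, s), d) for s, d in recent)
    # Simplified from AD's complexity rule: only names of 3+ characters count.
    has_name = len(account_name) >= 3 and account_name.lower() in password.lower()
    return [
        (f"At least {policy['min_length']} characters",
         len(password) >= policy["min_length"]),
        (f"Characters from {policy['min_categories']} of 4 categories",
         categories >= policy["min_categories"]),
        ("Does not contain the account name", not has_name),
        (f"Not one of the last {n} passwords", not reused),
    ]


def feedback(results, mode="failed"):
    """mode='all' lists every rule; mode='failed' lists only unmet rules."""
    rows = results if mode == "all" else [r for r in results if not r[1]]
    return [f"[{'ok' if passed else 'FAIL'}] {rule}" for rule, passed in rows]


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample history entry
    old = [(salt, digest("Winter2023!Rain", salt))]
    for line in feedback(evaluate("jsmith2024", "jsmith", old), mode="all"):
        print(line)
```

Because every rule is evaluated rather than stopping at the first failure, the user sees all unmet requirements in one attempt instead of discovering them one rejection at a time.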