Having a sound password policy is fundamental to corporate security. Andy Kemshall, Technical Director of SecurEnvoy, explains how the two factor authentication (2FA) industry can help to make password resets even more secure.

Does your company have an adequate password policy? A quick Google search for the phrase ‘password hacking’ pulls up 32.5 million results, but taking a look at the huge number of password cracking applications reveals why it’s vital that your organisation regularly resets user passwords and enforces a strong password syntax.

The ‘performance’ of password cracking applications varies, with many able to attempt between 50,000 and 4 million passwords per second, so a password cracking application could take just 15 minutes to crack a five-character password that uses upper case, lower case and number characters. Compare this to the seven years it would take to crack an eight-character password using the same syntax and nearly 27,000 years to find a 10-character password.

Brute force

To further increase the strength of a password, organisations are advised to regularly reset user passwords. Some companies reset after 30, 60, or 90 days, but even quarterly resets can result in users forgetting their passwords. Users may also try to alternate between their favourite passwords, so it is important to keep a history list that tracks previous passwords and rejects their reuse.

Traditional password reset security questions rely on static answers, such as a mother’s maiden name or employee number. This method would fail a security audit because the information never changes: it cannot satisfy history list checks, and it can easily be obtained by a hacker.

So, if you’re a responsible CIO or IT supervisor who has implemented a password policy as part of your total security mandate, then you will inevitably face problems resetting passwords - especially for remote users who rarely visit the office. They are out on the move, and when it comes to resetting their password they need to be physically in the office to do so, because they must log in to their laptop before they can start their VPN connection.

This creates a catch-22 situation as they cannot reset their password until they are connected to the office. In the past, the only viable option was to allow their passwords to remain static, but again, this is not recommended and would lead to a security audit failure.

A question of identity

Two factor authentication (2FA) adds an additional layer of security to the process by requiring a separate passcode in addition to a PIN or other secret information to be entered when the user is resetting their password. With hackers becoming increasingly determined and ever more effective, it pays to add the extra level of security provided by 2FA.

Password fail

Business information providers, IDC and Meta Group, have estimated the average cost of resetting a password to be between £14 and £23 per user. If we estimate that each user is resetting their password on at least three occasions every year, then a company with 1000 users is potentially spending £60,000 per annum on password resets alone.

One way to reduce or even remove this cost is to use a key fob that each user carries with them in order to validate their reset attempt, but, as we shall see, physical key fobs or tokens have significant caveats.

Traditionally, each user would carry a token with them at all times in order to generate their new passcode. This works, insofar as it is a reliable method of creating a new passcode, but the tokens themselves are a burden for users and IT departments: they are easily lost or broken and are expensive to replace.

Physical tokens are still in use, but a question mark hangs over the practicality and cost-effectiveness of these devices. Using other techniques instead, such as sending SMS messages to users’ phones, eliminates the need for physical tokens or fobs.

Using a two factor authentication system that doesn’t rely on physical tokens and instead uses SMS to deliver passcodes can reduce password reset costs by as much as 95 per cent, and at least 80 per cent in most cases.

Your company’s IT department will no longer need to spend time resetting users’ passwords manually, and both IT and HR staff will save time on dealing with remote and mobile user resets, but most importantly, users themselves will be able to continue with their work uninterrupted.

Two factor authentication password resets have until now been conducted through a secure website portal. When a reset was required, the user needed a separate machine or a smartphone to access the website, enter the passcode received on their mobile phone and follow the steps to reset their password.

Although this might only happen every few months (depending on the organisation’s security policy), it was an obvious inconvenience that users required a separate machine (or alternative login) just to reset their password.

Password reset solutions need to be, as their name suggests, solutions and not merely additional problems. Therefore, the reset process must be efficient for users, with full integration into a user’s desktop operating system, for example by adding a password reset option at the Windows login screen.

This way, users will be able to quickly and conveniently reset their password (using their SMS passcodes) from within the operating environment, making authentication a seamless ally, rather than a cumbersome afterthought.
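As an added illustration (not code from the article or from SecurEnvoy’s product), here is a minimal Python model of the reset flow described above, PIN plus single-use SMS passcode, which also enforces the history list from the ‘Brute force’ section. The passcode lifetime, attempt limit and history depth are assumed policy values; delivery of the passcode by SMS is left to the caller.

```python
import hashlib, hmac, os, secrets, time

PASSCODE_TTL = 300    # assumed policy: SMS passcode valid for 5 minutes
MAX_ATTEMPTS = 3      # assumed policy: 3 wrong PIN/passcode pairs void the passcode
HISTORY_DEPTH = 10    # assumed policy: reject reuse of the last 10 passwords

def _hash(secret: str, salt: bytes) -> bytes:
    # slow salted hash, so stored PINs and old passwords cannot be cracked at speed
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class ResetService:  # hypothetical self-service reset state for one user
    def __init__(self, pin: str, history=()):
        self.pin_salt = os.urandom(16)
        self.pin_hash = _hash(pin, self.pin_salt)
        self.history = []  # (salt, hash) pairs of previous passwords; plaintext is never kept
        for old in history:
            self._remember(old)
        self.pending = None  # [passcode, issued_at, attempts_left] while a reset is open

    def _remember(self, password: str) -> None:
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(password, salt))])[-HISTORY_DEPTH:]

    def issue_passcode(self, now=None) -> str:
        # 6 random digits from a CSPRNG; the caller delivers the code by SMS
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending = [code, time.time() if now is None else now, MAX_ATTEMPTS]
        return code

    def reset(self, pin: str, passcode: str, new_password: str, now=None) -> str:
        now = time.time() if now is None else now
        if self.pending is None:
            return "no_pending_reset"
        code, issued, _ = self.pending
        if now - issued > PASSCODE_TTL:
            self.pending = None
            return "expired"
        pin_ok = hmac.compare_digest(_hash(pin, self.pin_salt), self.pin_hash)
        code_ok = hmac.compare_digest(code.encode(), passcode.encode())
        if not (pin_ok and code_ok):          # both are checked, so the error does not say which failed
            self.pending[2] -= 1
            if self.pending[2] == 0:
                self.pending = None           # stops an attacker iterating through the 6 digits
                return "locked"
            return "bad_credentials"
        if any(hmac.compare_digest(_hash(new_password, s), h) for s, h in self.history):
            return "reused_password"          # passcode stays valid so the user can choose another
        self.pending = None                   # consumed on success: strictly single use
        self._remember(new_password)
        return "ok"
```

In a real deployment the "locked" outcome would also raise an alert and require a help desk or administrator to re-enable self-service for that user.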

There’s no denying that the threat of cybercrime is constant, and measures that attempt to protect your data can often be awkward and inconvenient. So if your company can improve its password security while making cost savings, then there’s even more reason to look into lean authentication and tokenless two-factor solutions.