Sometimes organizations make the drastic decision to change everyone’s password at once. This action is like pressing the button to launch the nuclear missiles. It is always a last option, but it can be a good way to make sure your network is safe and to stop a possible data breach.
Here are some examples of when that may be a viable option:
Changing everyone’s password is not an easy decision to make, and it will cause users and customers to ask your organization why it happened. Be honest and let them know you made the decision with their best interests in mind. Protecting the organization’s intellectual property and its users’ and customers’ information is your top priority. This decision will cause extra work for a few weeks, because users will forget their new passwords and be locked out of their accounts, and administrators will have to unlock accounts or reset passwords.
I have had to make this decision once at a very large institution of over 2000 internal users after a disgruntled administrator left the company with knowledge of executive passwords. I found out that the executives were not adhering to our password change policy … every time they were required to change their passwords they called this particular administrator to manually set the password back to the original.
This decision killed two birds with one stone. By getting rid of the bad employee and forcing the password change, it caused the organization to become more secure. Executives could no longer get away with keeping their same passwords, and the disgruntled employee did not have a way back into the network to do harm.
Monitoring systems would have a difficult time catching administrators who manually reset passwords back to the original password. Active Directory and other directory services can remember previous passwords in the system. We had that option enabled in our organization as well. Our Active Directory system stores the previous six passwords. But the administrator would keep changing the password until he could use the original password again.
One way to detect this violation of company policy or compliance mandates is to look at how often the password on an account was reset. If an account’s password was reset more times than the number of stored previous passwords within a short period of time, then most likely this kind of password-history cycling is occurring.
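The following is an added example of that detection rule, not code from the original post or from AccelOps. It assumes a simplified log format of "timestamp event_id subject=… target=…" (constructed here; a real SIEM would parse Windows Security log events such as ID 4724, "An attempt was made to reset an account's password"), a password history length of six as in the text, and a 30-minute window as the definition of "a short period of time". An account whose password is reset more than six times inside any 30-minute window is flagged, together with the administrator accounts that performed the resets.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real system).
# 4724 = password reset by someone else; 4723 = a user changing their own
# password, which is ignored by the rule below.
SAMPLE_LOG = """\
2016-03-01T09:00:05 4724 subject=admin01 target=ceo
2016-03-01T09:00:41 4724 subject=admin01 target=ceo
2016-03-01T09:01:12 4724 subject=admin01 target=ceo
2016-03-01T09:01:50 4724 subject=admin01 target=ceo
2016-03-01T09:02:30 4724 subject=admin01 target=ceo
2016-03-01T09:03:02 4724 subject=admin01 target=ceo
2016-03-01T09:03:40 4724 subject=admin01 target=ceo
2016-03-01T10:15:00 4724 subject=helpdesk02 target=cfo
2016-03-01T10:16:30 4723 subject=cfo target=cfo
2016-03-02T08:00:00 4724 subject=admin01 target=svc_backup
2016-03-03T08:00:00 4724 subject=admin01 target=svc_backup
2016-03-04T08:00:00 4724 subject=admin01 target=svc_backup
2016-03-05T08:00:00 4724 subject=admin01 target=svc_backup
2016-03-06T08:00:00 4724 subject=admin01 target=svc_backup
2016-03-07T08:00:00 4724 subject=admin01 target=svc_backup
2016-03-08T08:00:00 4724 subject=admin01 target=svc_backup
"""

HISTORY_LENGTH = 6               # "Enforce password history" value from the text
WINDOW = timedelta(minutes=30)   # assumed meaning of "a short period of time"


def parse_log(text):
    """Parse the simplified log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "subject": fields["subject"],   # who performed the reset
            "target": fields["target"],     # whose password was reset
        })
    return events


def detect_history_cycling(events, history_length=HISTORY_LENGTH,
                           window=WINDOW, reset_event_ids=("4724",)):
    """Return one alert per account whose password was reset more than
    history_length times inside any window-long interval.

    Cycling past a remembered history of N passwords takes N+1 resets, so
    more than N resets in a short interval is the signal the text describes.
    The alert reports the densest window found for that account."""
    by_target = defaultdict(list)
    for ev in events:
        if ev["event_id"] in reset_event_ids:
            by_target[ev["target"]].append(ev)

    alerts = []
    for target, evs in sorted(by_target.items()):
        evs.sort(key=lambda e: e["time"])
        best = None
        j = 0
        # Sliding window: for each start index i, advance j to the first
        # event that falls outside the window; j - i is the reset count.
        for i in range(len(evs)):
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            count = j - i
            if count > history_length and (best is None or count > best["count"]):
                best = {
                    "target": target,
                    "count": count,
                    "first": evs[i]["time"],
                    "last": evs[j - 1]["time"],
                    "subjects": sorted({e["subject"] for e in evs[i:j]}),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_history_cycling(parse_log(SAMPLE_LOG)):
        print(f"{alert['target']}: {alert['count']} resets between "
              f"{alert['first']} and {alert['last']} by {', '.join(alert['subjects'])}")
```

In the sample, only the `ceo` account trips the rule: seven resets by `admin01` in under four minutes. The `svc_backup` account also has seven resets, but spread over a week, so it stays below the threshold for any 30-minute window; widening the window (for example to the maximum password age) would catch slower cycling at the cost of more noise, which is the tuning decision a practitioner has to make against their own policy.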
AccelOps can easily detect these types of behaviors and help your organization become and stay safe, secure and compliant. If you would like to learn more about AccelOps please contact us for a demo or a 30-day trial of our software.