Administrative Password Management against Insider Threats
Insider threat! Who? Where? When? How? 'It was unintentional,' a user might say once his account has been compromised. The biggest insider threat is the users themselves and their attitude. For the sake of easy recall, end users take shortcuts such as reusing the same security answer for several questions. Setting up security answers is an important phase of password self-service: the answers are an alternate identification criterion that lets end users reset their own passwords. One user's laxity can make the whole security cordon fall like a row of dominoes. A hacker who manages to guess a username will try brute-forcing the security answer, i.e., trying out every possible combination. Well, do not worry! The grave insider threat of 'unsophisticated security answers' is passé. It will NEVER happen in ADSelfService Plus, the self-service password reset tool that secures Active Directory user passwords with numerous security measures.
Feel free to visit our R&D centre, where you can witness the evolution of ADSelfService Plus, a brainchild of ManageEngine, progressing at a revolutionary pace. Numerically, our technical powerhouse has over a decade of 'Enterprise Password Management' experience, but technically it is far ahead of that in potential, constantly setting industry trends and gaining insight into domain users through customer feedback. Every new build undergoes stringent 'trial and error' testing before it is announced.
Allow us to show you how to stop insider threats arising from user oversight, so that you ensure 'Quality Administrative Password Management' by making users configure stronger passwords and security answers.
Strengthening Security Answers
Prevent a user from providing the same answer to multiple questions
Why do users replicate their SECURITY answers, knowing that an uncomplicated security Q&A under a hacker's scrutiny would weaken otherwise robust defences? One of the many unanswered questions! Check this option under Advanced Settings -> Q&A Settings to quadruple the permutations an unauthorized person or bot has to work through when trying to gain access to the password self-service portal for a web-based password change or reset.
Prevent a user from using any word of a question in his answers
During enrollment, when users set up their 'password self-service' security Q&A, 'forgetting the password' may seem a far-off prospect. So some treat enrollment frivolously and thereby pave the way for unauthorized user verification. But fear not! By checking this option under Advanced Settings, you prevent users from bypassing the security Q&A with answers that simply repeat a word of the question, the easiest passphrases of all to remember and to guess.
Security questions One by One
Displaying all the security questions at once during self-service password reset or account unlock leaves the account open to a targeted attack, because the attacker sees every question before answering any. Depending on your security needs, choose whether to display the questions all at once or one by one, and so counter the risk of hackers working out a user's security questions.
Administer Users challenge-response actions
What if users end up choosing unsophisticated passphrases that could be easily guessed? Well, do not worry! It will NEVER happen in ADSelfService Plus, because it can preclude users from constructing unsophisticated answers in the first place.
Besides these settings, you can also educate users on how to build difficult-to-guess security answers. Offer suggestions such as the one given below:
Constructing a sophisticated and hard-to-guess security answer:
<A favorite catchphrase> <connector made out of special characters> <answer to security question>
For example, following this format, the answer to "What is your favorite holiday spot?" would be:
Beam me up Scotty&*Hawaii
(Here "Beam me up Scotty" is the user's favorite catchphrase, "&*" is the connector, and "Hawaii" is the answer to the question. The favorite catchphrase and connector stay the same for all security answers; only the answer differs. This defeats password guessing, brute-forcing, and dictionary attacks as well.)
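To make the two policy options above (no answer repeated across questions, no word of a question inside its answer) and the catchphrase-connector recipe concrete, here is an added example validator. It is illustrative code written for this article, not ADSelfService Plus code, and it does not reproduce how the product itself evaluates these settings. The question sets, answers and function names (`validate_answers`, `build_answer`) are constructed for the example. The duplicate check compares answers case-insensitively with whitespace collapsed, and the question-word check treats every word of the question as forbidden, which is the literal reading of the option described above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple

# Lower-case alphanumeric tokens; punctuation such as the "&*" connector is dropped.
WORD_RE = re.compile(r"[a-z0-9]+")


def words(text: str) -> Set[str]:
    """Return the set of lower-case words in a question or answer."""
    return set(WORD_RE.findall(text.lower()))


def normalize(answer: str) -> str:
    """Canonical form used to detect the same answer given to two questions."""
    return " ".join(answer.lower().split())


@dataclass(frozen=True)
class Violation:
    question: str   # the question whose answer broke a rule
    rule: str       # "duplicate-answer" or "question-word-in-answer"
    detail: str     # what exactly matched


def validate_answers(
    qa_pairs: Sequence[Tuple[str, str]],
    forbid_duplicate_answers: bool = True,
    forbid_question_words: bool = True,
) -> List[Violation]:
    """Check an enrollment profile against the two answer policies.

    Each (question, answer) pair is checked in order; a pair can produce at
    most one violation per rule, and the first occurrence of an answer is
    never reported as a duplicate, only the later repeats.
    """
    violations: List[Violation] = []
    first_seen: Dict[str, str] = {}  # normalized answer -> question it first answered

    for question, answer in qa_pairs:
        if forbid_duplicate_answers:
            key = normalize(answer)
            if key in first_seen:
                violations.append(Violation(
                    question, "duplicate-answer",
                    f"same answer already given for: {first_seen[key]}"))
            else:
                first_seen[key] = question

        if forbid_question_words:
            overlap = words(question) & words(answer)
            if overlap:
                violations.append(Violation(
                    question, "question-word-in-answer",
                    ", ".join(sorted(overlap))))

    return violations


def build_answer(catchphrase: str, connector: str, answer: str) -> str:
    """Compose an answer in the <catchphrase><connector><answer> format from the article."""
    return f"{catchphrase}{connector}{answer}"


# Constructed sample data for the example (not from the article or the product).
QUESTIONS = [
    "What is your favorite holiday spot?",
    "What was the name of your first pet?",
    "In what city were you born?",
]

# A weak profile: the second answer repeats the first (differing only in case and
# whitespace) and the third answer echoes words of its own question.
WEAK_PROFILE = list(zip(QUESTIONS, ["Hawaii", " hawaii ", "I was born in Paris"]))

# A strong profile built with a fixed catchphrase and connector, varying only the answer.
STRONG_PROFILE = [
    (q, build_answer("Beam me up Scotty", "&*", a))
    for q, a in zip(QUESTIONS, ["Hawaii", "Rex", "Paris"])
]


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("strong", STRONG_PROFILE)):
        found = validate_answers(profile)
        print(f"{name} profile: {len(found)} violation(s)")
        for v in found:
            print(f"  [{v.rule}] {v.question} -> {v.detail}")
```

Run as a script, the weak profile reports one duplicate-answer violation on the second question and one question-word-in-answer violation on the third (the words "born" and "in"), while the strong profile passes both checks; the word overlap check is what makes the catchphrase recipe safe only as long as the chosen catchphrase does not itself contain a word from one of the questions.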
Rounding off the points above with more tips, so that your users create an uncompromising security Q&A profile for a simple and secure AD self-service password reset:
Together, these measures force users to configure strong, complex passwords and security answers, preventing unauthenticated access to ADSelfService Plus.