A 2019 study showed that more than 75% of people needed to reset some of their personal online passwords within 90 days.
For work passwords, the number was 57%.
The number of passwords handled by each individual has grown since then, and it can be safely assumed that a large number of people depend on the password recovery methods available to them to access their accounts.
Every service provider aims to create frictionless password reset methods. It is considered a vital part of the user experience design. Password reset methods that are too complex or take too much time and effort can discourage users from using a certain service.
Hence, a lot of online services rely on a one-step password recovery process – sending a password reset email to a user-provided email ID. But the simplest solution is not necessarily the best in this case.
In this post, we’ll take a look at 5 popular methods of password recovery and resetting, exploring the quality of security afforded by each method. We will also shed light on the ensuing risk of password recovery.
What is Password Recovery?
Password recovery is the process that allows a user to create a new password to access their account when they forget or lose their original password.
The password recovery method doesn’t need to be used only when a user forgets their password; the feature can also be used to periodically reset passwords.
2 Types of Password Recovery
Password recovery methods can be divided into two broad categories:
- Self-service password recovery
Self-service password recovery allows users to reset their passwords by themselves using methods such as SMS verification, resetting via email, or answering security questions.
This form of recovery is usually offered by social-media services, accessibility tools, entertainment services, and even some financial services.
- Administrative password recovery
This form of recovery involves IT support and requires permission from account admins. The user can’t change or reset the passwords on their own.
Administrative password recovery is common in workplaces. For instance, if an employee loses access to the company’s password vault, their account password would have to be reset by an admin.
5 Common password reset methods
- Resetting the password via email
A lot of services choose to send a reset password link to the user’s email address.
In these cases, when the user clicks on the forgot password button, they are asked to enter the email address, where they want to receive the reset password link. Once they click the reset link, they are asked to create and confirm a new password.
- Answering security questions
Some services ask the user to set a few security questions that would be used to verify their identity in case they lose their password.
Answering these security questions works as another method of password recovery. A security question can be like, “What was the name of your first pet?” or “What was the name of your first school?”
- SMS verification
For this password recovery method, after clicking the forgot password button, the user receives a verification code via SMS to their registered phone number.
They can use this code to access the password reset window. Voice calls can also be used for this type of code-based verification.
- Multi-factor authentication
In case an online account has MFA enabled, the service provider may allow an individual to use an authenticator app, a hardware token, or recovery codes to regain access to their account and reset the password.
- Account recovery through IT support
In some cases, users are not granted the authority to reset their passwords. They have to reset it via security or IT administrators.
Risks associated with password resetting
The growing number of credentials each individual is forced to handle on personal and professional fronts has increased the importance of password recovery. While the typical password reset methods are user-friendly, they are not equally secure. Each method of self-service password recovery comes with its own security risks.
Email accounts can be hacked.
If an individual’s email account is hacked, the hacker can virtually get into any account belonging to the individual that has an email-based password recovery process.
Phone numbers can be hijacked.
If a user’s phone number is hijacked, the attacker can easily reset their passwords using SMS verification.
Error messages are dangerous.
Some password recovery systems prompt the individual attempting recovery to share their registered email address. If it happens to be a wrong or unregistered address, the system shows an error message. Such error messages make it easy for bad actors to determine whether an individual has an account with a service provider.
Password returns in plain text.
Nothing is more alarming than a password recovery system that sends the original password back to a user via email when they try resetting it. It means that the server is storing as well as transmitting the password in plaintext, i.e. stored without hashing and sent without encryption.
A little discipline from the user’s end goes a long way in password security. Certain good practices can help you maintain better password health.
Remember: Choose your new password carefully and set strong password policies, as poor password habits can affect businesses and invite cyber threats that could cause huge losses.
The do’s and don’ts of password recovery and resetting
| Do | Don't |
|---|---|
| Reset passwords periodically, especially for accounts you use to transmit sensitive information. | Use the same password twice or for more than one account. |
| Create passwords that are at least 12 characters long and include numeric, alphabetic, and special characters. | Use your pet’s name, date of birth, or any information publicly available in the password. |
| Check password reset windows for signs of phishing. | Share passwords via any online medium. |
| Use a password manager to store and reset passwords. | Write passwords down in plaintext anywhere. |
Additionally, for a more in-depth understanding of password security, don’t miss our guide on Advanced Password Management Techniques.
Benefits of using a Password Manager
A well-rounded password manager like Uniqkey eliminates the need for creating, remembering, or manually storing complex passwords.
- The password manager can generate strong passwords.
- Store them with zero-knowledge technology behind military-grade AES-256 encryption.
- Fill out sign-in forms automatically and even auto-fill 2FA information.
- Provide role-based access to employees.
- Smoothly and securely manage onboarding and offboarding processes.
- Protect all passwords with one master password.
Since the password manager assumes the responsibility of storing and filling in password information whenever users attempt to log into an account, it takes the password recovery process out of the equation and the risks accompanying it.
What Happens if a User Loses the Master Password?
The master password works as the decryption key for the password vault. And since it is saved using zero-knowledge technology, the password manager or its customer support team cannot access the user-generated master password.
Some password managers do offer ways to recover the vault without the master password, but these have to be set up beforehand.
Access through an emergency contact
If a user sets up an emergency contact while setting up the master password, it can be used to regain access to the account if they lose the master password. This is how it works:
- The user provides emergency contacts and sets up a time-out period at the time of installing the password manager.
- The user opts for the emergency access feature.
- The password manager sends an email with the installation/access link to the emergency contact.
- When the emergency contact tries to access the data, a confirmation request is sent to the original user.
- The user has to grant or deny access within the preset timeout period.
- Once access is granted, the emergency contact can access the data.
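The six steps above are easier to reason about as a small state machine. The following is an added example, not code from the original post or from any password manager it names: it models one vault's emergency-contact flow, with a random secret carried by the emailed link, a confirmation sent to the owner when the contact uses that link, a time-out inside which the owner must grant or deny, and vault data that becomes readable only after a grant. The page does not say what a product does when the owner never answers; this model simply marks the request as expired and keeps the vault closed, which is an assumption. The vault contents, names and time-out values are constructed.

```python
import secrets
from enum import Enum
from typing import Optional

NOTIFICATIONS = []   # stand-in for the email/push channel to the vault owner


def notify(recipient: str, message: str) -> None:
    NOTIFICATIONS.append((recipient, message))


class Status(Enum):
    NONE = "no request"      # link sent, contact has not used it yet
    PENDING = "pending"      # contact asked for access; owner has not answered
    GRANTED = "granted"
    DENIED = "denied"
    EXPIRED = "expired"      # owner answered neither way inside the time-out (assumed outcome)


class EmergencyAccess:
    """Emergency-contact flow for one vault (a model, not a real product's code)."""

    def __init__(self, owner: str, contact: str, timeout_seconds: int, vault: dict):
        self.owner = owner
        self.contact = contact
        self.timeout_seconds = timeout_seconds         # step 1: preset time-out period
        self._vault = vault                            # stand-in for the encrypted vault
        self.link_token = secrets.token_urlsafe(32)    # step 3: secret inside the emailed link
        self.status = Status.NONE
        self.requested_at: Optional[float] = None

    def _check_link(self, presented_token: str) -> None:
        # Constant-time comparison so the link secret cannot be guessed byte by byte.
        if not secrets.compare_digest(presented_token, self.link_token):
            raise PermissionError("invalid emergency-access link")

    def request_access(self, presented_token: str, now: float) -> Status:
        """Step 4: the contact follows the link; a confirmation request goes to the owner."""
        self._check_link(presented_token)
        if self.status is Status.NONE:
            self.status = Status.PENDING
            self.requested_at = now
            notify(self.owner, f"{self.contact} requested emergency access to your vault")
        return self.current_status(now)

    def current_status(self, now: float) -> Status:
        """A pending request that outlives the time-out is closed (assumption: no access)."""
        if self.status is Status.PENDING and now - self.requested_at > self.timeout_seconds:
            self.status = Status.EXPIRED
        return self.status

    def owner_decides(self, grant: bool, now: float) -> Status:
        """Step 5: the owner grants or denies; only a pending, unexpired request can be decided."""
        if self.current_status(now) is not Status.PENDING:
            return self.status
        self.status = Status.GRANTED if grant else Status.DENIED
        return self.status

    def read_vault(self, presented_token: str, now: float) -> Optional[dict]:
        """Step 6: the contact can read the data only once access has been granted."""
        self._check_link(presented_token)
        if self.current_status(now) is Status.GRANTED:
            return dict(self._vault)
        return None


if __name__ == "__main__":
    ea = EmergencyAccess("alice", "bob", timeout_seconds=7 * 24 * 3600, vault={"bank": "example"})
    t0 = 1_700_000_000.0
    print(ea.request_access(ea.link_token, t0))         # Status.PENDING
    print(ea.read_vault(ea.link_token, t0 + 10))        # None: not granted yet
    print(ea.owner_decides(True, t0 + 3600))            # Status.GRANTED
    print(ea.read_vault(ea.link_token, t0 + 7200))      # {'bank': 'example'}
```

Note that the time-out is only meaningful if the request timestamp comes from the service, not from the contact's device; the `now` parameter is passed explicitly here just to make the model testable.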
In the case of an enterprise account, there is usually an account administrator with the power to control, grant, and revoke access to the password vault for other users. Each user has a unique master password to exercise role-based access to the passwords.
If a user loses their master password, the administrator can delete the account and create a new one for the said user.
Password recovery is an essential process, but it is equally risky.
It involves the risk of exposure through phishing, interception, and hijacking. The best way forward is to use a password manager that stores all passwords and completely removes the forgot password button from the equation.
While we’ve discussed various password recovery methods, ensuring we have a robust defence against potential breaches is equally crucial. To ensure your business is fully protected, you may want to check out our comprehensive Password Checklist.