Password reset best practices for helpdesk
According to research from Forrester, a significant percentage of calls to the helpdesk are relating to password problems, with each password reset costing an average of $70 to carry out. Implementing a self-service password reset solution is a great way to combat this problem, allowing users to change expired or forgotten passwords themselves without needing to involve the helpdesk.
Still, even with a self-service solution involved, this won’t eliminate helpdesk calls altogether. The IT helpdesk still plays a key role in enrolling and guiding users, and it’s vital for staff to follow password reset best practices to minimize security risks and reduce support ticket volume.
This guide outlines practical tips and security measures to enable helpdesk teams and IT administrators to handle password reset requests securely and efficiently, reducing password-related calls.
Why password reset best practices matter
Password resets are one of the most common helpdesk support requests in any organization — and also one of the most frequently targeted by attackers. When handled poorly, the password reset process becomes a major security vulnerability. Cybercriminals often exploit weak or inconsistent reset procedures to gain unauthorized access to user accounts through social engineering tactics like phishing or impersonation. Without clear protocols and strong authentication measures in place, the reset process can quickly become a gateway for data breaches, identity theft, and compliance violations.
Beyond securing the service desk, password reset best practices also play a key role in improving user experience and reducing workloads. When users have access to a reliable and intuitive self-service reset system, they’re less likely to contact IT support for routine password issues. This not only saves time and operational costs, but also means IT teams can focus on higher-priority tasks.
Overall, adhering to password reset best practices helps to:
- Reduce password-related helpdesk calls
- Protect user identities and sensitive data
- Improve user experience with self-service capabilities
- Prevent unauthorized account access
5 password reset best practices to follow
1. Educate users and direct to self-service
Password-related helpdesk calls are not only costly, but also drain IT resources that could be better spent on more pressing issues. Empowering users is the first step in minimizing dependency on the helpdesk. So once a self-service password reset solution (like Specops uReset) is in place, encourage users to use it rather than rely on IT for password assistance.
Some best practices to follow include:
- Provide a detailed onboarding guide for new users that walks them through the enrollment and password reset process
- Share FAQs and video walkthroughs
- Clearly communicate the benefits of the solution (e.g. 24/7 availability, multi-device support, maximum security and privacy)
- Periodically remind employees about the tool via internal communications
2. Implement strong user identity verification
The helpdesk is a popular target for cybercriminals, and attackers are increasingly leveraging advanced social engineering tactics to exploit this vulnerability. Traditional methods, like impersonation via phone or email, have evolved into more sophisticated techniques like AI vishing (voice phishing), where attackers use synthetic speech and deepfake audio to convincingly mimic users. These methods can easily bypass weak verification processes, especially those relying on static security questions or minimal identity checks.
To mitigate these threats, it’s vital to implement robust identity verification protocols. Specops uReset empowers helpdesk staff to securely verify a user’s identity using any of their enrolled authentication methods, including 20+ identity service providers. Additionally, one-time codes can be sent via SMS to the mobile number registered to the user’s account, ensuring that only the legitimate account holder can proceed.
For high-risk or privileged accounts, the helpdesk can enforce multi-layered authentication, combining several identity services to provide an added layer of protection. This approach significantly reduces the risk of user impersonation, even against AI-driven attacks.
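The verification policy described above, as an added illustration (this is not Specops code, and the method catalogue, account tiers and freshness window are assumptions): each completed check is credited to the factor category it proves, static security questions earn no credit at all, stale checks are discarded, and privileged accounts need two independent categories rather than two methods of the same kind.

```python
"""Helpdesk identity-verification policy check (added example, not Specops code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical method catalogue: method name -> factor category it proves.
# None means the method never counts (static questions are guessable).
METHOD_CATEGORY = {
    "enrolled_pin": "know",
    "sms_one_time_code": "have",
    "authenticator_app": "have",
    "security_question": None,
    "fingerprint": "are",
}

# Assumed policy: distinct factor categories required per account tier.
REQUIRED_CATEGORIES = {"standard": 1, "privileged": 2}
MAX_AGE = timedelta(minutes=10)  # a check older than this must be redone


@dataclass
class CompletedCheck:
    method: str
    completed_at: datetime


def verify_caller(checks, account_tier, now):
    """Return (allowed, reason).

    Only fresh checks that map to a factor category are counted, and the
    count is of *distinct* categories, so two "have" methods (SMS code plus
    authenticator app) still only satisfy one factor.
    """
    categories = set()
    for check in checks:
        category = METHOD_CATEGORY.get(check.method)
        if category is None:
            continue  # unknown method or static question: no credit
        if now - check.completed_at > MAX_AGE:
            continue  # stale: the caller must complete it again
        categories.add(category)
    needed = REQUIRED_CATEGORIES[account_tier]
    if len(categories) >= needed:
        return True, f"{len(categories)} independent factor(s) verified"
    return False, f"need {needed} independent factor(s), have {len(categories)}"
```

A helpdesk tool would call `verify_caller` with the checks the agent has actually completed on the call; the reason string is what the agent sees when the policy refuses to proceed.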
3. Issue unique temporary passwords
Once a user has been verified, the helpdesk can set a new password for the user. At this stage, it’s critical to take steps to make sure this temporary password is shared securely. Here are some best practices to follow when issuing a temporary password:
- Make sure each temporary password is completely unique
- Never use a default or easily guessable password (like username variations)
- Set temporary passwords that require users to reset them at next login
- Avoid storing or sharing passwords via email or plain text
- Encourage password policies that promote length and complexity
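The checklist above, carried through in working code as an added example (not from the article or Specops): the temporary password comes from a CSPRNG, is checked against recently issued ones so it is never reused, must not contain the username, is stored only as a salted hash, is tagged so the account must change it at next login, and expires if unused. The in-memory stores stand in for the directory and are constructed for the example.

```python
"""Issuing one-time temporary passwords (added example, not Specops code)."""
import hashlib
import secrets
import string
from datetime import datetime, timedelta

ALPHABET = string.ascii_letters + string.digits + "-_.!@#"
TEMP_PASSWORD_LENGTH = 16           # assumed policy minimum for temp passwords
TEMP_PASSWORD_TTL = timedelta(hours=24)

# Constructed in-memory stores standing in for the identity directory.
_accounts = {}               # username -> {salt, hash, must_change, expires}
_recent_temp_fingerprints = set()  # sha256 of issued temps, for uniqueness


def _hash(password, salt):
    """Salted slow hash; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _has_all_classes(pw):
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def generate_temp_password(username):
    """Random password meeting length/complexity, unique across recent
    issues, and free of username variations."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(TEMP_PASSWORD_LENGTH))
        fingerprint = hashlib.sha256(pw.encode()).hexdigest()
        if (_has_all_classes(pw) and username.lower() not in pw.lower()
                and fingerprint not in _recent_temp_fingerprints):
            _recent_temp_fingerprints.add(fingerprint)
            return pw


def issue_temp_password(username, now):
    """Helpdesk action after the caller's identity is verified. Returns the
    password for out-of-band delivery (e.g. read back on the verified call);
    it is not emailed, logged, or kept in clear text anywhere."""
    pw = generate_temp_password(username)
    salt = secrets.token_bytes(16)
    _accounts[username] = {
        "salt": salt,
        "hash": _hash(pw, salt),
        "must_change": True,
        "expires": now + TEMP_PASSWORD_TTL,
    }
    return pw


def login(username, password, now):
    """Return 'denied', 'change_required' or 'ok'."""
    rec = _accounts.get(username)
    if rec is None or now > rec["expires"]:
        return "denied"
    if not secrets.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
        return "denied"
    return "change_required" if rec["must_change"] else "ok"


def change_password(username, old_pw, new_pw, now):
    """User completes the forced change; the temporary password stops working."""
    if login(username, old_pw, now) == "denied":
        return False
    if len(new_pw) < 12 or username.lower() in new_pw.lower():
        return False  # assumed policy: length 12+, no username variations
    salt = secrets.token_bytes(16)
    _accounts[username] = {"salt": salt, "hash": _hash(new_pw, salt),
                           "must_change": False, "expires": datetime.max}
    return True
```

The `expires` field is what makes an unused temporary password harmless after a day, and `must_change` is what guarantees the helpdesk agent who issued it never knows a password the user keeps.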
4. Monitor password reset activity
Monitoring individual password reset activity is a key part of maintaining a secure and effective password management process. Reviewing detailed user-level statistics allows helpdesk staff to understand how each person is interacting with the self-service reset system. This includes how frequently users reset their passwords, whether they are completing the process successfully, and whether they are relying on the helpdesk instead of the self-service option.
An excessive amount of password resets may point to the need for additional support or education. This might involve reinforcing the benefits of the self-service tool, offering clearer guidance, and following up directly with individuals who appear to be having trouble. Over time, this level of monitoring not only helps users become more self-sufficient, but also reduces the workload on the helpdesk and improves overall system security.
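The monitoring described above, as an added example that is not part of the article: a small parser over constructed audit lines (the line format is an assumption, not Specops' log schema) that builds the per-user statistics the text mentions (reset frequency, success rate, helpdesk versus self-service) and flags the users who need follow-up.

```python
"""Per-user password reset statistics from audit log lines (added example;
the log format and thresholds are constructed assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) reset user=(?P<user>\S+) "
    r"channel=(?P<channel>selfservice|helpdesk) result=(?P<result>success|failure)$"
)

# Constructed sample audit lines (not real data).
SAMPLE_LOG = """\
2025-06-10T08:01:00 reset user=alice channel=selfservice result=success
2025-06-11T09:15:00 reset user=bob channel=helpdesk result=success
2025-06-11T09:20:00 reset user=bob channel=helpdesk result=success
2025-06-12T10:00:00 reset user=bob channel=helpdesk result=success
2025-06-13T11:30:00 reset user=carol channel=selfservice result=failure
2025-06-13T11:32:00 reset user=carol channel=selfservice result=failure
2025-06-13T11:35:00 reset user=carol channel=selfservice result=failure
2025-06-14T12:00:00 reset user=dave channel=selfservice result=success
malformed line that must be ignored
"""

RESET_THRESHOLD = 3      # resets inside the window that warrant a follow-up
FAILURE_THRESHOLD = 3    # failed self-service attempts that suggest confusion
WINDOW = timedelta(days=30)


def parse_log(text):
    """Return a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "channel": m["channel"], "result": m["result"]})
    return events


def user_stats(events, now):
    """Aggregate resets per user inside the reporting window."""
    stats = defaultdict(lambda: {"total": 0, "helpdesk": 0, "failures": 0})
    for e in events:
        if now - e["ts"] > WINDOW:
            continue
        s = stats[e["user"]]
        s["total"] += 1
        if e["channel"] == "helpdesk":
            s["helpdesk"] += 1
        if e["result"] == "failure":
            s["failures"] += 1
    return dict(stats)


def flag_users(stats):
    """Return {user: reason} for accounts that need follow-up, most
    actionable reason first."""
    flags = {}
    for user, s in stats.items():
        if s["failures"] >= FAILURE_THRESHOLD:
            flags[user] = "repeated self-service failures: offer guidance"
        elif s["total"] >= RESET_THRESHOLD and s["helpdesk"] == s["total"]:
            flags[user] = "relies on helpdesk for every reset: reinforce self-service"
        elif s["total"] >= RESET_THRESHOLD:
            flags[user] = "high reset volume: check for trouble or misuse"
    return flags
```

Run over a real export, the three reasons map directly onto the follow-ups the text suggests: clearer guidance for users who keep failing, a reminder about the tool for users who always phone the helpdesk, and a direct check-in for anyone resetting unusually often.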
5. Provide training and support for helpdesk staff
Typically, when organizations evaluate self-service password reset solutions, the primary focus is on user adoption: making sure employees enroll in the system and begin using it effectively. The helpdesk is often overlooked, even though it plays a critical role in educating users and strengthening security.
Don’t overlook the helpdesk’s role in identity verification; give staff the features they need to follow these best practices. This includes secure verification methods, access to user reset histories, and clear protocols to follow. When properly empowered, the helpdesk becomes a key asset in maintaining a secure and efficient password reset process.
Bad password reset practices to avoid
1. Emailing passwords in plain text
Far too often, when a user selects the ‘forgotten password’ option while attempting to log in, their old password will be delivered to their email inbox. There are two key issues with this:
- The password is retrievable, which means it’s either being stored in the site’s database as plaintext, or encrypted with a reversible algorithm
- The password is sent without encryption, meaning hackers could easily intercept it
What makes matters worse is that users are likely to reuse the same passwords and usernames on other websites or systems, which opens the door to many other attacks. This bad password practice poses a security threat because it leaves customers’ personal details vulnerable to leaks.
2. Emailing password reset links
Not every system makes the mistake of sending forgotten passwords via email. However, many will send a password reset link via email. This means that anyone who gains access to these emails can easily reset the password, granting them access to the account.
Once an email is obtained from one source, hackers can easily reuse it to request password resets on other accounts that contain highly sensitive personal information such as financial details.
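Both bad practices above (emailing the old password, and emailing a bare reset link) are addressed in this added example, which is not code from the article or from Specops. Passwords are stored only as salted one-way hashes, so the "send me my old password" feature cannot exist; reset links carry a random token that is stored hashed, expires after a short TTL, works exactly once, and, following the article's MFA recommendation, is only honoured once a second factor has been checked (the `mfa_passed` flag is an assumption standing in for that check). The in-memory stores are constructed for the example.

```python
"""Reset flow that never emails a password and makes reset links short-lived,
single-use and hashed at rest (added example, not the article's code)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(minutes=15)   # assumed lifetime of a reset link
_users = {}    # username -> {"salt", "pw_hash", "email"}  (constructed store)
_tokens = {}   # sha256(token) -> {"user", "expires", "used"}


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _token_key(token):
    # Only the hash is kept server-side, so a leaked table yields no live links.
    return hashlib.sha256(token.encode()).hexdigest()


def register(username, email, password):
    salt = secrets.token_bytes(16)
    _users[username] = {"salt": salt, "pw_hash": _pw_hash(password, salt),
                        "email": email}


def recover_password(username):
    """The first bad practice cannot be implemented on this store: the
    password exists only as a one-way hash."""
    raise LookupError("password not recoverable: stored as one-way hash only")


def request_reset(username, now):
    """Create the token that goes into the emailed link. Returns None for an
    unknown user; the web layer should show the same message either way so
    the response does not reveal which usernames exist."""
    if username not in _users:
        return None
    token = secrets.token_urlsafe(32)
    _tokens[_token_key(token)] = {"user": username, "expires": now + TOKEN_TTL,
                                  "used": False}
    return token


def complete_reset(token, mfa_passed, new_password, now):
    """Honour a token once, within its TTL, and only after a second factor
    has been verified out of band. Returns True on success."""
    if not mfa_passed:
        return False  # possession of the mailbox alone is not enough
    rec = _tokens.get(_token_key(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True  # burn the token before touching the account
    user = _users[rec["user"]]
    salt = secrets.token_bytes(16)
    user["salt"], user["pw_hash"] = salt, _pw_hash(new_password, salt)
    return True


def check_login(username, password):
    u = _users.get(username)
    if u is None:
        return False
    return hmac.compare_digest(_pw_hash(password, u["salt"]), u["pw_hash"])
```

Marking the token used before the password is written is deliberate: if two requests race on the same link, at most one can succeed, and an attacker who reads the mailbox later finds a link that has either expired or already been spent.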
3. Authenticate using secret questions that are not secrets
Secret questions, or challenge questions, are one of the most common authentication methods. Users can unlock their accounts by answering simple questions such as “What was the first car you owned?”, “What is your mother’s maiden name?” or “What was the name of your first pet?”
The problem with secret questions is that they aren’t really secrets. Secret questions often relate to life experiences that are easily memorable, making them highly susceptible to social engineering. It’s not hard to have a conversation with a person about aspects of their life that could constitute the secret questions without raising any suspicion at all.
Rather than relying on ‘secret’ questions, organizations should implement strong multi-factor authentication (MFA) that verifies user identity through multiple, independent factors. The CJIS Security Policy recommends that MFA should include two of the following three factors:
- Something you know: Passwords, security codes, or personal identification numbers.
- Something you have: Physical authenticators such as USBs, access cards, or mobile devices.
- Something you are: Biometric identifiers such as facial recognition, iris scans, or fingerprints.
Specops uReset offers flexible multi-factor authentication with over 20 identity services, ranging from popular SaaS identities to higher trust phone-as-a-token options. You can decide how many and which identity services are needed for authentication before performing a password reset.
Reduce helpdesk burden with Specops uReset
Specops uReset lets your end users easily and securely reset their own passwords, reducing the time and cost burden on service desks and IT teams by taking away the headache of managing endless password recoveries.
Interested to learn more about how Specops uReset could help streamline your service desk and protect end users’ accounts? Contact us today for a demo or free trial.
(Last updated on June 17, 2025)