Password Management

Overview

Password management in an enterprise context encompasses self-service password reset (SSPR), password synchronization across systems, password policy enforcement, and increasingly, the transition toward passwordless authentication. Despite years of predictions about the death of passwords, they remain the dominant authentication factor in most organizations.

The business case for password management is straightforward: password resets are one of the highest-volume help desk tickets, and locked-out users can't work. Self-service capabilities reduce costs and improve productivity. But there's a security dimension too—password reset is a high-risk operation that attackers exploit through social engineering, so the verification process matters as much as the convenience.

The strategic direction is clear: reduce password reliance through MFA and passwordless. But in the meantime, passwords need to be managed securely and efficiently.

Key Decisions

Decision	Options	Recommendation	Notes / Gotchas
What is the SSPR verification method?	Security questions, email OTP, SMS OTP, authenticator app, manager approval	Authenticator app or FIDO2 for primary; avoid security questions (too weak)	SMS has SIM-swap risk; security questions are guessable.
What is the password policy?	Length-only, complexity, breach-check, passphrase	Minimum 12 chars + breach database check; avoid forced complexity and rotation	NIST 800-63B recommends length over complexity; forced rotation causes weak patterns.
Should passwords synchronize across systems?	Yes (single password everywhere), no (unique per system), selective	Selective sync (directory password syncs; application-specific stays separate)	Full sync amplifies breach impact; no sync creates user friction.
How do you handle initial passwords?	Temporary password, self-enrollment link, pre-set by admin	Self-enrollment link (user sets their own; no shared secret)	Temporary passwords get reused, shared, or never changed.
What about privileged account passwords?	Same process, separate process, PAM vaulting	PAM vaulting for privileged; standard SSPR for user accounts	Privileged accounts need checkout/check-in, rotation, and session recording.
What is the passwordless strategy?	None, pilot for IT, broad rollout, full replacement	Pilot with IT/tech-savvy groups, expand based on device/infrastructure readiness	Passwordless needs device enrollment, fallback processes, and user education.

Architecture & Reference Patterns

Pattern 1: Self-service password reset (SSPR) with MFA verification

User initiates reset from login page or portal.
User verifies identity via enrolled second factor (authenticator app, FIDO2 key, push notification).
User sets new password (policy validated in real-time).
Password is synchronized to connected systems.
User can immediately log in.

Critical: SSPR verification must be at least as strong as login authentication. Weak SSPR is a bypass.

Pattern 2: Password synchronization architecture

Source of truth: Primary directory (AD/Entra ID) holds the canonical password hash.
Sync agents: Push password changes to connected applications (on-prem, SaaS).
Direction: Usually unidirectional (directory → apps); bidirectional is rare and complex.
Scope: Sync only where single password improves UX without unacceptable risk.

Pattern 3: Breach detection and blocking

Integrate with compromised credential databases:

At password set/change, check against known breached passwords (Have I Been Pwned API, vendor services).
Block passwords found in breach databases.
Optionally, periodically check existing password hashes against new breach data.
Alert users whose credentials appear in breaches.

Pattern 4: Passwordless authentication

Replace passwords with stronger, phishing-resistant factors:

FIDO2/WebAuthn: Hardware security keys or platform authenticators (Windows Hello, Touch ID).
Certificate-based: Smart cards or derived credentials.
Push-to-approve: Mobile app approval (less phishing-resistant but convenient).

Passwordless requires enrollment, device management, fallback procedures, and application compatibility.

Pattern 5: Emergency and help desk reset

When SSPR fails (user lost all factors):

User contacts help desk.
Help desk verifies identity through out-of-band channel (manager confirmation, video call, in-person).
Help desk triggers temporary access or factor re-enrollment.
Audit trail captures the exception.

This process is high-risk for social engineering—verification must be rigorous.

Implementation / Rollout

Phase 0: Discovery

Inputs: Current password policies, SSPR capabilities (if any), help desk ticket volume for password resets, breach history, MFA adoption rate, passwordless readiness.

Outputs: Password reset volume and cost analysis, current verification methods assessment, password policy gap analysis, MFA/passwordless roadmap dependencies.

Phase 1: Design

Outputs:

Updated password policy (length, complexity, rotation, breach check).
SSPR workflow with MFA verification requirements.
Password synchronization architecture and scope.
Help desk verification procedures.
Passwordless pilot plan.

Phase 2: Build & Integrate

Outputs:

SSPR portal deployment with MFA integration.
Password policy enforcement at change/reset points.
Breach database integration.
Sync agents for target applications.
Monitoring and alerting for sync failures.

Phase 3: Rollout

Recommended sequence: Deploy SSPR with MFA verification; communicate and train users; monitor adoption; reduce help desk password resets; pilot passwordless with IT.

Guardrails: Help desk fallback process ready before disabling old methods; monitor for social engineering attempts; track SSPR success rates.

Phase 4: Operate

Monitor SSPR usage and success rates.
Track help desk password reset tickets (should decline).
Review locked-out accounts and failed sync attempts.
Expand passwordless based on pilot results.
Periodic password policy review against current guidance.

Risks & Failure Modes

Risk	Likelihood	Impact	Early Signals	Mitigation
SSPR becomes attack vector (social engineering, weak verification)	M	H	Unauthorized resets, account takeover incidents	Strong verification (MFA), audit logging, anomaly detection
Password sync failures leave accounts locked out	M	M	User complaints, sync error logs, inconsistent access	Monitoring, retry logic, sync health dashboards
Breach exposure (passwords found in breach databases)	M	H	Breach database matches, credential stuffing attacks	Proactive breach checking, forced reset on match, monitoring
User friction from complex policies	M	L	Complaints, workarounds (writing passwords down), weak patterns	Balance security with usability; follow NIST guidance (length over complexity)
Help desk social engineering	M	H	Unauthorized resets, account takeover	Rigorous verification procedures, callback verification, manager confirmation

Workshop Questions

Security / IAM

What is the current password policy, and does it align with NIST 800-63B guidance?
What verification methods are acceptable for SSPR (MFA factors, out-of-band)?
What is the strategy for passwordless adoption, and what are the prerequisites?

Operations / Helpdesk

What is the current volume and cost of password reset tickets?
What verification procedures does help desk use for identity confirmation?
What fallback exists when SSPR fails (user lost all factors)?

Users / HR

What user education is needed for SSPR enrollment and usage?
What accommodations are needed for users without smartphones or unable to use certain factors?
How are initial passwords communicated to new hires?

Compliance / Legal

What password policies are required by regulations (PCI-DSS, HIPAA, etc.)?
What logging and evidence is required for password changes and resets?
Are there data residency concerns with cloud-based SSPR or breach checking?

Requirements Gathering Checklist

[Security / IAM] What is the password policy (length, complexity, rotation, breach check)?
[Security / IAM] What verification methods are required for SSPR?
[Security / IAM] What is the passwordless strategy and timeline?
[Security / IAM] What privileged accounts need separate password management (PAM)?
[Operations] What is the current help desk ticket volume for password resets?
[Operations] What help desk verification procedures are required for escalated resets?
[Operations] What monitoring is needed for password sync health?
[Users] What SSPR enrollment and user education is required?
[Users] What accommodations exist for users without smartphones?
[Compliance] What password policies are required by regulation (PCI, HIPAA)?
[Compliance] What logging is required for password changes and resets?

References

NIST SP 800-63B (Digital Identity Guidelines—Authentication and Lifecycle Management)
CIS Controls v8, Control 5 (Account Management—password policies)
PCI-DSS v4.0 Requirement 8 (Identify users and authenticate access)
FIDO Alliance / W3C WebAuthn specification (Passwordless authentication)
Have I Been Pwned API (Breach database checking)
Microsoft Security Guidance on Password Policy
OWASP Authentication Cheat Sheet