The average person is locked out of ten online accounts per month due to a forgotten password. Password resets provide a solution; however, 57% of people claim that they will forget the new password immediately after the reset.


What is a Self-service Password Reset?

Password resets or “forgot your password” tools are common features for online accounts.  These services are designed to allow users to reset a forgotten password.
A standard password reset flow includes the following steps:

  1. User clicks a “Forgot Your Password” link on the login page
  2. User provides the email address of the associated account
  3. Password reset email is sent to the user with a password reset link
  4. Clicking the link takes the user to a page where they can set a new password
  5. User finally gains access to their account

Self-service password reset (SSPR) is defined as any automated process or technology that allows users to reset their own password. Self-service password resets are intended to reduce the burden on IT and customer support staff.  If a user can reset their own password without help, this dramatically reduces the number of trouble tickets and customer support calls that IT staff need to handle.  However, this doesn’t mean that the process is fast, easy, or painless for the user.

Password-Based Authentication Makes Password Resets Necessary

Passwords are the most common authentication mechanism in use today. Almost every online site and application requires users to enter a password to gain access to their account.

Password-based authentication is an example of a knowledge-based authentication mechanism. The assumption is that only a legitimate user knows the secret password or passphrase, so proving knowledge of the secret authenticates the user.

One of the biggest problems with password-based authentication is that people can forget their passwords. The average person has 100 online accounts requiring a password. If they’re following password security best practices, each of these accounts should have a unique, random password. If a user isn’t relying on a password manager, this means that the user is likely reusing weak passwords or at serious risk of forgetting one.

In either case, the potential exists for a legitimate user to forget their password for an online account. Companies need to account for this, so password-based authentication makes password resets (self-service or otherwise) necessary.

What are the Problems with Password Resets?

Password resets enable users to regain access to their accounts if they have forgotten their password. While this is a good thing, password resets also have their downsides, including:

  • Compromised Email Accounts: Password reset emails make email a single point of failure for a user’s cybersecurity. If an attacker has access to a user’s email account, they can have password reset emails generated for all of the user’s other accounts, changing their passwords to one known to the attacker. This means that a compromised email account compromises the security of all other online accounts.
  • Weak New Passwords: Often, when resetting a password, a user is just trying to get into their account. This fact, combined with the password fatigue created by the number of accounts owned by the average user, often causes them to choose a weak password to ensure that they will be able to remember it next time. As a result, their account becomes less secure.
  • Multi-User Email Accounts: Password reset emails assume that an email account is owned and used by a single person. However, families and teams may have shared email accounts. This means that a child or a team member may gain unauthorized access to an online account by sending a password reset email to a shared account.
  • Phishing Attacks: Password reset emails are intended to bypass the normal authentication process, ideally to fix an issue (a forgotten password). Cybercriminals can use password reset emails in phishing attacks. For example, a phishing email may pretend to be a password reset email to trick a user into providing their real password, or a phisher may trigger a password reset and ask for the associated code or link as part of a phishing attack.
  • User Experience: Regaining access to an online account via password resets can be a time-consuming and frustrating process. Users have to trigger the email, wait for it to arrive, and click through prompts and make up a new password. While this may be essential to regaining access to a password-protected online system, it isn’t a pleasant experience.
  • Cost: According to Gartner, an estimated 20-50% of IT help desk calls are from users requesting a password reset. Forrester estimates that each of these requests costs a company an average of $70, which adds up quickly.

Password resets are an imperfect solution to a common problem.  However, as long as an application uses password-based authentication, they are a necessary feature.


How To Eliminate Password Resets

The problem with password-based authentication is that it is a knowledge-based or “something you know” authentication factor. Anything that you know, you can forget, and forgetting a password makes password resets necessary.
However, knowledge-based factors are not the only option for user authentication. Authentication systems can use two other types of factors:

  • Something You Have (Possession): Possession-based authentication uses a physical object to prove identity, like a key provides access to a house. Common examples of possession-based factors are smartcards, smartphone authentication apps, and physical tokens like Yubikeys.
  • Something You Are (Inherence): Inherence-based factors use unique physical attributes for authentication. Common examples are fingerprint scanners and facial recognition.

Passwordless authentication uses one of these other features to authenticate users.  For example, Android and Apple have made it possible for users to sign into their smartphone using a fingerprint scanner rather than a PIN, password, or pattern.

Passwordless authentication enables an application to eliminate the need for password resets.  With authentication based on a fingerprint or possession of a device, there is no risk that a user will forget a password and need to regain access via a password reset email.

A self-service password reset enables a user to reset their password without help from IT staff. Often, this involves sending a password reset link to the user’s account.

If you receive a password reset email that you didn’t request, it may indicate an attempt by someone else to gain access to your account. Anyone can initiate a password reset, but only someone with access to the email account where the reset email is sent can actually change the password.

The length of time that a password reset lasts depends on the service. Most password resets are good for less than half an hour to limit the potential for abuse.

Password resets should be designed to provide users with a secure but user-friendly means of resetting their passwords. However, a better approach is to use passwordless authentication that makes password resets unnecessary.

Passwords should be long, unique, and randomly generated. For password-based authentication systems, a password manager is a good way to generate and store secure passwords.

Password reset poisoning attacks intercept password reset requests and modify them so that the links contained within a legitimate password reset email point to an attacker-controlled site. This allows an attacker to steal the unique password reset token and use it to change the user’s password.
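The reset flow described at the top of the article (mint a token, email a link, redeem it to set a new password), the short token lifetime mentioned above, and the reset poisoning mitigation are shown together in this added Python example; it is illustrative code, not Transmit Security’s implementation, and the in-memory token store and the `PUBLIC_ORIGIN` value are assumptions standing in for a real database and real configuration.

```python
import hashlib
import secrets
import time

# Constructed in-memory store standing in for a database table (assumption:
# a real application persists this server-side).
RESET_TOKENS = {}  # sha256(token) -> {"user": str, "expires": float}

# Assumption: the site's public origin comes from configuration. Building the
# link from the request's Host header is what reset poisoning abuses, so the
# incoming request is never consulted here.
PUBLIC_ORIGIN = "https://accounts.example.com"
TOKEN_TTL_SECONDS = 30 * 60  # tokens are good for under half an hour


def issue_reset_link(email, now=None):
    """Flow steps 2-3: mint a single-use token and build the emailed link.

    Only the hash of the token is stored, so a leaked database does not
    hand out usable reset links; the raw token exists only in the email.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"user": email, "expires": now + TOKEN_TTL_SECONDS}
    return f"{PUBLIC_ORIGIN}/reset?token={token}"


def consume_reset_token(token, now=None):
    """Flow step 4: validate the token carried by the clicked link.

    Returns the account email on success, or None if the token is unknown,
    expired, or already redeemed. The record is removed on every lookup, so
    a token can only ever be used once, even if it was intercepted.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.pop(digest, None)
    if record is None or now > record["expires"]:
        return None
    return record["user"]
```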
