Password Reset
A procedure for securely resetting user passwords when they are forgotten, expired, or compromised, ensuring identity verification and account security.
Purpose
To provide a secure and efficient process for resetting user passwords that verifies the identity of the requester and maintains the security of user accounts and organisational data.
Scope
Covers all password reset requests for organisational systems including network accounts, email, business applications, and any other protected systems.
Prerequisites
- Identity verification procedures for password reset requests
- Access to identity management and account administration tools
- Defined password complexity and expiration policies
Step-by-Step Procedure
Receive Password Reset Request
Accept the password reset request from the user through an approved channel such as the service desk, self-service portal, or in-person visit.
- 1.1Receive the request via phone, email, self-service portal, or in person
- 1.2Record the request in the service desk system
- 1.3Note the system or application for which the reset is needed
Verify User Identity
Confirm the identity of the person requesting the password reset using the approved verification method to prevent unauthorised access.
- 2.1Ask the user the defined security verification questions
- 2.2Verify the user identity against their HR record or employee ID
- 2.3For high-security systems, require additional verification such as manager confirmation
- Never reset a password without completing identity verification, even for known colleagues
Reset the Password
Generate a temporary password and reset the account credentials in the identity management system.
- 3.1Generate a temporary password that meets the password complexity policy
- 3.2Reset the account password in the identity management system
- 3.3Set the account to require a password change at next login
Deliver Temporary Password Securely
Provide the temporary password to the user through a secure delivery method.
- 4.1Communicate the temporary password verbally, by secure message, or in person
- 4.2Instruct the user to change the password immediately upon login
- 4.3Remind the user of password complexity requirements
- Never send temporary passwords via unencrypted email or text message
Verify Login and Close Request
Confirm that the user has successfully logged in with the new credentials and close the service desk ticket.
- 5.1Ask the user to confirm successful login
- 5.2Verify the user has changed the temporary password
- 5.3Close the service desk ticket with resolution details
Investigate if Compromise is Suspected
If the password reset is due to suspected compromise, escalate to the security team for investigation.
- 6.1If the user reports suspicious activity, escalate to the IT security team
- 6.2Review account activity logs for signs of unauthorised access
- 6.3Implement additional security measures such as account monitoring if needed
Quality Checkpoints
Common Mistakes to Avoid
Expected Outcomes
Average time from request to confirmed user login, measuring service desk efficiency.
Percentage of password resets where identity verification was completed and documented.
Frequently Asked Questions
Can I reset my own password?
If a self-service password reset portal is available and you have registered your security questions or multi-factor authentication, you can reset your own password. Otherwise, contact the IT service desk.
How often should I change my password?
Follow the organisation password policy, which typically requires password changes every 60 to 90 days. You should also change your password immediately if you suspect it has been compromised.
What if I cannot pass the identity verification?
If you cannot pass the standard identity verification, you may be asked to verify your identity in person with photo identification. This protects your account from unauthorised access.
Want this customised for YOUR business?
We'll tailor every step to your exact operations, tools, and team structure.