So, you need to reset thousands of passwords…

If you need to give everyone a new password, you have some options.
When signs of ransomware are spotted—perhaps your endpoint-detection tooling just found the credential-harvesting tool Mimikatz—it might be time to draft that company-wide memo and get everybody ready for a password reset.

The Los Angeles Unified School District (LAUSD) knows the drill. Following a September ransomware attack, the LAUSD called for (thousands of) students and employees to change their credentials—in person.

Password-reset options have advantages and disadvantages (like, say, long lines at the school). Organizations can benefit from considering the choices in advance, to avoid the complicated problem of users—and services—shut out until new passwords are added.

“There’s the IT side of having to deal with all the services and systems that now need to have the passwords changed within them. And then there’s the user side of just, ‘How the heck do I get back into the environment?’” said Ryan Chapman, principal incident response consultant with BlackBerry.

Here’s a quick review of some common password reset options.

In-person. The LAUSD’s in-person option is perhaps a more secure choice, given that identity can be literally seen and ascertained. A drawback: it’s going to take a while.

“The detriment to resetting all the credentials is that you’re resetting all the credentials,” said Chapman.

The conservative in-person approach, however, avoids a race between attacker and end-user that remote resets can create:

“If the attacker already has the credentials, they can basically beat that user to resetting the password to something that they would know,” said Jason Rebholz, CISO at the insurance provider Corvus.

Self-service. A perhaps faster way to get thousands re-authenticated: self-service options like Azure Active Directory self-service password reset or ADSelfService Plus.

The benefit of the mostly DIY approach, said Chapman, is that users can authenticate themselves, frequently without help-desk support or an on-site visit. Employees renew credentials using an alternate factor, like a hardware token or the answer to a personal security question.

The drawback: A threat actor can still impersonate an end-user if, say, the security question is easy to guess.

“The questions should not be public knowledge,” said Chapman. (No “What’s your mother’s maiden name?” please!)

And people will still likely call the help desk. Companies need to effectively communicate the reset message, Chapman said, also recommending a check-in with any third-party provider about their ability to upscale for an increased number of calls.

Tough calls. There are difficult decisions regarding accounts that have not been reset—a choice for leadership that should be built into incident-response plans, Oscar Morales, solutions architect at Calian, told IT Brew.

What if your top salesperson, for example, hasn’t responded to messages to renew?

“If a person doesn’t respond, do we just disable the account and wait for them to call back?” Morales said.
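The "force, report, then decide" sequence described above can be scripted against Active Directory. The following PowerShell is an added example for this page, not code from IT Brew, BlackBerry, Corvus or Calian; it assumes the RSAT ActiveDirectory module and an account allowed to modify and disable users. `$IncidentStart`, `$GraceDays` and `$ExemptAccounts` are placeholders to be set for your own environment, and the disable step runs with `-WhatIf` so that the list is reviewed by whoever owns that call before anything is actually locked out.

```powershell
# Added example, not from the original article. Three modes, meant to be run on
# different days of the incident:
#   Force   - set "change password at next logon" on every enabled user
#   Report  - list who has / has not reset since the incident started
#   Disable - after the grace period, disable accounts still pending (dry run)
param(
    [ValidateSet('Force', 'Report', 'Disable')]
    [string]$Mode = 'Report'
)

Import-Module ActiveDirectory

$IncidentStart  = Get-Date '2000-01-01T00:00:00'  # placeholder: estimated start of the compromise
$GraceDays      = 3                               # placeholder: days users get before being disabled
$ExemptAccounts = @('breakglass-admin')           # placeholder: accounts leadership chose to keep enabled
$Deadline       = $IncidentStart.AddDays($GraceDays)
$ReportPath     = Join-Path $PWD 'reset-status.csv'

# Accounts with PasswordNeverExpires set (typically service accounts) are excluded:
# the change-at-next-logon flag is not honoured for them, so they need a separate,
# coordinated rotation of every system that uses the credential.
function Get-TargetUsers {
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
               -Properties PasswordLastSet |
        Where-Object { $ExemptAccounts -notcontains $_.SamAccountName }
}

# PasswordLastSet reads as $null while the must-change flag is pending, so a
# non-null value later than the incident start means the user has actually reset.
function Get-ResetStatus {
    foreach ($u in Get-TargetUsers) {
        $last = $u.PasswordLastSet
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            PasswordLastSet    = $last
            ResetSinceIncident = ($null -ne $last) -and ($last -gt $IncidentStart)
        }
    }
}

switch ($Mode) {
    'Force' {
        $targets = Get-TargetUsers
        $targets | Set-ADUser -ChangePasswordAtLogon $true
        Write-Host ("Forced reset at next logon for {0} accounts" -f @($targets).Count)
    }
    'Report' {
        $status  = Get-ResetStatus
        $pending = @($status | Where-Object { -not $_.ResetSinceIncident })
        $status | Export-Csv -NoTypeInformation -Path $ReportPath
        Write-Host ("{0} of {1} accounts still pending reset; details in {2}" -f `
            $pending.Count, @($status).Count, $ReportPath)
    }
    'Disable' {
        if ((Get-Date) -lt $Deadline) {
            Write-Host ("Grace period runs until {0}; nothing disabled" -f $Deadline)
            return
        }
        $pending = @(Get-ResetStatus | Where-Object { -not $_.ResetSinceIncident })
        foreach ($p in $pending) {
            # Remove -WhatIf only after the pending list has been reviewed.
            Disable-ADAccount -Identity $p.SamAccountName -WhatIf
        }
        Write-Host ("{0} accounts would be disabled" -f $pending.Count)
    }
}
```

Run it as `.\reset-sweep.ps1 -Mode Force` on day one, `-Mode Report` each morning (the CSV doubles as the list the help desk works from), and `-Mode Disable` once the grace period has passed. The exemption list is where the "top salesperson" decision lives: the script deliberately makes it an explicit, reviewable setting rather than a judgement call at the console.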

But is one renewal method—in-person or remote—more effective than the other?

Unfortunately, no, said Morales; organizations just have to get people up and running as fast as possible: “You’ve got to just tackle the beast.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.