Your IBM i users are human. They forget their passwords occasionally and get locked out of IBM i. But if users have to call IT every time they need a reset, those forgotten passwords are costing you time and money. Considering 20–50 percent of help desk calls are for password resets, the costs add up fast. Powertech Password Self Help for IBM i is a password self-service tool that improves productivity and data security, while reducing help desk costs.
Resetting disabled passwords is an inevitable activity which all companies face, regardless of the systems they use. In the case of IBM i shops, however, it is crucial. This is because most companies with IBM i use it to run their core applications; users who can’t sign on are unable to do the essential jobs that drive their organization’s business.
Password Self Help, a Fortra application, provides administrators with the ability to allow users to reset their own passwords. It is a simple application both to install and to implement, and it provides genuine return on investment for any organization that uses it.
Once in place, it is no longer necessary for external support to assist a user in resetting their password and re-enabling access. The Help Desk staff’s time can then be better spent on higher priority issues and on improving the company’s effectiveness in the marketplace.
Key regulations and standards for IT and the industries it supports dictate that password reset processes must be secure and fully audited. Password Self Help meets both these requirements and does it simply and efficiently. Users are able to get back on the system quickly and securely, and an administrator can track all activity.
Making the Case
- 20% to 50% of all help desk calls are for password resets – Gartner estimate
- The average help desk labor cost for a single password reset is 40 minutes and $70 – Forrester estimate
Many regard these statistics as being too conservative. Even substituting a more conservative amount for the cost to reset a user’s password, the number of users, and how often they need reset passwords results in worryingly high costs – in both time and money. Multiply that number by $25, $50 or $70 to understand how quickly benefits can be realized when using a system which automates and simplifies the process.
Regulations and standards like PCI DSS, Sarbanes-Oxley, and HIPAA have reviewed password requirements and now encourage or demand greater complexity. Some recent changes follow:
- Best practices have established that passwords be changed more often, sometimes as often as every 30 days.
- The number of attempts a user has to authenticate has been reduced to as few as three times before their password is disabled.
- Passwords tend to be longer, often with a minimum password length of 8 characters, and have added complexity, requiring digits in addition to characters.
- IBM i now allows case-sensitive passwords, passwords longer than 10 characters, the inclusion of special characters and punctuation, and embedded blanks.
Setting the Stage
What does Password Self Help do and how does it work? The answer is pretty simple:
Users who have disabled themselves sign on to a profile that presents a selection of challenge questions for which they have previously provided answers. If they answer successfully, their disabled profile is re- enabled and they can sign back on.
Password Self Help can be installed on any IBM i. It is a standalone application that doesn’t require client code on a PC or Windows server. It is simple to install and administer, as it resets only IBM i passwords without any affect to Active Directory user IDs.
Password Self Help can be downloaded from the web and, once installed, only three steps are required to start using it.
- Configure product setting
- Register users
- Enable users to access self-help questions
1. Configure Product Settings
Configuring settings is a one-off event which allows you to tailor Password Self Help to meet your company’s security requirements. Examples of some of the configuration settings are:
- How many challenge questions a user must answer
- Whether the answers are case sensitive
- What rules the answers to the challenge questions must meet
For instance, it is possible to set the minimum number of characters the answer must be, and whether repetition of characters is allowed
2. Registered Users
Users must be registered in Password Self Help before they can reset their password. This provides the security necessary to protect powerful profiles, such as QSECOFR from having their passwords reset.
3. Enable Users to Access Self-Help Questions
The final step in setting up Password Self Help is undertaken by the user. A user must create the answers to the challenge questions presented when they reset their password. A Password Self Help command is provided to give access to the questions and can be run from a command line or embedded in a menu. Users can be assigned their questions or choose which questions to answer.
It would be a serious security exposure if someone were to access the answers to challenge questions. There is no option within Password Self Help to view the user’s answers; only the user can see them. Furthermore, the answers have been encrypted, so viewing the answers file provides no information.
The User Experience
A user-friendly web interface allows users to reset their passwords quickly and easily. There are only a few easy-to-follow steps for a user to reset their password using Password Self Help:
- Enter your profile
- Answer your challenge questions
- Sign on as yourself and reset your password
Once a user has disabled their profile—systems typically disable them after three invalid sign on attempts—they are presented with a screen which requests their profile and reason for the reset. If they have already been registered in Password Self Help and have provided answers to their challenge questions, they will now be presented with those challenge questions.
Assuming the correct answers are provided, the user can create a new password.
Password Self Help has full audit traceability as well as the capability to run reports and track a user’s password reset activities. It can run an audit report to show a full range of user activities and configurations. In addition, its Message Monitor provides alerts to mobile administrators, so they get immediate notification of unsuccessful resets no matter where they are.
Password Self Help is a simple application that can provide real return on investment for any business with almost immediate effect. Industry-cited figures estimate each password reset costs around $70, with 20%–50% of all calls to the Help Desk being password-related. By empowering users to reset and synchronize their own passwords, the immediate reduction in Help Desk calls more than makes up for its cost. The increase in productivity for both the administrator (who previously spent an average of 15 minutesresetting each password), and for the user (who no longer has to sit and wait while their password is reset), enables the company to reclaim the majority of the costs associated with lost productivity.