Password Amnesia: Not the Only Identity Management Problem

Published: September 19 2011, 08:37 AM
by Merritt Maxim

I have been away from the blog for longer than I like (call it summer vacation), but I am back now and plan more blog entries in the coming months, so please keep reading the blog.

Today's topic concerns an issue near and dear to everyone who deals with IAM: the forgotten or lost password. This is a legitimate business problem, not just for maintaining end-user satisfaction; it also costs organizations money, because they have to staff service desks to help users reset forgotten, lost or stolen passwords. Reducing these service desk costs continues to be a major driver behind organizations deploying identity management solutions that provide user self-service and password reset functionality and automate the password reset process. The result is lower operational costs as well as an improved user experience (and customer satisfaction).

And while many quote various figures on the internal cost to reset a password manually, the issue is less about the exact cost and more about understanding that manual password resets are not only costly but also inefficient. So today's blog is written in defense of the end-user.

Everyone who invokes the forgotten password problem is subtly implying that users are simpletons who cannot remember passwords and unnecessarily burden the service desk with calls.  While there is no doubt that forgetting passwords does happen (especially for systems that are infrequently accessed), there are other scenarios that lead to incorrect passwords.

Case in point. I recently received a new work laptop and retired my 4+ year-old laptop. Our IT staff successfully migrated all my documents and other important files to the new machine without incident. The problem occurred when I tried to access a few B2C websites. I had cached the usernames and passwords for these sites on my old machine, but that information was not available on my new machine (lest you chastise an IAM professional for doing such an irresponsible thing -- the cached passwords were only for non-transactional sites like those that provide content). And since the passwords had been cached for years, I had little to no idea of the original passwords. While there are utilities that can migrate browser bookmarks and cached passwords from machine to machine, a better security policy for password hygiene is to prevent this and force users to reset passwords, which is exactly what happened with my new machine.

Enter user self-service. Thankfully, most if not all of these sites possessed password reset capabilities, and I was able to reset my password and access each site's content. But this experience reminded me that the "forgotten" password is not necessarily a function of amnesia, but could be the result of an external event like a new or replacement PC. So while this exercise was a bit painful for me in the short term, it further demonstrated to me the value of identity management and self-service solutions, and that forgetful users are not the only reason for password resets.

*Image used under Creative Commons License courtesy of Horia Varlan.

 

 

By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...