The Password Reset

Our IT department was configuring a new laptop for me, and they contacted me stating they needed to reset my password so they could do the final stage of the set-up.

Seems like a terrible process to me. Why do they need to impersonate me to configure a laptop? Surely their own privileges should be sufficient to do their work?

I tried to carry on with my work, but after my machine locked, I tried my new password and it wouldn’t let me in. I tried my old password and Windows accepted it, or at least it did initially. I then got the pop-up balloon stating that Windows needed my new credentials. So I locked my machine, tried to log back in, and Windows said I was locked out.

So I called IT and they unlocked my account, but I still couldn’t get in. The IT guy said he would reset my password again. For security, he said I needed to state my line manager’s name. I said Alan. He said it was wrong, it was Louise. I said I had switched a few weeks ago. He reset my password.

There are a couple of things wrong with this approach. I know quite a lot of people’s line managers, and this is information you can look up inside the company. So if someone is off on annual leave, I could ring up IT pretending to be my target, ask to reset the password, state their line manager’s name, and there you go; I have access to their emails and can do whatever I want under their name.

If I were an external attacker, I might not know their manager, or maybe I would have old information and could tell them their old manager. The IT guy should have just said I was wrong, and not told me what the answer was. Anyone could say “oh yeah, I’ve switched managers and your system is wrong”. Even if he had refused to reset the password, I could just call again with the new information.

Why would you do something as major as resetting a user’s account when the supposed user got a security question wrong about themselves?
