Everyone loses passwords
Setting a system password is one of the most common and, as we tend to believe, safest methods of protecting data from unauthorized users. As is often the case, this too has a downside.
Our goal is to set a “difficult” password, to make it harder to guess and gain unauthorized system access, but then we forget it, and find ourselves in an awkward situation, caught in a trap of our own making. After this, we may have completely lost system access.
Life is full of unpredictable twists and turns. The system user may, for example:
- forget the password, having made it too complicated and become unable to remember it after a business trip or a vacation;
- make a mistake when changing the password, having entered the wrong character, followed the wrong scheme, or selected too complex a variant from the outset;
- be obstructive, pretending to have “lost” the password (for example, before dismissal, if there had been a conflict with company management or coworkers);
- leave the company or disappear without leaving system access information (due to negligence or intentionally, in retaliation against the employer).
When no other accounts exist in the system because of security measures, which is most often the case, the system becomes fully inaccessible.
The loss of a system password is especially inconvenient, since it not only results in loss of access to one or several files, applications, and services, but puts an entire workstation out of use, with all of the associated consequences.
What are the consequences of losing a system password?
Potential costs
Research conducted by Datamonitor showed that the internal cost of a single request for assistance from the company helpdesk concerning password problems is between USD 10 and USD 40 (depending on the size of the company). On average, this comes to USD 25, or 57 minutes of a qualified IT professional's time spent on resolving the issue every day. Over the course of a year, the average costs exceed USD 150 thousand for large companies with over two thousand employees.
But this includes only expenses related to the time spent by hired IT professionals. It does not count the costs resulting from the interruption of other business processes or the potential loss of contracts and reputation.
The problem is not as critical if the password in question is for an “empty” workstation of an average company manager. Here, the losses may be limited to the time spent by the system administrators on restoring the system to its original state and partial revenue loss from the employee’s inactivity during that time.
But what if access is lost to the server with a client database, company accounting records, or to the CEO’s laptop? This situation may create a host of internal problems, bring company operations to a standstill, and may lead to significant material and operational costs. Here, it is impossible to calculate exactly the total losses to the business, and so there is only one solution – these types of risks must be minimized.
Why not simply reset the password?
If the computer is part of a domain, its personal password can be reset by the network administrator. In this case, the problem is quickly resolved and the password will not need to be restored. This simple approach is the first solution that comes to mind, but taking it could bring serious consequences with it.
For example, what is the best approach if the computer was using EFS (Encrypting File System) or other services directly tied to the account for which the password has been lost?
The problem is that EFS-protected files on the drive are encrypted using the FEK (File Encryption Key), which is stored in the file's attributes. The FEK is encrypted using the master key, which, in turn, is encrypted by the keys of those users who have access to the file. The user keys themselves are encrypted by the password hashes of those same users. For this reason, if the user password is reset in the domain, you will lose access to EFS-encrypted data.
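The dependency chain described above, as an added example that is not part of the original article: a toy Python model (standard library only) of password, user key, master key and FEK, showing that a password change re-wraps the user key while a forced reset leaves it sealed under the old password. All function names and the HMAC-based wrap are illustrative assumptions and do not reproduce the real EFS or DPAPI formats.

```python
import hashlib, hmac, secrets

def _sub(key, label):                    # independent subkeys for encrypt / MAC
    return hmac.new(key, label, hashlib.sha256).digest()
def _stream(key, nonce, n):              # HMAC-SHA256 in counter mode (toy cipher)
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def wrap(key, secret):                   # returns nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(_sub(key, b"enc"), nonce, len(secret))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise PermissionError("wrong key: this layer cannot be unwrapped")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

def pw_key(password, salt):              # stands in for the "password hash" layer
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(password):
    salt, user_key, master = (secrets.token_bytes(n) for n in (16, 32, 32))
    return {"salt": salt,
            "login": pw_key(password, b"login" + salt),          # what a reset overwrites
            "user_key": wrap(pw_key(password, salt), user_key),  # password -> user key
            "master": wrap(user_key, master)}                    # user key -> master key

def _master(acct, password):
    user_key = unwrap(pw_key(password, acct["salt"]), acct["user_key"])
    return unwrap(user_key, acct["master"])
def encrypt_file(acct, password, data):  # master key -> FEK -> file contents
    fek = secrets.token_bytes(32)
    return {"fek": wrap(_master(acct, password), fek), "data": wrap(fek, data)}
def decrypt_file(acct, password, f):
    return unwrap(unwrap(_master(acct, password), f["fek"]), f["data"])

def change_password(acct, old, new):     # old password known: user key is re-wrapped
    user_key = unwrap(pw_key(old, acct["salt"]), acct["user_key"])
    acct["login"] = pw_key(new, b"login" + acct["salt"])
    acct["user_key"] = wrap(pw_key(new, acct["salt"]), user_key)

def reset_password(acct, new):           # forced reset: nothing can be re-wrapped
    acct["login"] = pw_key(new, b"login" + acct["salt"])

def can_log_in(acct, password):
    return hmac.compare_digest(acct["login"], pw_key(password, b"login" + acct["salt"]))
```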
If the computer is not part of a domain, the local administrator password cannot be reset.