Regular Password Resets Aren’t as Safe as You Think

Brownie2019

Mar 9, 2019
Research from Forrester estimates that every password reset costs around $70. As one of the most common helpdesk requests, many organizations have introduced self-service password reset (SSPR) tools to reduce the load. However, despite these tools, helpdesk teams still handle a significant number of password resets, whether it’s supporting SSPR enrollment or dealing with edge cases.

That makes password resets a natural target for attackers, who know that if they can convince an agent to reset a password, they can bypass multi-factor authentication (MFA) and walk straight into an account. As such, locking down the password reset process starts with understanding where it can go wrong.

How one reset can lead to full compromise
Read full Story:
This is a useful reminder that password resets are often treated as a routine support task, but they can become a high-impact identity attack path.

Why password resets are risky

If an attacker can socially engineer a helpdesk agent into resetting a password, they may bypass the normal protections around the account.

Common weak points include:

  • Poor identity verification during support calls
  • Overreliance on easily found personal details
  • Helpdesk pressure to resolve tickets quickly
  • Weak enrollment or recovery processes for SSPR
  • Exceptions for executives, contractors, or locked-out users

In practice, the reset workflow can become the “back door” to the account, even when MFA is enabled for normal sign-ins.

Important nuance about MFA

A password reset does not always automatically bypass MFA in every environment.

That depends on how the organization handles:

  • MFA re-registration after a reset
  • Recovery methods
  • Conditional access policies
  • Device trust and session controls

But the broader point is correct: if the recovery process is weaker than the login process, attackers will target recovery.

What organizations should do

A safer approach usually includes several layers:

  • Require strong identity verification before any manual reset
  • Use phishing-resistant MFA where possible, such as FIDO2/security keys
  • Separate password reset from MFA reset, with stricter checks for MFA changes
  • Limit helpdesk authority and require approval for sensitive accounts
  • Log and review all reset requests for unusual patterns
  • Train support staff specifically on social engineering scenarios
  • Harden SSPR enrollment and recovery options

What stands out most

The most important lesson is that account recovery must be at least as strong as account login.

If the recovery path relies on weak verification, then strong passwords and MFA lose much of their value.

Conclusion

The article highlights a real and often underestimated problem. Password resets are not just an administrative task; they are part of the authentication security boundary, and they need to be protected accordingly.
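As an added example (not from the article or from this post), the script below applies three of the controls listed above to a set of constructed helpdesk reset-log events: a password reset followed shortly by a new MFA method on the same account (the "recovery as back door" pattern), a manual reset of a sensitive account with no approval ticket recorded, and a single agent performing an unusual burst of resets. The event format, the sensitive-account list and the thresholds are assumptions chosen for illustration; a real deployment would read these from the identity provider's audit log and tune the windows to its own baseline.

```python
"""Review helpdesk password-reset events for the risky patterns described above.

Added example, not code from the article or the forum post. The event schema
(ts, type, account, actor, approval_ticket), the sensitive-account set and the
thresholds are all assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). ISO-8601 timestamps, one day of activity.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "type": "password_reset", "account": "jdoe", "actor": "helpdesk-alice", "approval_ticket": None},
    {"ts": "2024-03-01T09:04:00", "type": "mfa_method_registered", "account": "jdoe", "actor": "jdoe", "approval_ticket": None},
    {"ts": "2024-03-01T10:00:00", "type": "password_reset", "account": "ceo", "actor": "helpdesk-bob", "approval_ticket": None},
    {"ts": "2024-03-01T10:10:00", "type": "password_reset", "account": "svc-backup", "actor": "helpdesk-bob", "approval_ticket": "CHG-1234"},
    {"ts": "2024-03-01T10:20:00", "type": "password_reset", "account": "user3", "actor": "helpdesk-bob", "approval_ticket": None},
    {"ts": "2024-03-01T10:30:00", "type": "password_reset", "account": "user4", "actor": "helpdesk-bob", "approval_ticket": None},
    {"ts": "2024-03-01T12:00:00", "type": "password_reset", "account": "mgr1", "actor": "helpdesk-alice", "approval_ticket": None},
    # Next-day MFA enrolment: far outside the window, so not correlated with the reset.
    {"ts": "2024-03-02T09:00:00", "type": "mfa_method_registered", "account": "mgr1", "actor": "mgr1", "approval_ticket": None},
]

# Assumed policy values for the example.
SENSITIVE_ACCOUNTS = {"ceo", "svc-backup"}   # accounts whose manual reset needs an approval ticket
MFA_WINDOW = timedelta(minutes=30)           # reset -> new MFA method inside this window is suspicious
RESET_RATE_WINDOW = timedelta(hours=1)       # sliding window for per-agent reset volume
RESET_RATE_LIMIT = 3                         # more than this many resets in the window is a burst


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_reset_then_mfa(events, window=MFA_WINDOW):
    """Return (account, resetting agent, minutes elapsed) for every MFA method
    registered within `window` after a password reset on the same account."""
    last_reset = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = parse_ts(ev["ts"])
        if ev["type"] == "password_reset":
            last_reset[ev["account"]] = (t, ev["actor"])
        elif ev["type"] == "mfa_method_registered":
            prior = last_reset.get(ev["account"])
            if prior and t - prior[0] <= window:
                minutes = int((t - prior[0]).total_seconds() // 60)
                findings.append((ev["account"], prior[1], minutes))
    return findings


def find_unapproved_sensitive_resets(events, sensitive=SENSITIVE_ACCOUNTS):
    """Return (account, agent) for manual resets of sensitive accounts lacking an approval ticket."""
    return [
        (ev["account"], ev["actor"])
        for ev in events
        if ev["type"] == "password_reset"
        and ev["account"] in sensitive
        and not ev.get("approval_ticket")
    ]


def find_reset_bursts(events, window=RESET_RATE_WINDOW, limit=RESET_RATE_LIMIT):
    """Return agents who performed more than `limit` resets inside any sliding `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["type"] == "password_reset":
            by_actor[ev["actor"]].append(parse_ts(ev["ts"]))
    flagged = []
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.append(actor)
                break
    return flagged


def review(events):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "reset_then_mfa": find_reset_then_mfa(events),
        "unapproved_sensitive_resets": find_unapproved_sensitive_resets(events),
        "reset_bursts": find_reset_bursts(events),
    }


if __name__ == "__main__":
    for name, hits in review(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

Each check returns structured findings rather than printing, so the same functions can feed a ticketing system or a SIEM rule. The first check is the one that most directly reflects the post's point: a reset that is immediately followed by a fresh MFA registration is exactly the sequence an attacker needs to complete, so it deserves a review even when every individual step was "allowed".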