Tech Tidbit – The pain of changing passwords

May 26th, 2022
"Treat your password like your toothbrush. Don't let anyone else use it and change it every six months"

-Clifford Stoll

Password security is always on our minds. The NYS Comptroller's Office technology audits love to list this in audit reports as an area that needs improvement.

People don't like change, so we often hear about pushback from teachers and staff against forced password resets. The same is true of introducing multi-factor authentication.

Then there is the reality that, in this Chromebook/Google Apps/Active Directory hybrid world, realizing that you need to change your password soon and actually changing it easily are two different things.

There is nothing more frustrating or destabilizing than getting locked out because you never knew that your password was about to expire. This is often the case with Chromebook and Virtual Desktop users.

The question then becomes: how do I make sure users actually know they need to change their password soon, and how do users easily change their passwords without a helpdesk call?

For any district, I have a rather simple and easy way to notify your users and your technical staff via email that a user's password needs to be reset in "x" number of days. Unlike Microsoft-only solutions, this will work regardless of whether you use Exchange, Office 365, Google or something else. It takes only a few hours or less to do, depending upon your environment, and requires nothing special that you don't already have. This directly solves, in a timely, automated manner, the problem of making sure that your users know they need to change their password soon.

For the "how do I change my password" part of the question, users can simply sign on to a Windows machine and reset it once they know they need to, and that should flow to your other environments.

However, the issue becomes much more complex if you are a user who lives on a Chromebook, a Mac or another non-domain-joined Windows device. Then actually changing your password may be rather challenging. CSI has self-service password options, accessible via the web, that can be implemented to allow those users to quickly change their passwords wherever they are located. Pure Microsoft Active Directory/Office 365 districts without Google can either implement the same password self-service solution or use the self-serve option that certain levels of Microsoft licensing offer from the internet, which flows back into on-premises Active Directory. Unfortunately, the Microsoft options cannot be used if you are also syncing to Google Apps, because Microsoft won't pass a cloud-based password change to Google and Google will never see the Azure to Active Directory password change.

If you'd like CSI to implement the password notification framework in your environment and/or talk about password self-service strategies that will work in your district, please give us a call.

-Scott Quimby