Question (score 89)

I work for a help desk, and we recently launched an online service where our members can log in.

A problem we are having is that users who are calling us often ask us to confirm that the password handed in to them is correct. By doing so, they disclose their password over the phone. How can we prevent this?

It is mentioned in the sign-up mail that they mustn't disclose their password, and we mention it whenever we feel they are going to disclose it to us.

About the users: Around 90% of our callers are first time callers. Since they're doing it the first time they call, it's difficult to educate them. They are pensioners, so they usually have less experience of authenticated services than the average computer user.

Asked by Terry (edited by Steve Dodier-Lazaro)
  • If they give you their password in order to query something else about their account, create a support PIN system. This PIN would be in their account & provides an alternative (but less secure) method than a password. – AStopher Jan 11 '16 at 14:00
  • We have access to all the information and support facilities without needing to know their passwords, so a PIN system wouldn't help with this. Also, the people calling for support are usually first-time callers. – Terry Jan 11 '16 at 14:19
  • I've worked a helpdesk job, and we just didn't have access to their passwords. Now of course people still try to give you their password, and I did my best to not remember them. As long as employees don't have access to it, then get them in the habit of telling them they can't see their password for security reasons. Then suggest they reset their password if they have problems with it. That's what we did, but people want to call in to verify their passwords because of their own behavior. Find a way to inform the customers how to manage their passwords better, which may or may not help. – dakre18 Jan 11 '16 at 14:33
  • We do have a facility to reset but we still get the calls. With it being in-house support, and supporting the public, it can be difficult to know who the person is. – Terry Jan 11 '16 at 17:34
  • "calling us to clarify their passwords": What does that mean, *clarify*? Do they tell their passwords to identify themselves? Or do they want it to get changed? – unor Jan 11 '16 at 18:43
  • @unor There is no reason for them to tell us their password. They are literally calling, and whilst we are working out if they are internal or external they go "my password is x, is that right?". It is odd because I have never had this issue before. I also want to note that these people are pensioners; some of them are very old. – Terry Jan 12 '16 at 08:41
  • Perhaps you can sidestep the problem by requiring your customers to identify themselves with a less sensitive piece of info? See my [updated answer below](http://security.stackexchange.com/a/110267/42360) for an example. – Kjartan Jan 12 '16 at 12:54
  • This sounds like a UX question more than a security question. – Rick Jan 12 '16 at 13:39
  • Honestly? We've been hammering "don't tell anyone any of your passwords" in one form or another for 30 years now. If they haven't figured it out by now, they won't. I doubt there is much you can do. – Shane Jan 12 '16 at 23:32
  • I cannot see the problem, really. The helpdesk workers are not trustworthy? – Peter - Reinstate Monica Jan 13 '16 at 09:09
  • @Peter A. Schneider it's all about accountability. – Terry Jan 13 '16 at 09:48
  • @Terry I think it'd have been key to point out that your user population is very illiterate. For this specific context I find mk444's answer of much higher benefit than the top answer. Posting to UX might be a good solution too, but make it excessively clear that you're dealing with simplifying the auth process of an illiterate population so people don't dispense their opinions, but solutions that have worked for similar user bases instead. I'll propose an edit to clarify the situation in your question. – Steve Dodier-Lazaro Jan 13 '16 at 11:19
  • @SteveDL That was a very dramatic edit, so much so that I went to flag the question as a duplicate of the "original". – Shelvacu Jan 14 '16 at 16:21
  • _"Thank you for calling the help desk. You will be forwarded to the next available officer in a moment. Please do remember that help desk personnel cannot assist with questions regarding the validity of your password, nor is any such information available to them."_ ... Beep. – Damon Jan 14 '16 at 16:30
  • @shelvacu He managed to get out what I was trying to ask, so it was a good edit too. – Terry Jan 14 '16 at 16:35
  • *"Thank you for calling the helpdesk. There is a 15 second delay on this phone line, to allow an automated censoring system to identify and remove any passwords spoken during the call. If you are certain you will never say your password during the call, you can upgrade to a call without any delay for a one-off payment of $4.99..."* "My password is BEEEEEEEEEP is that right?" – TessellatingHeckler Jan 14 '16 at 17:43
  • I am surprised no one has asked what "handed in to them" means. Is someone besides the user setting his/her password? Why? – Michael Jan 14 '16 at 19:20
  • The idea that I am not supposed to trust the helpdesk has always seemed Kafkaesque. Who the hell can I trust then? – nocomprende Jan 16 '16 at 20:13
  • @nocomprende There is no reason you should need to trust a person with your password, so doing so can only *add* risk. – dmckee --- ex-moderator kitten Jan 17 '16 at 05:05
  • @dmckee So, what *can* I trust anyone with? Anything? Whom can I trust? No one? This is not a world that people should be living in. – Jan 18 '16 at 23:55

16 Answers

Answer (score 90)

Ensure there is a method for users to reset their own passwords, and make a policy whereby the helpdesk will initiate a password reset if a password is revealed to them.

Users will tend to phone up when they can't log in, and therefore triggering the same password reset process as they can themselves results in them slowly learning that it doesn't help to phone up.

– Matthew
  • I'm not sure the learning part is relevant, as time progresses your userbase will get refreshed with new users. If the first 100 learnt that calling is useless, that doesn't mean the next 100 will understand that any sooner. – Kevin Jan 11 '16 at 14:07
  • Educating users would be difficult as these are first-time callers in 90% of cases and most of them have never used a computer for anything other than to check emails. – Terry Jan 11 '16 at 14:20
  • I took "helpdesk" to infer a more internal structure, so supporting a known pool of employees, for example, rather than an externally facing support line. It's a harder problem for an environment where you have no control over users - maybe a standard script would help, as @silverpenguin suggests in a comment to another answer here. – Matthew Jan 11 '16 at 14:38
  • Personally, if someone is already unaware that they should not tell the helpdesk their password, then reactively resetting their password would most likely make them angry - even if it's good practice to ensure that only they know their password. If it's extremely sensitive information, it's a must. Otherwise, I think having some kind of a recording before a call is picked up might help - "Your call may be recorded for quality assurance purposes. Remember to never reveal your password to anyone - including the Help Desk." – Jake Jan 11 '16 at 15:49
  • Possibly, which is why there should be a very clear method of allowing users to manage their own passwords. Passwords are a rubbish method of verifying users, but we're probably stuck with them for a while. There is a distinction between someone phoning saying "my password is 'password1' and it's not working" and "I'm having a problem, my username is 'username' and my password is 'password1' - can you log in and fix it?" – Matthew Jan 11 '16 at 15:55
  • @Matthew Your example is very true. Before we even know whether they are internal or external most have already told us their password. – Terry Jan 11 '16 at 17:38
  • @Jake I completely agree with this answer. However, I think it would be wise to phrase the message slightly differently. Blatantly saying "Don't tell the help desk your password" would put a huge amount of distrust into some customers that have limited technology skills, which is not what you want. – Luke Park Jan 11 '16 at 22:09
  • @Luke Park: the standard wording for this is usually something like "our representative will never ask you for your password". People hopefully get that this means they're not supposed to tell their password, without imparting a feeling of distrust. – Lie Ryan Jan 12 '16 at 11:48
  • Assuming that your helpdesk agents are trustworthy, revealing the password to them over a relatively secure phone line probably isn't a serious security compromise. It merely puts the agent in an awkward social situation. Therefore, forcefully resetting their password is basically inflicting a punitive educational lesson. That said, if someone e-mails me their password, then I do consider the password to be compromised, and I will force-reset it. – 200_success Jan 13 '16 at 04:52
  • @200_success: Phone lines are not secure unless encrypted. And even if *your* side is following good procedures, everyone in the caller's office (and probably the next office down the floor) has now heard the password. Actually, if it's possible to *tell* the password (in one word), it's a very weak password to begin with... – DevSolar Jan 13 '16 at 14:40
  • @DevSolar Well, unless you use a _passphrase_, of course. Although those _are_ more than one word. – Blacklight Shining Jan 13 '16 at 15:45
  • Over two years ago, my company released an automated password reset tool that can reset passwords for AD, SAP, AIX, and many other systems we use. And yet, 65% of the calls to the helpdesk are for resetting passwords. – corsiKa Jan 13 '16 at 20:28
Answer (score 54)

Unfortunately some users will always do this but you could add some audio to the introduction message and hold music, reiterating that users are not to provide passwords over the phone.

  • We currently don't have any audio before we answer at all. I guess that should be implemented really. – Terry Jan 11 '16 at 12:32
  • Then maybe there should be an agreed-upon phrase as you answer the phone: "Hello, welcome to Sneaky Hookups. Just a reminder, you should never disclose your password to me. My name is Terry, I will be assisting you today." – TheHidden Jan 11 '16 at 12:44
  • If you don't have an introductory recorded message for callers you could just train your staff to say something appropriate when picking up the phone. E.g. *"Hello, Acme widgets, we never need, ask for or know your password -- how can I help you"*. Clumsy, but brainstorming with staff might produce something they could be comfortable with. – RedGrittyBrick Jan 12 '16 at 18:28
  • @silverpenguin it is pointless for the helpdesk person to say it because if they were up to no good, they could simply not give that warning! The whole gist of this question is that you don't trust the helpdesk staff or it would not be an issue. – JamesRyan Jan 14 '16 at 14:40
  • @JamesRyan I do agree with you but there seem to be very limited options other than a pre-recorded message. – TheHidden Jan 14 '16 at 14:46
  • @Terry one point, you can easily [A/B test](https://www.smashingmagazine.com/2010/06/the-ultimate-guide-to-a-b-testing/) different audio messages to see which message best conveys the ideas that *(a)* users mustn't disclose their passwords to anyone and *(b)* your staff don't know the passwords and cannot confirm them. A testing approach here is much faster and more efficient than arguing over whether people will understand this or that. Just remember to test *one thing at a time*. – Steve Dodier-Lazaro Jan 14 '16 at 16:40
  • @Terry If you don't have any automated hold music/messages, then great job! Genuinely, keep it up. Doesn't help with this particular problem, but I just wanted to say good job. Everybody hates automated messages and the customer service benefit of not having them is usually very high. – Mark Henderson Jan 14 '16 at 20:17
  • @MarkHenderson some people do seem surprised when a person answers within a few seconds. Sometimes they aren't even on the other end yet. – Terry Jan 14 '16 at 22:03
  • @JamesRyan: It's also about people listening in to the call. – Lightness Races in Orbit Jan 15 '16 at 01:01
  • _"Thank you for calling the helpdesk. Please be advised that 78.6% of our help desk technicians have served prison time for identity theft. For this reason, NEVER reveal your password over the phone, especially to a help desk technician. We will now forward you to the next available help desk technician..."_ Then you just change your hiring policies to make that statement true... – xdhmoore Jan 16 '16 at 17:51
Answer (score 15)

Simply put, there's no way of stomping this out completely. There are policies and procedures you can put in place to reduce it, though:

  • Send out Security Awareness messages (standalone, or footers to other messages) reiterating that passwords are private and should never be given out to anyone.
  • Train Helpdesk staff to cut customers off before they can give their password out.
  • Implement a policy whereby if a customer gives a password out to the helpdesk, that password must immediately be reset.
  • Ensure that self-service sections are prominent and well advertised (for password resets/recoveries).

Most of these come with an associated cost to service (inconvenience, usually, and additional paperwork), which should be considered before implementation, but that's the general direction.

– Jozef Woods
  • "if a customer gives a password out to the helpdesk, that password must immediately be reset" is the best statement made so far in this entire post. – Mawg says reinstate Monica Jan 12 '16 at 08:16
  • We already set their passwords to expire when this happens. – Terry Jan 12 '16 at 12:00
  • @Mawg not really - either a) the helpdesk staff is trustworthy and not going to abuse the account themselves, in which case no harm done, or b) the helpdesk staff is untrustworthy, will not reset the password, and will abuse the account. Having the helpdesk staff member reset it does not fix the security problem here. The main security issue is that they tell people their passwords, and may tell someone else. Educating the user is the only sensible (and practical) thing to do. – gbjbaanb Jan 13 '16 at 10:31
  • @gbjbaanb It's not a measure to combat untrustworthiness in the Helpdesk, it's a measure to associate a user's distribution of their password with compromise. You can only control helpdesk procedures, but you are invalidating credentials which have been passed on, and helping the customer to understand that handing out passwords leads to the passwords being bad. – Jozef Woods Jan 13 '16 at 10:48
  • @JozefWoods exactly - helping the customer to understand is the important factor. Resetting the password is irrelevant (though often a sensible procedure, the OP says that in this case it would be counter-productive). – gbjbaanb Jan 13 '16 at 11:53
Answer (score 14)

I think in addition to the immediate password reset it might be appropriate to remind users of the terms of service (sample terms of service).

You are the sole authorized user of your account. You are responsible for maintaining the confidentiality of any password provided by You or Zimride for accessing the Service. You are solely and fully responsible for all activities that occur under Your password or account. Zimride has no control over the use of any User's account and expressly disclaims any liability derived therefrom. Should You suspect that any unauthorized party may be using Your password or account or You suspect any other breach of security, You will contact Us immediately.

Tell the user that they have violated the terms of service by disclosing the password and that you are resetting the password to put them back in compliance.

It also depends on what kind of service you are providing. For me personally, if I attach no monetary value to my account, then I won't likely care much about the terms of service. On the other hand, if I am asking about my retirement account and it is implied that frequent violations of the terms of service may be used as evidence to absolve the company from financial liability in case of a security breach, I will definitely pay attention.

For example, some hackers steal my money using an unrelated security breach but the company does not want to make good so they use my password disclosures as evidence of my carelessness.

– emory
  • Telling a user they violated something isn't really going to endear you to your users. Nobody likes being told they just did something wrong, and then having their hand slapped by resetting their password. Doing this would only lead to less happy customers, who might just go somewhere else. – Steve Sether Jan 11 '16 at 16:34
  • @SteveSether I think you are right. This is a sensitive area. If the bank is going to use the password disclosures as evidence of password carelessness in order to get out of liability, the bank should warn the customer. It would probably just be better to mandate 2FA for habitually password-careless customers. – emory Jan 11 '16 at 16:51
  • To address @SteveSether's concerns: Rather than saying they "violated" something, simply say "according to our security policy, only you should know your password, so now that I know it, I'm required to reset it. I'm sorry for any inconvenience, but we have to protect your account from unauthorized access". – Monty Harder Jan 11 '16 at 17:40
  • @MontyHarder It would be more amusing to phrase it as, "Now that I know your password and username, I plan on going home and logging into your account. Would you like to reset your password so I can't get in?" - but I don't think they would find it as funny as I would; something about ruining their trust with company employees doesn't usually go the best for everyone involved. – DoubleDouble Jan 11 '16 at 19:33
Answer (score 10)

I have a simple process that taught users pretty rapidly not to give us their passwords. If a user tells you their password, do the same thing you would do if you knew the user had told someone else the password: force them to set a new password. Finish the call / interaction and then inform the user that for security you now need to reset their password, to please remember never to tell anyone (including their manager or IT staff) their password, and if they ever do, to inform IT immediately so you can reset it.

– Nick Young
Answer (score 9)

You could have asked this on UIX.StackExchange - here nobody seems to ask the question "Why are they telling you their password?". I think trying to educate people with audio messages or warnings won't cut the deal. Most people know they shouldn't tell their password to anyone without a good reason.

If so many people call your support to assert "P4ssW0rd is my password, right?", it seems your user interface leaves them clueless as to whether that really is their password. This could have multiple reasons - if you have old clients it could simply be that they forget their password, but people who know they cannot easily remember stuff would usually write it down.

Maybe they have problems logging in and get the usual "You have entered a wrong user name or password" message - it is natural to ask support whether the username or the password you entered was wrong. Maybe they get the same message if their account is locked? Or maybe they get their first password via mail and it doesn't "look" like a password. Or the application doesn't make it simple enough to know what your password is.

You should ask users why they need to clarify their password and you will probably find a reason in communication with the user / in the user interface which leads to so many people feeling the need to clarify their password via phone.

– Falco
  • The interface is actually very simple. They put in their email address, pick a password, then pick a secret question. They then receive an activation link confirming their username and a link to log in. It seems they can't remember what the password is shortly after setting it. As I mentioned earlier a fair few are pensioners. – Terry Jan 12 '16 at 11:58
  • You could clearly state at registration "You will need this password and this name to log in, please remember them carefully". On the login form you can maybe provide a link with a nicer message like `Can't access the site / Not sure how to log in?` and give them an easy process with pictures on how to reset their account. You can also send an activation link in the e-mail which will automatically log them in. – Falco Jan 12 '16 at 12:17
  • Simplify, simplify, simplify. @Falco's points are all excellent. Regardless of how you tackle preventing the leaking of information that disturbed you in the first place, it must originate in some flaw or worry of a form or another. The best would be to find out why that happens. Without knowing the reason, you won't know what to redesign. – Steve Dodier-Lazaro Jan 14 '16 at 20:54
Answer (score 8)

Update with a new proposal for a solution:

What if you started each conversation by asking a customer for the answer to some pass-phrase that only he or she should know? A similar option has been used as an extra measure for a long time at a company I used to work for, where security is relatively high, and I have a hunch it just may help sidestep problems like yours.

The way this works is as follows: When a customer calls and gives his or her name, you look up their info, including a plain-text question and answer set. Now immediately ask them to verify their identity by answering the question, which you read to them.

What would this achieve?
Two things, I would hope: Firstly, it should improve your security, even if only marginally. The information may be stored in plain text, with everyone working at the help desk having access, and it would probably be the case that many of the answers would be easily guessed, especially if an attacker did a little research before calling you. Even so, this should still make it just a little more difficult to impersonate one of your customers over the phone without triggering any suspicion.

Secondly, and more importantly for your particular problem, this should make it clear to the caller that you have in fact identified them, and are looking at their customer data right now. The idea here is that you actually allow your customer to be helpful. That is, after all, probably why they are so eager to give you their passwords, right?

In essence, you will then be providing them with a simple way to identify themselves without disclosing the more sensitive piece of info that is their personal password.


My previous answer:

You can and should keep trying to educate your users about issues like this, but there will always be users who are ignorant of this, or who do not take it seriously. Whenever that happens, make sure to politely inform your users once again about it, and tell them you have a policy that requires them to reset their password now that it has been revealed.

If this is a recurring problem, you might also want to look into why this happens. Do people at your help desk actually require access to customers' accounts, even if only for a short period to help them out? Perhaps you can find some solution where temporary access is given with a temporary password? If this includes an advertised solution making it simple for you to help your users, while also making it obvious to them that you can get access without them having to provide their passwords to you, then perhaps they won't feel the need to "help" you access their accounts?

Obviously this would require logging each time an employee accesses a user's account, preferably with a short description of why and what was done, etc., along with a strict policy concerning confidentiality and guidelines about what employees can and cannot do, etc.

– Kjartan
  • Ugh, no. Haven't we learned by now that ["security questions" are nothing more than potentially devastating theater](http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/)? – Blacklight Shining Jan 13 '16 at 15:51
  • I see your point, but this depends on how you use them though. I specifically differentiated this from the more sensitive concept of personal passwords. Good training for help desk employees is vital here: Just because you apply this simple test to heighten the bar for impersonation a little, does not mean you can't also say e.g.: "*Sorry, I can't give out personal information from your account or change your account details over the phone, but if you like, I can reset your password for you so you can do it yourself. The new password will be sent to the email registered to your account*". – Kjartan Jan 14 '16 at 05:28
  • It depends on how you use them? How about _not at all?_ The rest is fine: offer to email a password reset link to the address already on file, and nothing else. That's what most websites do, too. If that's how everything worked, things would be a lot less bad. You start having serious problems when you offer password resets on correct responses to questions a private investigator could figure out, or when you let anyone call up and change account information (and then call back and use the changed info to gain access to the account). – Blacklight Shining Jan 16 '16 at 03:40
  • I specifically said that no information should be given or changed, so I'm not sure what you are getting at here. Letting someone at a call desk reset your password is nothing more than any random person could do by clicking the relevant link on a website. – Kjartan Jan 21 '16 at 08:12
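The reset-on-disclosure policy from Matthew's and Jozef Woods's answers, together with the per-access audit trail Kjartan asks for above, worked through as an added example (my code, not anything posted in the thread). It assumes an in-memory store; `AccountStore`, `record_disclosure`, `redeem_reset`, the agent script and the `example.invalid` link are all hypothetical.

```python
"""Added example: help-desk handling of a password a caller has just read out.
Policy: the password is treated as compromised, the account's stored credential
is invalidated, a single-use emailed reset link is issued, and an audit record
is written.  The plaintext password itself is never stored or logged."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RESET_TTL_SECONDS = 15 * 60   # assumption: the emailed reset link lives 15 minutes
PBKDF2_ROUNDS = 200_000

# Wording adapted from Monty Harder's comment above; hypothetical script text.
AGENT_SCRIPT = ("According to our security policy, only you should know your "
                "password, so now that I know it, I'm required to reset it. "
                "I've emailed you a link to choose a new one.")


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: Optional[bytes]          # None: no usable password, reset required
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0


@dataclass
class AccountStore:
    """Hypothetical in-memory store standing in for the member database."""
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def create(self, email: str, password: str) -> Account:
        salt = secrets.token_bytes(16)
        acct = Account(email, salt, _hash_password(password, salt))
        self.accounts[email] = acct
        return acct


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _audit(store: AccountStore, event: str, email: str, agent_id: Optional[str]) -> None:
    # Who did what to which account and when; never the password itself.
    store.audit_log.append({"ts": time.time(), "event": event,
                            "email": email, "agent": agent_id})


def record_disclosure(store: AccountStore, email: str, agent_id: str,
                      now: Optional[float] = None) -> dict:
    """Run from the agent's tooling the moment a caller reads out a password.
    Returns the script for the agent and the reset link to send to the address
    on file (the link goes by email, it is never read out over the phone)."""
    acct = store.accounts[email]
    acct.password_hash = None                       # the spoken password stops working now
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()   # store only a hash
    acct.reset_expires_at = (now if now is not None else time.time()) + RESET_TTL_SECONDS
    _audit(store, "password_disclosed_reset_issued", email, agent_id)
    return {"script": AGENT_SCRIPT,
            "reset_link": f"https://example.invalid/reset?token={token}"}


def verify_login(store: AccountStore, email: str, password: str) -> bool:
    acct = store.accounts.get(email)
    if acct is None or acct.password_hash is None:
        return False
    return hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash)


def redeem_reset(store: AccountStore, token: str, new_password: str,
                 now: Optional[float] = None) -> bool:
    """Completes the self-service reset.  The token is single use: its hash is
    cleared on the first matching attempt whether or not that attempt succeeds."""
    now = now if now is not None else time.time()
    digest = hashlib.sha256(token.encode()).digest()
    for acct in store.accounts.values():
        if acct.reset_token_hash is None:
            continue
        if hmac.compare_digest(acct.reset_token_hash, digest):
            acct.reset_token_hash = None
            if now > acct.reset_expires_at:
                _audit(store, "password_reset_link_expired", acct.email, None)
                return False
            acct.salt = secrets.token_bytes(16)
            acct.password_hash = _hash_password(new_password, acct.salt)
            _audit(store, "password_reset_completed", acct.email, None)
            return True
    return False
```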
Answer (score 3)

I just wanted to throw this in on top of the other options here (which are good.)

I'm not sure what kind of phone system you're using, but in addition to the ones suggested above, would it be possible that a short automated audio message gets played to the user calling in informing them not to share their password with any service reps and all that? This automated message could both educate users before they get to reps, as well as prevent against any malicious rep asking for passwords (not sure how much of an issue that is there.)

– Thomas F.
Answer (score 3)

I am posting this comment as an answer as I think it is a very good answer to the question.

Personally, if someone is already unaware that they should not tell the helpdesk their password, then reactively resetting their password would most likely make them angry - even if it's good practice to ensure that only they know their password. If it's extremely sensitive information, it's a must. Otherwise, I think having some kind of a recording before a call is picked up might help - "Your call may be recorded for quality assurance purposes. Remember to never reveal your password to anyone - including the Help Desk."

– @Jake

– User1
Answer (score 1)

Another one coming from the left field, trying to stop the leak, rather than mopping the floor.

If your password contains letters and numbers, quite often we get a lot of problems with non-monotype fonts: '1', 'i' and 'l' all look the same, and so do '0' and 'O'. So perhaps use a picture, or force the browser to use monotype, when displaying their pass?

Or get your pass algorithm to not use any of the above.

– wuxmedia
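A generator for the "pass algorithm" suggestion above that avoids the confusable glyphs the answer lists, as an added example (my code, not wuxmedia's). The function names, the hyphenated grouping and the addition of capital I to the ambiguous set are my assumptions.

```python
"""Added example: issue initial passwords that avoid glyphs users confuse in
proportional fonts or when copying them from a letter.  The alphabet drops the
characters named in the answer (1/i/l and 0/O) plus capital I."""
import math
import secrets
import string

AMBIGUOUS = set("0O1lIi")     # the answer's list, with 'I' added for the same reason
GROUP_SEPARATOR = "-"         # assumption: groups are joined with hyphens


def unambiguous_alphabet() -> str:
    """Letters and digits minus the confusable glyphs: 62 - 6 = 56 symbols."""
    return "".join(c for c in string.ascii_letters + string.digits if c not in AMBIGUOUS)


def entropy_bits(length: int, alphabet_size: int = len(unambiguous_alphabet())) -> float:
    """Strength of a uniformly random password of `length` symbols; dropping six
    symbols costs about 0.15 bits per character compared with the full 62."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 12, group: int = 4) -> str:
    """Random password from the secrets module, written in groups such as
    abcd-efgh-ijkl so it is easier to copy from an email or printed letter."""
    alphabet = unambiguous_alphabet()
    raw = "".join(secrets.choice(alphabet) for _ in range(length))
    return GROUP_SEPARATOR.join(raw[i:i + group] for i in range(0, length, group))


def normalize_typed(entered: str) -> str:
    """Strip grouping hyphens and stray whitespace the user may or may not type
    back, so 'abcd efgh' and 'abcd-efgh' both compare equal to the issued value.
    Only safe for passwords issued by generate_password, whose alphabet contains
    neither hyphens nor spaces; do not apply it to user-chosen passwords."""
    return "".join(ch for ch in entered if ch != GROUP_SEPARATOR and not ch.isspace())


def is_unambiguous(password: str) -> bool:
    """True if no confusable glyph is present (grouping separators ignored)."""
    return not (set(normalize_typed(password)) & AMBIGUOUS)
```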
Answer (score 1)

Usually it is a symptom of poor communication, procedures, organisation, policies and strategies by the company toward the customer.

For some of my bank accounts, even I can't understand what the 'letter' or 'email' is on about between the PIN, security phrase, security number, password, customer ID, login name, login name, email address, email address and another email address, all of which are sometimes different and sometimes not (note the duplicates!). Then there are the two-factor ID cards and codes to follow that.

E.g. my ISP required me to enter an email address to create an account to get their service which provided an email address [see (1)], and then my telephone ADSL ID was also 'an email address'. So which do I log in with - both depending on the web page!

No wonder folks are confused and the security is compromised by all those supposedly security enhancing 'schemes'.

Then I try helping my elderly in-laws (87 & 90) with hearing aid difficulties etc.

It is about management of risk and consequences (actually it's Hazards, Probabilities, ...).

Make sure the communications department improves the format and layout of those emails, and that they can't be confused with any other similar sounding item (i.e. remove one, so there are NO similar sounding items!)

Answer (score 1)

I think it's best to have an automated message through IVR telling them explicitly that:

For security purposes please never provide your passwords to our Help desk Representatives ...

before they even talk to your support team.

I hope it helps! :)

– Franco
Answer (score 0)

I suggest you back up and ask yourself why the users are doing this in the first place. What occurs to me is that they can't log in, and are trying to determine if they forgot their password or something else is wrong - the account is blocked, they have the wrong user name, etc.

Your problem is that the innocent user trying to fix his access problem is mixed in with malicious attempts to get access to accounts by human engineering your support staff. Unfortunately, it probably won't work to just ask the caller whether he is a real user or a criminal.

I don't have any answer for you - any information your staff is willing to provide or confirm is potentially part of an attempt to gain access by someone who should not.

– ddyer
Answer (score 0)

People are used to trusting the people that they ask for help, else they would not ask them... Doctors, therapists, auto repair, appliance service, etc. For example, yesterday I took my car in to the shop for a repair. It would be absurd if they said, "Do NOT under any circumstances give any of our staff (or any other person) the key to your car!" Inside my car were the usual documents which show my name and address (car registration paper, insurance documentation) and I also have a key to my apartment hidden inside the car as well (in case I ever lock myself out somehow, and there is a spare car key in my wallet). It is possible that bad people work at the car shop, but unlikely.

But in any case, no one can "hack in" to my apartment or steal my car without actually being here, so I don't have to worry about trusting 99.9999% of the world's people. If I misplace my car key in New Zealand, it won't be a problem. If someone in Romania gets a copy of my apartment key, still no problem. So, the point is that the electronic world is just different.

I think that the solution is to make it more like the real world: no one living outside my home town should be able to access my bank account remotely. If I bought gas at home using my credit card, and someone tries to use it 2000 miles away an hour later, it should just fail. (And, it did once. Bravo to my Credit Union for automatically doing what was best for me without me ever asking or having to pay for that!)

You can't explain to people or prevent assumptions based on a world of verifiable trust if the world you are "selling" has no such benefits. Change the world that you are selling to people. Make a password that has been stolen as useless as my car key is in New Zealand. Technology has to work for people, not the other way around. If the things you create are not secure, work harder. We have improved the safety of airplanes, cars and electricity dramatically; we didn't just say, "Oh, well, more education needed."

0

I work for a help desk, and we recently launched an online service where our members can log in.

It is unfortunate that a design problem rears its head and you, at the front lines, have to deal with it, when it should be the architects who have to answer to the feedback provided in this Q&A.

I note two things (emphasis mine):

A problem we are having is that users who are calling us often ask us to confirm that the password handed in to them is correct. By doing so, they disclose their password over the phone. How can we prevent this?

and:

Around 90% of our callers are first time callers. Since they're doing it the first time they call, it's difficult to educate them. They are pensioners, so they usually have less experience of authenticated services than the average computer user.

The problem here isn't the design of the password system, the problem is the use of passwords in the first place, by an unsuitable audience.

If I were designing this system, I would avoid passwords, or otherwise, provide a suitable alternative means of authentication for a less-technical audience. My preferred options include:

  • One-time passwords from an RSA key or similar (used in a single-factor authentication system),
  • Client-side certificates from either a smartcard or virtual smartcard (secured with a PIN) or from a secure USB dongle,
  • "Picture passwords" (a series of clicks/taps on a large image): from an infosec perspective this is the same as a password, and it is plausible that it is less secure if the click-point sequence is obvious, but it makes it harder to forget and doesn't lend itself easily to being shared over the phone.
  • Use PII (personally identifiable information) as a password. In the US, one's Social Security number often serves in this place, as (generally) everyone knows it should be kept secret, yet people seem okay with their banks' websites asking for it to confirm their identity. Perhaps a less critical analogue could be used, such as a birthdate and current street name. Though these are hardly secret, if the system uses numerical or randomly assigned user IDs (as opposed to email addresses or free-text usernames), this would be just as secure as a password, provided users do not leak their user IDs.
Dai
  • 1,686
  • 1
  • 13
  • 20
  • Somehow we have to find a way so the computer knows "it's me" without having to do anything, and which cannot be stolen or spoofed. If it needs to read my DNA, so be it. If I need to have 100 RSA key RFID tags embedded randomly in my body, so be it. This nonsense about having to prove who you are and even then it can be "stolen" is absurd. –  Jan 19 '16 at 00:00
-1

The risk here seems to lie more on the side of the help desk technicians who are getting told the password. If you can't trust them not to abuse the knowledge, then you have a problem to fix.

Getting users to stop giving their password is a matter of educating them. That should happen as needed when it occurs.

If a user gives a password to a help desk person, there should be a process in place to lock that password and force them to create a new one. Again, you have to trust the help desk person to initiate this, but that's why you'd vet them before they're hired.

willc
  • 652
  • 3
  • 9
  • This is not a matter of trust of the Help Desk people. Calls are logged, transcribed, etc. There are many ways the content of the call can be transferred to others. The rest of your answer is covered by Matthew's answer. – schroeder Jan 13 '16 at 18:52
  • I'm not sure who Michael is, but how does logging or transcribing calls prevent Help Desk Employee X from going home and trying to see if User A's known password and email combo get them into User A's bank account, email account, or Facebook account? – willc Jan 14 '16 at 20:11
  • 1
    Quite the contrary. Whoever can access the logs and transcripts is an additional liability that you need to account for. – Steve Dodier-Lazaro Jan 14 '16 at 20:55
  • @geekamongus Sorry, Matthew, not Michael – schroeder Jan 14 '16 at 21:56
  • @geekamongus The first paragraph seems to suggest that if you can trust your help desk people, then you have nothing to fix. My point is that the problem exists apart from trust, and even apart from the help desk. The rest of your answer seems to echo other answers. – schroeder Jan 14 '16 at 21:58