Regular Password Resets Are Not As Safe As You Think

Research from Forrester estimates that each password reset costs about $70. Because resets are one of the most common help desk requests, many organizations have introduced self-service password reset (SSPR) tools to reduce the burden. Even with these tools in place, help desk teams still handle a significant number of password resets, whether that means supporting SSPR registration or dealing with urgent situations.

That makes the password reset a natural target for attackers, who know that if they can convince an agent to reset a password, they can bypass multi-factor authentication (MFA) and get straight into the account. Locking down the password reset process therefore begins with understanding where it can go wrong.

How a single reset can lead to full compromise

The April 2025 attack on UK retailer Marks & Spencer (M&S) disrupted operations across the country, resulting in a 5-day shutdown of online sales that equated to an average of £3.8 million ($5.1 million) in daily losses.

Attackers linked to the Scattered Spider hacking group are believed to have gained initial access by posing as an M&S employee and contacting a third-party help desk. A password reset was performed, giving them legitimate credentials and eliminating the need to exploit any technical vulnerability.

From there, the attackers used their Active Directory access to extract the NTDS.dit file, the database that stores password hashes for all domain users. Scattered Spider was then able to crack those hashes offline to recover additional credentials.

With valid accounts and increased privileges, the attackers moved laterally using common tools and normal-looking login activity, maintaining access for several weeks. Once they had enough privileges, they deployed ransomware, encrypting the systems that supported payments, e-commerce, and logistics. M&S was forced to take services offline, disrupting operations and customer transactions.

Securing the service desk

The challenge with social engineering attacks like the M&S breach is that they don’t look suspicious. From the help desk’s perspective, it’s just another user requesting a password reset.

This is why the service desk is such a target, and why relying on basic checks is not enough to protect the reset process. Without a reliable way to verify who is on the other end of the call, it’s easy for a routine request to become a loophole.

Solutions such as Specops Secure Service Desk let help desk teams verify a user’s identity before any reset takes place. Instead of relying on guesswork, agents can trigger a one-time code to a trusted device or use existing identity providers like Duo or Okta.

Every request follows the same steps, so verification is neither optional nor dependent on the individual operator. This means attackers cannot rely on the tactics used in the M&S case. Even if they have valid background information, they still need access to the user’s registered device or identity provider, something that is very difficult to spoof over the phone.

Verizon’s Data Breach Investigations Report found that stolen credentials were involved in 44.7% of breaches.


Password reset best practices

For organizations that already have a solution like Specops Secure Service Desk in place, the following best practices will help teams ensure that those standards are applied consistently.

1. Encourage self-help where possible

Not all password resets need to go through the help desk. In fact, reducing that dependency is one of the easiest ways to reduce both cost and risk.

If you already have a self-service password reset solution, the focus should be on driving adoption. Make sure users know how to register, understand how it works, and feel confident using it when needed. This can be as simple as a short guide with clear onboarding instructions for new users.

2. Use secure temporary credentials

Even a verified reset is risky if the hand-off is weak. Reading a temporary password out over a voice call or sending it in an unencrypted email creates a window of opportunity for attackers. Temporary credentials must be strong, one-time use, and delivered over an encrypted channel. If the reset stays active for longer than a few minutes, it is at risk of interception.
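The properties above (strong, single-use, short-lived) can be enforced in code. The following is an added example, not Specops code: it issues a random temporary password, stores only a salted hash with an expiry (assumed here to be five minutes), and accepts it exactly once. The store, function names and the 20-character length are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import string
import time
from typing import Optional

TEMP_TTL_SECONDS = 300  # assumption: a temporary credential expires after 5 minutes
ALPHABET = string.ascii_letters + string.digits

# In-memory store for pending resets: username -> record with only the hash, never the plaintext.
_pending: dict = {}


def _digest(secret: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked store does not give away temporary passwords.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def issue_temp_password(username: str, now: Optional[float] = None, length: int = 20) -> str:
    """Generate a strong random temporary password and record its hash with an expiry.
    The returned plaintext is delivered to the user once (over an encrypted channel) and not stored."""
    now = time.time() if now is None else now
    plaintext = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = secrets.token_bytes(16)
    _pending[username] = {
        "salt": salt,
        "digest": _digest(plaintext, salt),
        "expires": now + TEMP_TTL_SECONDS,
        "used": False,
    }
    return plaintext


def redeem_temp_password(username: str, candidate: str, now: Optional[float] = None) -> bool:
    """Accept the temporary password only once and only before it expires."""
    now = time.time() if now is None else now
    rec = _pending.get(username)
    if rec is None or rec["used"] or now > rec["expires"]:
        return False  # no pending reset, already consumed, or expired
    if not hmac.compare_digest(_digest(candidate, rec["salt"]), rec["digest"]):
        return False  # wrong value; constant-time comparison of the hashes
    rec["used"] = True  # single use: any replay of the same value is rejected
    return True
```

The redeem step would run at the point where the user sets their permanent password; a real deployment would back the store with the identity system rather than a process-local dict.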

3. Monitor the password reset function

Tracking how and when resets occur can highlight both security issues and process gaps. Look for patterns like frequent resets, repeated help desk requests, or users struggling with self-service. These can indicate anything from a poor user experience to potential abuse.

Regular monitoring also helps to reinforce good habits. If users aren’t using self-service or are repeatedly running into problems, it’s time to step in with clear guidance. Over time, this reduces the burden on the help desk and makes resets more predictable and, importantly, more secure.
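One way to turn the patterns above into a check, as an added example rather than anything from the page or from Specops: parse reset audit records and flag users with repeated successful resets inside a window (possible abuse) and users whose self-service attempts failed before they fell back to the help desk (self-service friction). The log format and the sample lines are constructed for illustration, as are the thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs): timestamp channel agent user outcome
SAMPLE_LOG = """\
2025-04-14T08:02:11Z sspr     -       jsmith success
2025-04-14T09:15:40Z sspr     -       pjones failed
2025-04-14T09:18:02Z sspr     -       pjones failed
2025-04-14T09:21:30Z helpdesk agent07 pjones success
2025-04-14T10:05:00Z helpdesk agent03 mreyes success
2025-04-14T13:42:10Z helpdesk agent11 mreyes success
2025-04-14T17:30:55Z helpdesk agent03 mreyes success
2025-04-15T08:00:00Z sspr     -       jsmith success
"""


def parse_log(text):
    """Turn whitespace-separated audit lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        ts, channel, agent, user, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "channel": channel, "agent": agent, "user": user, "outcome": outcome})
    return events


def find_reset_anomalies(events, window=timedelta(hours=24), max_resets=3):
    """Return {user: set(findings)}. Thresholds are assumptions to tune per environment."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        # max_resets or more successful resets within one window: review for abuse
        ok = [e for e in evs if e["outcome"] == "success"]
        for i in range(len(ok) - max_resets + 1):
            if ok[i + max_resets - 1]["ts"] - ok[i]["ts"] <= window:
                findings.setdefault(user, set()).add("frequent_resets")
                break
        # help desk reset preceded by a failed SSPR attempt in the window: self-service friction
        for i, e in enumerate(evs):
            if e["channel"] == "helpdesk" and any(
                p["channel"] == "sspr" and p["outcome"] == "failed" and e["ts"] - p["ts"] <= window
                for p in evs[:i]
            ):
                findings.setdefault(user, set()).add("sspr_friction")
                break
    return findings
```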

4. Equip and train the help desk

The help desk still steps in when something doesn’t follow the usual path or users need additional support. That only works if agents have the right tools and clear direction. Identity verification must be consistent, not left to individual judgment.

Agents should also have visibility into the reset process and a defined policy to follow whenever a request is ambiguous. With the right setup, the help desk becomes an important control point in preventing unauthorized access.

Protect your password reset with Specops

Attackers don’t need to hack in if they can simply ask for access, so verifying identity during password reset requests is a must. With the right tools and a solid process, the help desk becomes a strong line of defense. Without them, it’s an easy entry point.

If you’re looking to strengthen your password reset process, Specops can help you put the right controls in place.

Contact us today or book a demo to see our solutions in action.

Sponsored and written by Specops Software.