The password reset is the bread and butter of the Service Desk, and precisely because it’s so routine, it’s where good habits matter most. A reset handed to the wrong person is a door held open for them.
The four steps
Section titled “The four steps”- Verify identity. Confirm you’re really talking to the account’s owner, using your team’s approved method. This comes first, every single time. Never skip it because someone’s in a hurry.
- Reset by policy. Set a new password (or temporary one) that meets your organisation’s rules for length and complexity.
- Force a change at next sign-in. With “change at next logon” set, the temporary password you just saw becomes useless the moment the user signs in: only they know the real one.
- Confirm sign-in. Don’t close the ticket on hope. Have the user actually log in, so you both know it’s fixed.
Common gotchas
Section titled “Common gotchas”- Cached credentials. Phones, tablets, and other devices often keep trying the old password after a reset, which can look like the reset failed, or even re-lock the account. Update the password on those devices too.
- Synced accounts. In many environments one identity syncs across services, so a change can take a short while to propagate everywhere.
- Communicate securely. Share a temporary password through an approved channel, never somewhere it can linger, and never with anyone but the verified owner.