Password Recovery Services Best Practices

Recently, I helped a client recover the password to a Microsoft Excel spreadsheet. In doing so, I came up with a few best practices for password recovery services:

  1. Prior to starting any work on a password recovery project, the service provider should require the client to sign an agreement whereby the client:
    1. Attests to ownership of the system or file and their right to engage the service provider to recover the password;
    2. Gives permission to the service provider to recover the password to the system or file; and
    3. Gives permission to the service provider to access the system or file for the purpose of confirming that the password recovery was successful.
  2. Best practices for the communication and storage of passwords should be applied to recovered passwords. For example:
    1. Don’t communicate passwords in clear text;
    2. Don’t store passwords in clear text; and
    3. Change passwords if there’s any chance they’ve been compromised.
  3. The provider and the client should have a reciprocal non-disclosure agreement in place.

Do you have any additional ideas for best practices for how password recovery service providers and clients should work together? If so, leave a comment!

Clint Laskowski

Hello! My name is Clint Laskowski, and I'm an Information Security Professional who helps clients identify, assess, treat, and monitor risks to information and information systems. I'm also very interested in web development and the Milwaukee-area startup scene.