Recently, I helped a client recover the password to a Microsoft Excel spreadsheet. In doing so, I came up with a few best practices for password recovery services:
- Prior to starting any work on a password recovery project, the service provider should require the client to sign an agreement whereby the client:
  - Attests to ownership of the system or file and their right to engage the service provider to recover the password;
  - Gives permission to the service provider to recover the password to the system or file; and
  - Gives permission to the service provider to access the system or file for the purpose of confirming that the password recovery was successful.
- Best practices for the communication and storage of passwords should be applied to recovered passwords. For example:
  - Don’t communicate passwords in clear text;
  - Don’t store passwords in clear text; and
  - Change passwords if there’s any chance they’ve been compromised.
- The provider and the client should have a reciprocal non-disclosure agreement in place.
Do you have any additional ideas for best practices for how password recovery service providers and clients should work together? If so, leave a comment!