Kisco Solidifies Self-Service Password Reset Tool
August 19, 2014 Alex Woodie
Kisco Information Systems has significantly improved its self-service password reset tool for IBM i, iResetMe. With version 2, unveiled this month, Kisco has made the tool more automated and easier to use. And by adding support for stronger passwords and by encrypting challenge questions, it has made it much more secure as well.
iResetMe is designed to allow users to reset their own passwords, thereby relieving the IT help desk of the oft-requested task. The Kisco tool, which debuted in January of this year, lets a user establish a new password after verifying his identity by successfully answering up to five challenge questions set during the enrollment process. The product is completely Web-based and is served natively from the IBM i OS using the Apache HTTP server.
iResetMe has always encrypted the HTTP session between the server and the client. And now with iResetMe version 2, iResetMe can also encrypt the challenge response questions stored on the IBM i server. This would seem to be a logical feature to add, especially considering the poor password hygiene affecting many IBM i shops. It’s never a good idea to store the keys to the kingdom in a public area–especially if iResetMe is controlling powerful user profiles with *ALLOBJ authorities–so hiding the challenge questions will close the door on a possible ingress point for hackers and insider threats alike.
Another major new feature in version 2 is the capability to automatically send email notifications–along with a link to begin the password reset process–when a user’s profile has been disabled and he has been locked out of the system. This will help streamline the password-reset process (and possibly cut down on calls to the help desk) when a user’s password expires. It will also encourage good password hygiene by allowing organizations to adopt more aggressive password-reset timetables while minimizing the impact on users.
The third major new feature in iResetMe is support for IBM i password levels 2 and 3, which are significantly stronger than the previously supported password levels 0 and 1. Password levels 0 and 1 are limited to 10 characters, and limited to using the letters A through Z in addition to the dollar sign ($), at sign (@), number sign (#), and underscore (_) characters. Password level 2 supports passphrases up to 128 characters long and allows users to use any keyboard characters. Password level 2 also can tell the difference between upper case and lower case characters, a differentiation that most people have become accustomed to in their password travels (travails?) across the World Wide Web.
Kisco also added this minor new feature: During password resets, the software now presents the user with the current password rules in effect, such as the password length or the requirement to have special characters, numbers, or upper case letters. The password rules are configured in the normal way through IBM i, so iResetMe doesn’t have any control over these, but reminding users through the Web browser is a nice touch that will save users time.
The only connection iResetMe has to the IBM i password utility is through an IBM i password check API that it calls. After each check, the password is deleted. “Even a memory dump would not reveal any password information,” Kisco says.
Pricing for iResetMe has not changed, and starts at $495 for a single-partition, 25-user license and tops out at $1,295 for a single-partition, unlimited-user license. The company also sells 50-user and 100-user licenses. The software supports i5/OS V5R4 through IBM i 7.1. For more information see www.kisco.com.