Testimonials Blog Case Studies About Remote Support Client Resources
IT Tips · July 21, 2026

"Just Reset the Password" Is Not a Security Strategy

A weak self-service reset flow, no MFA, and a shared or reused password add up to one thing: a door anyone can walk through if they ask the right question.

Someone forgets a password, and the fix is almost always the same: reset it, hand over a new one, move on. It feels like a solved problem. It isn't - it's a workaround that quietly assumes the person asking for the reset is who they say they are, every single time.

Where it actually breaks down

Self-service reset flows built around a security question or a personal email are easier to get around than most people assume - a lot of that "secret" information isn't secret at all anymore. A helpdesk that resets a password over the phone based on a name and a request is trusting a voice, not a person. And if that account doesn't have multi-factor authentication turned on, the new password is the only thing standing between an attacker and everything in that inbox.

Layer on the habit of reusing the same password across a work account and a dozen personal ones, and a breach at some completely unrelated website can hand someone the keys to your business email without them ever touching your network directly.

What actually holds up

MFA on every account, no exceptions, closes off the single biggest gap - a stolen or guessed password alone stops being enough to get in. A real identity verification step before any reset, not just a name and a claim, keeps the reset process from becoming the weak link itself. And strong, unique passwords - ideally generated rather than remembered - remove the reused-password problem entirely.

If your team is picking their own passwords out of habit, a free password and passphrase generator is a quick way to start building better ones - you can find ours at /tools/password-generator/.

Resetting a password when someone forgets it is a support task. Making sure the right person is on the other end of that request is a security task - and it's the one that actually matters.

Not sure where you stand?

Get a free security check.

We'll take a look at how your team handles logins and resets and tell you straight where the gaps are.

More from the blog