Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

Get More Customization and Security Features with Password Reset Server 4.1

Written by Thycotic Team

April 22nd, 2015

Password Reset Server Account Lockouts

Sometimes, users forget their password, but they think that if they just try one more time they will get the right combination. If they are lucky, it works. If they are not lucky, all those failed logon attempts add up, and they end up locking out their Active Directory account.

No one wants to be locked out of their AD account. So, Password Reset Server 4.1 now allows administrators to set a max number of login failures. Once you hit the max, Password Reset Server will display an alert that the maximum login attempts has been reached and will not allow anyone to log into the account. During this lockout time, the login screen will still be viewable, and if a user or bot continues to try to log in, Password Reset Server will log that in its audit record.

The user’s Password Reset Server account will unlock after a set amount of time, or after the user follows the password reset instructions.  Administrators can choose users and/or groups to receive an email alert whenever a Password Reset Server account is locked out. Account lockouts are audited and can also be sent to SIEM.


In case you want to make sure Password Reset Server login attempts are from a human (or the admin performing them has had enough coffee to be a human), you can add CAPTCHA challenges.

The threshold when a user has to complete a CAPTCHA challenge is customizable, and once it appears on the Password Reset Server login screen, both the CAPTCHA and the password must be submitted correctly for ultimate login success. This adds security against password guessing attacks, particularly those using scripts or automation. You can also require a CAPTCHA challenge when users change their passwords, but not when resetting passwords, as the security questions are part of the password reset process.

Failing to complete a CAPTCHA challenge does not count as a login failure and cannot lock a user out of Password Reset Server. However, completing a CAPTCHA successfully, but providing the wrong password can cause a lockout.

CAPTCHA is enabled by default for new customers, but any customer who upgrades will need to configure it in the settings.


Password Reset Server enrollment used to have the option to send enrollment reminders manually. Now, you can automate the reminder emails and specifying an email interval in days.

When a user enrolls, they will still answer all of the required security questions, both individual questions and questions that are part of a group. But, when a user has to perform a password reset, they will now only have to provide an answer to one question out of a group.

The maximum characters an answer can contain is now 300 instead of 40, allowing for longer answers to questions.

Finally, an administrator can allow users to specify their own custom questions during enrollment – do this by adding the “user specified” question type to your security policy.

Other Additions to Password Reset Server 4.1

  • There is now an option to disable web services to block access to the API. This can be done on the Security tab of Configuration.
  • Expiration reports and emails now use an improved date format for better readability.
  • A Domain Controller can now be specified during configuration.



Like this post?

Get our top blog posts delivered to your inbox once a month.