Hmm, it sounds like your company is pretty lax when it actually comes to resetting your password.
If I lock myself out of the system, I physically have to go to the IT department and have my fingerprint scanned before they will unlock it. And we have 2-step authentication at work: our CAC card and a PIN. It is conceivable that one could guess the PIN, but the card encryption is more difficult to crack--especially since I keep my card in an RFID-proof sleeve when I am not using it. Yes, I do work for the government.
Sorry if I gave the wrong impression. The phone call to local IT service desk is just to unlock the account so I can try again. Screening questions to establish identity are asked. Cannot reasonably go to local IT department physically as it is a 50-mile one-way trip from my office to their location.
Changing the password can be done online once I am admitted to the system by entering the correct password at two separate control portals. We use CAC and PINs for routine Govt unclassified system access. Access to the VPN is two-part: password and a changing random number generated from an application tied to a pre-registered verified identity.