Managing passwords is still a challenge for the enterprise
Connecting state and local government leaders
Despite the growth in the use of digital certificates, passwords remain the most common credential for access control, and administrators need all the help they can get to manage them.
SAN FRANCISCO — On one hand, passwords are a simple and effective method of managing access to online resources. They are easy to deploy and policies can be implemented that require adequate complexity to ensure the needed level of security.
But they don’t really scale well. The overhead required to manage passwords for a large population of users can overwhelm a help desk, and managing large numbers of passwords can be complex for end users. The problems are magnified by requirements for complex passwords that must be regularly changed. Still, passwords are not disappearing despite the proliferation of certificates, tokens and other schemes for access management, and tools for managing them are still in evidence at this week’s RSA Security Conference.
Among the most secure password systems are those that use the principles of least privilege and need to know, which limit the user’s ability to access resources to only that which is necessary to do the job at hand, said Phil Lieberman, president of Lieberman Software Corp.
“There is no single password or single account that gets you into everything,” Lieberman said. However, such systems are seldom implemented fully. “The security people like it and the CIO and other executives like it, but most IT organizations hate the concept” because it complicates their job by requiring they obtain passwords for specific jobs that need to be done. “They find a way of not implementing it.”
At the opposite end of the password spectrum is single sign-on, a concept that could help make passwords manageable by reducing the need to have multiple passwords for multiple accounts. However, this is easier said than done.
“It’s a holy grail that no one can achieve,” said Bill Carey, vice president of business development for Siber Systems Inc. of Fairfax, Va. It is expensive and hard to implement. “What we’re finding is that people are walking away from the projects.”
Siber Systems offers a scheme for simplified password management in its Roboform tool, which remembers passwords and remembers sign-on credentials for different accounts.
A client-side version of Roboform has been around since 1999. When it “sees” a user signing in to a site or account for the fist time, it asks if it should remember the user name and password. If told yes, it stores the data, along with the URL where it was used, in an encrypted file on the PC. In the future, the user can sign on to a site by clicking on a pass card in that file.
Demand from larger organizations led Siber Systems to create an enterprise version of Roboform being exhibited at RSA.
“What we did for the enterprise version was create a policy editor,” Carey said. It allows large scale deployment to PCs and lets administrators set policies for password strength and online behavior, with white and black lists.
Those who still are juggling multiple passwords inevitably will need to have them reset, and Lieberman Software is introducing the latest version of its Account Reset Console that can help automate this task.
The console is a Web-based platform that lets users reset their own passwords when they need to be changed because of policy or when one is forgotten. Users log onto a secure portal site, authenticating themselves by password, if they still know it. If it has been forgotten, authentication is by a question and answer challenge. Although the platform can be used to direct password problems away from the help desk, it also can be used by help desks, Lieberman said.
“Not every customer wants to let people set their own passwords,” he said. “They want the help desk involved.”
Account Reset Console can be implemented on any server with credentials needed to access Active Directory. Questions and answers for the authentication challenge can be stored on a database with the console, or the console can access a separate database.
Lieberman is integrating support for RSA SecurID, which uses a password or PIN coupled with a one-time code generated by a token for two-factor authentication, into its reset console. The latest version also can be clustered to ensure high availability with failure and load balancing.
Lieberman said that inconveniences such as password management and resets always will be with us in a secure environment. Because of human nature, an appropriate level of security will always come with some trade-off, he said.