Password management systems: How to compare and use them

Whether standalone or integrated into IAM suites, password management tools aim to provide both security and convenience

With username and password prompts coming at users with every personal and professional login, every once in a while they're bound to forget which combinations go with which access requests.

Such lapses in digital memory can send users to help desks in droves.

Gartner data shows that password-related queries account for approximately 30 percent of total call volume for multipurpose help desks, says Gregg Kreizman, a research director at the firm.

But that call volume drops by an average of 70 percent when companies use password-management tools, he says.

Password-management tools reduce the help desk burden—staff- and cost-wise—by providing a self-service reset capability for users who have forgotten their version of "open sesame," even if they've gotten locked out of the application, system or website they're trying to log in to. In addition, password-management tools speed up access to resources for users who have forgotten their passwords.

[Also learn about privileged identity management systems]

With help-desk-related costs ranging from $3 to $18 per request, Kreizman says, it's easy to understand why reducing password reset requests is a primary driver for adopting password-management tools.

But password-management tools have other benefits, too. For example, they can streamline the change process by synchronizing access across multiple systems, and they can help companies strengthen and enforce password policies.

Use Cases

In the dozen or so years since their introduction, password-management tools have become enterprise staples.

At Partners HealthCare System, for example, Courion's PasswordCourier tool has been helping with password management since 2007, says Mary Buonanno, director of IS support services at the healthcare provider. Specifically, she says, Partners uses the tool to manage passwords for more than 80,000 accounts on Microsoft's Active Directory and RSA's SecurID-authenticated VPN. "We needed a tool to manage all those passwords, as we obviously couldn't do that through native Windows," Buonanno says.

"While some applications have their own password stores, anything that uses Active Directory for authentication gets the benefit of having PasswordCourier for managing passwords. We think it's important to do this at the front door, and then through policy and best practices manage passwords for all those departments that own their own applications," she says.

At Flagler College in St. Augustine, Fla., the password-management use case is more limited but has no less impact.

"We needed a tool with enough intelligence so that when we changed an administrative password on a server or system it would scour the network for dependent services and update their credentials. Otherwise those services stop working, and that's really no fun," says Brendan Hourihan, director of network and desktop support services at Flagler.

Using ManageEngine's Password Manager Pro, Hourihan says he can now change administrative passwords for the college's 50 or so servers with greater ease and confidence, not to mention greater frequency.

"We'd been hesitant to change passwords before we had this tool—that's the truth—because we never knew what tied to what until something broke. And that sometimes took days to discover," he says. "Now we can change passwords every 90 days or whenever we need to, and we use Password Manager Pro to discover and update the related credentials."

Evaluating the Tools

Courion's PasswordCourier and Manage­Engine's Password Manager Pro are two of many password-management tools ready for enterprise use. Others include Avatier's Password Station and Password Bouncer, Hitachi ID Systems' ID Password Manager and Omada's Password Manager.

When evaluating password-management tools, Kreizman advises companies to consider the following features:

  • The ability to reset passwords on all the systems you use. This often, but not always, means Active Directory alone or in conjunction with other systems. (Also read How to do password resets right.)
  • The ability to synchronize passwords across multiple systems. Most tools synch off a master repository (most commonly Active Directory) but some allow initiation from other target systems. In the latter case, an IBM AS/400 or mainframe user might be able to reset a password and propagate the change from there rather than having to initiate synchronization through Active Directory.
  • Availability of self-service reset capability, most typically through a browser or from the Windows sign-on interface.
  • Availability of an interactive voice-response interface, if you want to be able to use that as a self-service reset option.
  • Use of a challenge-and-response mechanism that a user must complete before gaining access to the self-service reset function. The questions should help users remember their passwords but be strong enough to make discovery difficult for an attacker.

Kreizman says enterprises might also consider whether a tool provides a help-desk interface for opening, closing and tracking incidents, and whether it integrates with more advanced authentication methods, such as RSA SecurID, which Partners uses in conjunction with PasswordCourier, or voice biometrics.

While standalone password-management tools can prove their worth quickly, they've matured to a point where they're not often sold on their own any longer. More typically, they're integrated into broader access- and identity-management suites, such as CA's Access Control, Cyber-Ark Software's Privileged Identity Management Suite and Novell's Identity Manager.

Best of Toolbox: tool evaluation and implementation

"There will always be people asking about just password-management tools and policies, but more and more people will be asking about these as part of identity and access management," says Andras Cser, a principal analyst with Forrester Research.

Kreizman agrees. "We take calls on pure password-management tools consistently throughout the year, but something like tenfold fewer than the ones we take on topics like enterprise single sign-on [SSO]," he says.

The assumption, in many cases, is that password management is part and parcel of an enterprise SSO deployment. "Even if you have single sign-on to a set of target systems, you still need a reset tool for the one password that gets you in," Kreizman says.

"In terms of password management, the bottom line is that we think in terms of managing identities and not just passwords," says David Sheidlower, CISO at Health Quest, a healthcare system.

For that, Health Quest uses Novell's Identity Manager to create, modify and disable credentials for approximately 6,500 users accessing a variety of systems. "We use the identity management for our Windows environment -- Active Directory, electronic medical records, a physicians' portal, and even for our physical badge system," Sheidlower says, noting that employees use the badges not only for physical building access but also for logging into shared workstations. They swipe their cards, which in turn initiates a Novell SecureLogin SSO session.

"With SSO, and ID managers in general, all passwords under identity management are synchronized. So when a user changes a password in one system, it changes in all systems," Sheidlower says.

For enterprises venturing into the world of software-as-a-service (SaaS) delivery, finding a password-management tool can prove a little trickier, Cser notes.

"Synchronizing passwords or sending passwords to SaaS applications can be difficult, so we're seeing SaaS applications increasingly being able to use federated access controls or SAML," he says, referring to the Security Assertion Markup Language, an XML-based open standard for exchanging authentication data between identity and service providers.

"Alternatively," Cser says, "they're using an identity portal like Symplified, Ping Identity or Conformity [now IronStratus], or they use AD FS [Active Directory Federation Services], which supports SAML."

But the easiest and cheapest way to provide password management in a SaaS environment is to use an application that can grab passwords from the on-premise Active Directory repository, he says. If that's not possible due to security concerns or other issues, then he recommends that companies use AD FS or SAML. If none of these options work, then consider one of the identity-portal providers, Cser says.

This last option was the most feasible for Geezeo, says James Elwood, vice president of technology for the company, which provides online banking solutions for banks and credit unions.

Geezeo integrated Ping's Ping­Federate Internet SSO with a personal financial management service it sells to banks and credit unions. These organizations then integrate that service with their online customer banking tools, Elwood says.

"We had to find a simple way to get our banking customers SSO-enabled and connected with [personal financial management], which we had deployed on Amazon [Elastic Compute Cloud]," he says.

However, Geezeo was concerned that it would be impossible to build a homegrown system that would meet all of its needs, Elwood says.

"This is when we decided to find an existing password-management [or] SSO solution that was flexible enough to integrate with the various infrastructures of our customers. Ping Identity has a standards-based approach that provided us the most flexibility," he says.

With password management, Elwood says, "our goal was to synchronize passwords across platforms and applications."

Marrying Tools and Policy

No matter what type of password-management tool—standalone, integrated with an identity- and access-management suite or available through the cloud—a company chooses, it must also apply smart policies. And while an organization doesn't always need password-management tools to enforce policy, the ability to do so is often a fringe benefit of such deployments, says Ant Allan, a Gartner research vice president.

"We know that some applications don't provide a way to define password policy, and so there's no way for an organization to enforce paper policies on a per-target basis for those kinds of applications. That's where a password-management tool can have a benefit, with password changes managed centrally and policies enforced at that level before passwords get pushed down to the target systems," he says.

The Golden Rule for passwords, which Allan admits is a bit glib, is that they should be long and complex—but not too much so.

"The length and complexity of passwords creates what experts call password entropy, which is a measure of how hard it is to break a password through a cracking method. So if your goal is to provide a level of protection against automated attacks and brute-force guessing of passwords, you should avoid simple passwords that would be easy for hackers to guess," he explains.

"But once you get to a certain level of complexity, you don't get significantly more benefit against those kinds of attacks, but you do start getting problems with end users not being able to remember their passwords, and that has a number of impacts," Allan says.

"Aside from disenchanting people with security, you'll also get a higher level of calls for password resets," which is where password-management tools with self-service features came in handy, he says.

All that said, Allan suggests the following guidelines for password selection: Passwords should not contain semantic content. In other words, no words, no plain-language phrases, no names, no user IDs, no dates, no phone numbers, and so on. Passwords should include at least one lowercase and one uppercase letter and at least one number, punctuation mark or other special character.

One effective practice is called initialism, which asks users to construct passwords from the first letter of each word of a favorite phrase, song, poem or the like.

"It's really a matter of finding balance and being aware of what constraints you have within your systems," Allan says.

"For example, organizations using IBM mainframe systems, limited to eight-character passwords, would have to go through complexity rules. But within a Windows environment, where extremely long passwords are involved, you might enforce length, not complexity," he says.

[Read more practical advice in How to write good passwords]

Password expiration is another major consideration, and it's often used to comply with regulatory requirements or in accordance with standard practices, though Allan says those haven't necessarily been proven to be best practices. Ninety days seems to be the accepted expiration rule, and it's applied at Flagler, Health Quest and Partners.

"Driving to work, parking the car, changing the password—it's a part of life here," says Partners' Buonanno.

"With 80,000 users, every day almost 1,000 people get notices that it's time to change their passwords. So we're flipping 80,000 passwords every 90 days," she says.

Health Quest's Sheidlower has a word of caution for dealing with password expirations with SSO. "It's another little [lesson] that comes up when you're synchronizing passwords across multiple systems," he says. "If you're going to let your identity manager or Active Directory be the driver of passwords and you're going to have passwords expire every X days, then you have to make sure all the other systems it's managing don't expire their passwords sooner than X days because, depending on your setup, that could break the link among the different systems," Sheidlower says.

"And you never want a situation with SSO where you're trying to go through multiple layers and it hits one system that has an expired password and all the other systems don't know about that," he adds. "That'll break SSO for that user."

While password-management tools enable enhanced security, organizations shouldn't forget one other huge benefit: increased security awareness among users, Buonanno says.

"By doing this," she says, "we're bringing our users along so they now feel like they're a part of making Partners a more secure computing environment."n

Copyright © 2011 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)