Password management
There are several forms of software used to help users or organizations better manage passwords:
- Intended for use by a single user:
- Password manager software is used by individuals to organize and encrypt many personal passwords using a single login. This often involves the use of an encryption key as well. Password managers are also referred to as password wallets.
- Intended for use by a multiple users/groups of users:
- Password synchronization software is used by organizations to arrange for different passwords, on different systems, to have the same value when they belong to the same person.
- Self-service password reset software enables users who forgot their password or triggered an intruder lockout to authenticate using another mechanism and resolve their own problem, without calling an IT help desk.
- Enterprise Single signon software monitors applications launched by a user and automatically populates login IDs and passwords.
- Web single signon software intercepts user access to web applications and either inserts authentication information into the HTTP(S) stream or redirects the user to a separate page, where the user is authenticated and directed back to the original URL.
- Privileged password management (used to secure access to shared, privileged accounts).
Privileged password management
Privileged password management is a type of password management used to secure the passwords for login IDs that have elevated security privileges. This is most often done by periodically changing every such password to a new, random value. Since users and automated software processes need these passwords to function, privileged password management systems must also store these passwords and provide various mechanisms to disclose these passwords in a secure and appropriate manner. Privileged password management is related to Privileged Identity Management.
Examples of privileged passwords
There are three main types of privileged passwords. They are used to authenticate:
Local administrator accounts
On Unix and Linux systems, the root user is a privileged login account. On Windows, the equivalent is Administrator. On SQL databases, the equivalent is sa. In general, most operating systems, databases, applications and network devices include an administrative login, used to install software, configure the system, manage users, apply patches, etc. On some systems, different privileged functions are assigned to different users, which means that there are more privileged login accounts, but each of them is less powerful.
Service accounts
On the Windows operating system, service programs execute in the context of either system (very privileged but has no password) or of a user account. When services run as a non-system user, the service control manager must provide a login ID and password to run the service program so service accounts have passwords. On Unix and Linux systems, init and inetd can launch service programs as non-privileged users without knowing their passwords so services do not normally have passwords.
Connections by one application to another
Often, one application needs to be able to connect to another, to access a service. A common example of this pattern is when a web application must log into a database to retrieve some information. These inter-application connections normally require a login ID and password and this password.
Securing privileged passwords
A privileged password management system secures privileged passwords by:
- Periodically changing each password to a new random value.
- Storing these values.
- Protecting the stored values (e.g., using encryption and replicated storage).
- Providing mechanisms to disclose these passwords to various types of participants in the system:
- IT administrators.
- Programs that launch services (e.g., service control manager on Windows).
- Applications that must connect to other applications.
Required infrastructure
A privileged password management system requires extensive infrastructure:
- A mechanism to schedule password changes.
- Connectors to various kinds of systems.
- Mechanism to update various participants with new password values.
- Extensive auditing.
- Encrypted storage.
- Authentication for parties that wish to retrieve password values.
- Access controls and authorization to decide whether password disclosure is appropriate.
- Replicated storage to ensure that hardware failure or a site disaster does not lead to loss of data.
External links
- Privileged Identity Management, IDC Defines an Identity and Access Management Submarket (from IDC but hosted by Cyber-Ark)
- Best Practices for Securing Privileged Accounts (from Hitachi ID Systems, Inc.)