Password Management in the Enterprise

Thursday, October 28, 2010

Robb Reck


Preface: I am not on the payroll for any vendor. This is not a paid endorsement/advertisement. I am simply sharing what I have found in my research in the Enterprise password management space.

Password management is an essential part of every organization’s security program. Even if you have a well-implemented single sign-on (SSO) solution, your employees will still need to remember and use passwords for new external websites.

The demands we put on our employees to remember more and more passwords, and to make those passwords more and more complex, have become unmanageable.

Consider all the rules we ask our employees to follow:

  • Passwords must be at least [X number] characters long
  • Must include special characters, capitals, numbers, etc.
  • Change your passwords every [X number] of days
  • Use a different password for every system
  • Do not use a predictable pattern in your passwords
  • Don’t write your passwords down anywhere

These demands usually lead to one of two results. Either the users will write passwords down (often in a text or Word document on their computer’s desktop) or they ignore the rules and reuse passwords between systems.

Some of our more technical and security-savvy users will go find a tool like Password Safe (or one of the many others like it), which does a wonderful job of giving the users a safe place to put passwords, but is very clunky in an Enterprise environment.

These types of tools do not accommodate passwords that need to be shared between users, and do not allow integration with Active Directory or role-based permissioning. And when an employee leaves the organization, those passwords are lost, potentially leaving the employer in the lurch.

There are several products that attempt to work in this space, but most of them offer SSO-type functionality. While there is certainly a place for that in some organizations, it requires a very significant amount of back-end configuration by the IT department. And whenever a new application gets added, there need to be configuration changes to support it.

What I want is a tool that works like Password Safe, allowing users to create and manage all their own passwords with little to no interaction from IT, but still allows centralized management and ease of deployment. After looking through dozens of tools, I have found that Thycotic Software’s Secret Server meets all of my needs.

The technology really is pretty simple. The system can tie into Active Directory for authentication and group memberships.

By default, users have their own secure area where they can create as many system passwords (which this system calls “secrets”) as they want. They can either create secrets just for their own use or they can assign permissions to other users or groups in the system.

Secret Server allows users to create auto-launcher links within the secrets. These launchers will open a web browser, SSH, or Remote Desktop connection to a system with the username and password pre-populated.

Moreover, the system can be configured so that the password is not even visible if there is a launcher available. I can give you access to sign in with my account without you ever actually knowing my password.

Secret Server can also be used to automatically change passwords on a predetermined schedule. So if you don’t want to have to log into that server every 90 days to change your password, you can tell Secret Server to do it. Then when you need the password you just log in and get it.

Secret Server is not perfect. It’s got a sizable price tag. The UI leaves something to be desired, and some of the administration configuration can use a little work.

But overall it’s a powerful tool that provides users with a real option for saving their passwords in a secure location, eliminating the need to memorize dozens of 8+ character complex passwords.

In a world where security is continually becoming more onerous for our users, this tool can help stem that tide just a little bit.

Cross-posted from Enterprise InfoSec Blog from Robb Reck

Daives bursten: I have been using SplashID and there is an enterprise edition too. It is a very good tool as it is very secure and easy to handle at the same time. Cloud scalability is also available.