Password management
There are several forms of software used to help users or organizations better manage passwords:
- Intended for use by a single user:
- encryption key as well. Password managers are also referred to as password wallets.
- Intended for use by multiple users or groups of users:
- Password synchronization software is used by organizations to arrange for different passwords, on different systems, to have the same value when they belong to the same person.
- Self-service password reset software enables users who forgot their password or triggered an intruder lockout to authenticate using another mechanism and resolve their own problem, without calling an IT help desk.
- Enterprise single sign-on software monitors applications launched by a user and automatically populates login IDs and passwords.
- Web single sign-on software intercepts user access to web applications and either inserts authentication information into the HTTP(S) stream or redirects the user to a separate page, where the user is authenticated and then sent back to the original URL.
- Privileged password management (used to secure access to shared, privileged accounts).
Privileged password management
Privileged password management is a type of password management used to secure the passwords for login IDs that have elevated security privileges. This is most often done by periodically changing every such password to a new, random value. Since users and automated software processes need these passwords to function, privileged password management systems must also store these passwords and provide various mechanisms to disclose these passwords in a secure and appropriate manner. Privileged password management is related to
Examples of privileged passwords
There are three main types of privileged passwords. They are used to authenticate:
Local administrator accounts
On Unix and Linux systems, the
Service accounts
On the Windows operating system, service programs execute in the context of either the built-in system account (highly privileged, but with no password to manage) or a user account. When a service runs as a non-system user, the service control manager must supply that account's login ID and password to start the service program, so service accounts have passwords. On Unix and Linux systems, init and inetd can launch service programs as non-privileged users without knowing their passwords, so services do not normally have passwords.
Connections by one application to another
Often, one application needs to be able to connect to another, to access a service. A common example of this pattern is when a web application must log into a database to retrieve some information. These inter-application connections normally require a login ID and password and this password.
Securing privileged passwords
A privileged password management system secures privileged passwords by:
- Periodically changing each password to a new random value.
- Storing these values.
- Protecting the stored values (e.g., using encryption and replicated storage).
- Providing mechanisms to disclose these passwords to various types of participants in the system:
- IT administrators.
- Programs that launch services (e.g., service control manager on Windows).
- Applications that must connect to other applications.
Required infrastructure
A privileged password management system requires extensive infrastructure:
- A mechanism to schedule password changes.
- Connectors to various kinds of systems.
- A mechanism to update the various participants with new password values.
- Extensive auditing.
- Encrypted storage.
- Authentication for parties that wish to retrieve password values.
- Access controls and authorization to decide whether password disclosure is appropriate.
- Replicated storage to ensure that hardware failure or a site disaster does not lead to loss of data.
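As an added example (not code from the original page or from any particular product), the following standard-library-only Python sketch ties together the three sections above: the account types (a local administrator account and a service account on a constructed fake host, plus an application that consumes the service account's password), the securing steps (periodic rotation to a random value, sealed storage, authenticated and authorized disclosure, auditing) and the infrastructure list (scheduler hook, connectors, participant updates). All names are hypothetical: Vault, seal/unseal, rotate_due, checkout, the connectors/dependents callables and the accounts root@db01 and svc_backup@db01. The encryption is a toy encrypt-then-MAC built from HMAC-SHA256 so the example runs without third-party packages; a real system would use an AEAD such as AES-GCM with the key held in an HSM or KMS, and would persist and replicate the entries rather than keep them in memory.

```python
"""Minimal privileged-password vault (illustrative example, not a product's code)."""
import hashlib
import hmac
import os
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

def random_password(length: int = 24) -> str:
    """New random value for a privileged account, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, i = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:n]

def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce.  Toy construction (HMAC-SHA256
    keystream) so the example has no dependencies; production uses an AEAD."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(master: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered blobs."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("stored password failed integrity check")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class Vault:
    def __init__(self, master_key, rotation_seconds, connectors, dependents=None, clock=time.time):
        self.master = master_key
        self.rotation_seconds = rotation_seconds
        self.connectors = connectors          # account -> callable(new_pw) that sets it on the target
        self.dependents = dependents or {}    # account -> [callable(new_pw)] consumers to update
        self.entries = {}                     # account -> {"sealed": bytes, "rotated_at": float}
        self.policy = {}                      # account -> set of principals allowed to check out
        self.credentials = {}                 # principal -> sha256(api_key); never the key itself
        self.audit = []                       # append-only event list
        self.clock = clock                    # injectable for testing the scheduler

    def _log(self, **event):
        self.audit.append({"ts": self.clock(), **event})

    def register_principal(self, name: str, api_key: str):
        self.credentials[name] = hashlib.sha256(api_key.encode()).digest()

    def grant(self, account: str, principal: str):
        self.policy.setdefault(account, set()).add(principal)

    def rotate(self, account: str) -> None:
        """Set a new random password on the target, seal it, then push it to dependents.
        (If the target accepts the change but the store write fails, the value is lost;
        real products write a pending record first and reconcile on failure.)"""
        new_pw = random_password()
        self.connectors[account](new_pw)
        self.entries[account] = {"sealed": seal(self.master, new_pw.encode()),
                                 "rotated_at": self.clock()}
        for notify in self.dependents.get(account, []):
            notify(new_pw)
        self._log(event="rotate", account=account)

    def rotate_due(self) -> list:
        """Scheduler hook: rotate every account whose password has aged past policy."""
        now = self.clock()
        due = [a for a, e in self.entries.items() if now - e["rotated_at"] >= self.rotation_seconds]
        for account in due:
            self.rotate(account)
        return due

    def checkout(self, principal: str, api_key: str, account: str, reason: str) -> str:
        """Disclose a password only to an authenticated, authorized principal; audit either way."""
        stored = self.credentials.get(principal)
        presented = hashlib.sha256(api_key.encode()).digest()
        if stored is None or not hmac.compare_digest(stored, presented):
            self._log(event="checkout_denied", account=account, principal=principal, why="authn")
            raise PermissionError("authentication failed")
        if principal not in self.policy.get(account, set()):
            self._log(event="checkout_denied", account=account, principal=principal, why="authz")
            raise PermissionError("not authorized for this account")
        password = unseal(self.master, self.entries[account]["sealed"]).decode()
        self._log(event="checkout", account=account, principal=principal, reason=reason)
        return password
```

A connector is whatever sets the password on the managed system (for a local administrator account, an SSH or WinRM session that runs the platform's password-change command); a dependent is a consumer such as the service control manager or a web application's database connection pool that must learn the new value on every rotation, which is what keeps the service running after the change. Denied checkouts are logged with the reason (failed authentication versus missing authorization) because those records are exactly what an investigator looks for after a suspected credential theft.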