How does SecureLogin handle the use of weak passwords?

  • 7940268
  • 19-Aug-2009
  • 17-Jan-2014

Environment

SecureLogin
SecureLogin SSO
All Versions

Situation

Question

Some password management software, such as password synchronization and password reset, makes (or allows users to make) all passwords the same. How does SecureLogin approach the use of weak passwords?

Resolution

Answer

One of the main reasons organizations investigate password management solutions is security. Passwords are inherently weak. They can be guessed or hacked, are often written down, and are prone to a culture of sharing. It is common today to walk around offices and find users’ passwords written on small pieces of paper or in diaries, sitting next to or even on their computers. They write them down because they are unable to remember so many passwords. To combat this problem, users often try to use the same password for all systems. This weakens network security and compromises data on your network, so why would an organization implement this as an automated solution?

SecureLogin SSO allows different passwords for different systems and can even randomly generate them. Users only need to remember one password, but all the passwords to access applications are actually different. Because SecureLogin generates, remembers, and enters passwords, they can be complex and strong, even with unprintable characters. Users - the weak link - have been removed.

Using the same password to authenticate to all systems is a major security hole and one that reputable IT auditors and security architects will find unacceptable. Whilst some application passwords are secure and stored encrypted because they host sensitive data, other passwords are easily cracked or "sniffed" on the network. Some applications even keep passwords in .INI files. If someone finds out a password for one system, all they need then is their user ID for the other systems, and they're in (in some organizations, they have the same ID on all systems and/or the user ID is remembered by the application, which makes it even easier to access).

This is EXACTLY how password synchronization works. Instead of the user making passwords the same manually, password synchronization automates it, propagating the weakness to all systems even if a user wouldn't normally do so. To make matters worse, users will synchronize as many passwords as possible (especially since IT is endorsing the idea), including those for personal applications they access from their home computer, which family members and friends often know the password to. Because all passwords are the same, someone who hacks, guesses or finds out the password to the calendar or email, for example (because the user told them or because it was written down), can log on to the Finance System and transfer money, look up someone's personal information on the HR system, or access sensitive data. Furthermore, when a user leaves your organization, they still know (and can share or use) their passwords to access all systems.

SecureLogin improves security by allowing a user to have complex passwords that are different on all systems, without the user having to remember these passwords. SecureLogin remembers all the usernames and passwords to access applications. The passwords are different on all systems and are not synchronized. Once SecureLogin is installed, staff need only remember their password to access the network and once authenticated, they access their applications and resources with ease. This means the user only needs to remember one password, but on the actual application backend, the passwords are all different.

When an application password expires, SecureLogin can optionally randomly generate a complex password and store it, meaning users no longer know passwords to applications and cannot share them or write them down. When they leave your organization, they don’t know their application passwords. SecureLogin’s random password generation and policies, which can be centrally configured per application or for all applications, can even enforce strong passwords and password expiry on systems that don’t have the ability to do so themselves.
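As an added illustration (not SecureLogin's own code or configuration schema), the following Python models the argument of the two paragraphs above: a hypothetical per-application policy, CSPRNG generation of a compliant password, client-side expiry enforced even where the backend has none, and the blast radius of one leaked password in a synchronized vault versus a vault of unique per-application passwords. All class and function names and the sample credentials are constructed for this example.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical per-application policy; not SecureLogin's real configuration format.
@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 16
    min_classes: int = 3        # how many of the four character classes must appear
    max_age_days: int = 90      # expiry enforced by the client, even if the backend never expires passwords

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!#$%&()*+,-./:;<=>?@[]^_{|}~",
)

def complies(password: str, policy: PasswordPolicy) -> bool:
    """True if the password meets the policy's length and character-class requirements."""
    classes_present = sum(any(c in cls for c in password) for cls in CHARACTER_CLASSES)
    return len(password) >= policy.min_length and classes_present >= policy.min_classes

def generate_password(policy: PasswordPolicy) -> str:
    """Draw a policy-compliant password from the OS CSPRNG; retry until it complies."""
    alphabet = "".join(CHARACTER_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.min_length))
        if complies(candidate, policy):
            return candidate

@dataclass(frozen=True)
class Credential:
    app: str
    username: str
    password: str
    set_on: date

def rotate_if_expired(cred: Credential, policy: PasswordPolicy, today: date) -> Credential:
    """Replace an aged password with a fresh random one the user never sees."""
    if today - cred.set_on >= timedelta(days=policy.max_age_days):
        return Credential(cred.app, cred.username, generate_password(policy), today)
    return cred

def apps_exposed_by(leaked_password: str, vault: list) -> set:
    """Blast radius of one leaked password: every app whose stored password matches it."""
    return {c.app for c in vault if c.password == leaked_password}

# Constructed sample data: a synchronized vault versus a per-application random vault.
APPS = ("email", "hr", "finance")
SYNCED = [Credential(a, "jsmith", "Summer2009!", date(2009, 8, 19)) for a in APPS]
POLICY = PasswordPolicy()
UNIQUE = [Credential(a, "jsmith", generate_password(POLICY), date(2009, 8, 19)) for a in APPS]
```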

With SecureLogin, you can optionally eliminate passwords altogether using biometric, smartcard or token-based authentication, even to applications that know nothing about them. Users wouldn't need to know any passwords, and authentication to all applications would be performed using strong proof of identity.

Note: If you want the ease of password synchronization with the security of having unique passwords for all systems, you could implement virtual password synchronization or application re-verification as described in the Knowledgebase.