Sunday, September 15, 2013

Password Management

Passwords are ubiquitous in every corporate environment. How a company manages these passwords plays a vital role in its overall security program. There are trade-offs that have to be considered when developing a password management system. A user can be required to have a separate password for every resource, thus minimizing the damage if one of the passwords is compromised. The downside to this is that no one wants, quite reasonably, to memorize fifteen passwords. As a result, users write the passwords down on sticky notes and cleverly hide them under their keyboards. On the other hand, single sign-on technology can be used to allow a user to enter one password and gain access to all the resources they need. It's easy to remember one password, but if an attacker should acquire it there is nothing to stop them from compromising all of the systems. To manage these trade-offs there are three common approaches, summarized below.

Password Synchronization

Password synchronization works much like single sign-on technology. The software eliminates the need to maintain multiple passwords by synchronizing a single password across all of the systems it operates with. This technique can be very easy on users and on the help-desk, as the need to reset forgotten passwords is drastically reduced.

Self-Service Password Reset

Self-service products give users the ability to reset their own password. By asking a user to answer security questions such as mother's maiden name, the high school they graduated from, or first pet's name, a user can verify their identity and reset a forgotten password on their own. This can reduce the workload for the help-desk, but does require more time and effort on the user's end should a password need to be reset.

Assisted Password Reset

Some products assist the help-desk in resetting passwords for users. When a user forgets a password, they can call the help-desk and request a password reset. The help-desk will have the user answer a series of security questions to verify their identity. It is important that the help-desk not be able to directly view a user's password, as that would be a security risk. After verifying the user's identity, the help-desk can set up a one-time password to allow the user to log in. The user should immediately change their password.
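The assisted-reset flow described above, as an added Python example that is not from the original post: the help-desk issues a random one-time password, the store keeps only salted hashes (so nobody on the help-desk can read a user's password), and the user is forced to change it on first login. The in-memory user store, the function names and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed in-memory user store for this example; a real deployment would
# use a directory or database. Only salted hashes are stored, so the help-desk
# can issue a reset but can never read a user's current password.
users = {}


def _hash(secret, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed, illustrative value.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


def set_password(username, password, must_change=False):
    salt = os.urandom(16)
    users[username] = {
        "salt": salt,
        "hash": _hash(password, salt),
        "must_change": must_change,
    }


def helpdesk_reset(username):
    """Called by the help-desk after the user has answered the security
    questions. Returns the one-time password exactly once, to be read to the
    user; only its hash is retained, and the old password is replaced."""
    alphabet = string.ascii_letters + string.digits
    otp = "".join(secrets.choice(alphabet) for _ in range(12))
    set_password(username, otp, must_change=True)
    return otp


def login(username, password):
    rec = users.get(username)
    if rec is None:
        return "denied"
    # Constant-time comparison of the stored hash against the candidate.
    if not hmac.compare_digest(rec["hash"], _hash(password, rec["salt"])):
        return "denied"
    # A one-time password gets the user in only far enough to set a new one.
    return "change_required" if rec["must_change"] else "ok"


def change_password(username, old_password, new_password):
    # Accepts either the current password or an unexpired one-time password;
    # once the user picks their own password the one-time one is retired.
    if login(username, old_password) == "denied":
        return False
    set_password(username, new_password, must_change=False)
    return True
```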
