Definition of Password Synchronization
For instance, a user might have two Unix accounts, one NetWare NDS account and one Windows NT account. A Password Synchronization system is any system that helps the user change all of these passwords simultaneously, and thus keep them at the same value.
The security objectives of Password Synchronization are:
- To help users remember their passwords, so they don't write them down.
- To make it possible to control password strength across all platforms in a uniform fashion.
- To expire passwords on all systems simultaneously, rather than individually.
- To allow front-line helpdesk staff to reset passwords without having administrative rights to the systems where those passwords are stored.
Password Synchronization also reduces support costs, by:
- Helping users to remember their passwords, so they don't call the helpdesk as frequently.
- Reducing the time spent by users in password management.
- Making it possible for administrators to reset passwords on multiple systems of different types from a single screen.
- Allowing front-line helpdesk staff to reset passwords on unfamiliar platforms (e.g., mainframes, Unix systems, DBMS servers), with no special training.
While Password Synchronization indirectly affects the Authentication process, by updating Passwords, it is not directly involved in the process by which a user logs into any system. This makes it much simpler, cheaper and more reliable than Single Sign-On technologies.
Password Synchronization comes in different flavours, any of which may be combined:
- Multi-host, multi-Platform Password Change software. This is used by a user to change his own passwords, from a known current value to a desired new value. By changing multiple (or all) passwords simultaneously, the software allows users to keep them synchronized.
- Multi-host, multi-Platform Password Reset software. This is used by an administrator or helpdesk operator to set another user's passwords to a desired new value, regardless of their current value. By changing multiple (or all) passwords simultaneously, the software allows administrators to synchronize them.
- Multi-host, multi-Platform Self Reset software. This is used by a user to set his own passwords to a desired new value, regardless of their current value. To do this, the user must provide some other proof of his identity, such as some obscure personal information. By changing multiple (or all) passwords simultaneously, the software allows the user to synchronize them, and to set them to a new value in case the old value was forgotten.
- Multi-host, multi-Platform Password Propagation software. This software intercepts a native password change on one host, and forwards a matching Password Reset to the user's account on other hosts. In this way, passwords remain synchronized.
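The difference between the Password Change and Password Reset flavours, together with uniform strength control, can be shown in a short sketch. This is an added example, not code from any product described here; `TargetSystem`, `check_policy`, `synchronize` and the length limits are hypothetical, and in-memory stores stand in for real hosts.

```python
import hashlib
import hmac
import os

class TargetSystem:
    """Constructed in-memory stand-in for one host's account store."""
    def __init__(self, name, max_len=64):
        self.name, self.max_len, self._accounts = name, max_len, {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def has_user(self, user):
        return user in self._accounts

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._accounts[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        if user not in self._accounts:
            return False
        salt, digest = self._accounts[user]
        return hmac.compare_digest(digest, self._hash(password, salt))

def check_policy(password, targets, min_len=8):
    """One rule set for every platform, bounded by the most restrictive target."""
    max_len = min(t.max_len for t in targets)
    if not min_len <= len(password) <= max_len:
        return f"length must be {min_len}..{max_len}"
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)):
        return "needs lower case, upper case and a digit"
    return None

def synchronize(user, new_password, targets, current_password=None):
    """Password Change when current_password is given (checked on each target);
    Password Reset when it is None (caller was authorized some other way)."""
    error = check_policy(new_password, targets)
    if error:  # reject before touching any target, so none drifts
        return {t.name: f"rejected: {error}" for t in targets}
    results = {}
    for t in targets:
        if not t.has_user(user):
            results[t.name] = "skipped: no account"
        elif current_password is not None and not t.verify(user, current_password):
            results[t.name] = "skipped: current password mismatch"
        else:
            t.set_password(user, new_password)
            results[t.name] = "ok"
    return results
```

The per-target result map shows which accounts a Password Change could not reach because their old value had already drifted; a Password Reset brings those back into line.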