
Frequently Asked Questions for Security Officers

How does Hitachi ID Password Manager improve security?

Password Manager improves the security of authentication processes:

  • Strong, uniform password policy: A strong, uniform set of password composition rules and an open-ended password history prevent the use of easily guessed passwords and ensure that all passwords are changed regularly.

  • Fewer passwords (to write down): Password synchronization reduces the burden on users, who can finally comply with rules against writing down their passwords.

  • Authenticate users before resetting passwords: Consistent, reliable authentication processes ensure that users are reliably identified before accessing either self-service or assisted password resets.

  • Two-factor authentication: Use of multiple credentials can be mandated ahead of every user interaction, blocking attacks in which an attacker convinces the help desk to reset a victim's password.

  • Secure SaaS logins: Federated access allows two-factor authentication to be extended to SaaS applications, not just Password Manager logins.

  • No more privileged support accounts: IT support staff can be empowered to reset passwords and clear lockouts through the Password Manager portal, without direct administrative rights on every system and application.

How does Password Manager authenticate users?

Users may authenticate into Password Manager as follows:

  • On the web portal:
    • By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RACF).
    • By answering security questions.
    • Using a security token (e.g., SecurID pass-code).
    • Using a smart card with PKI certificate.
    • Using Windows-integrated authentication.
    • Using a SAML or OAuth assertion issued by another server.
    • By typing a PIN that was sent to their mobile phone via SMS.

  • Using a telephone, calling an automated IVR system:
    • By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver's license number).
    • By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification).

  • Using a telephone, calling an IT support technician:
    • By answering a series of security questions, where the technician must type the answers into a web portal to authenticate the caller.

How does Password Manager get challenge/response data for non-password authentication?

Users can authenticate to Password Manager by answering security questions, where the data is stored in the Password Manager identity cache or on an existing system (e.g., database, directory, etc.).

If the data is stored in Password Manager, then it is normally encrypted using 256-bit AES and a private key.

If the data is stored on an existing system, then Password Manager will call a plug-in program to retrieve questions and validate answers, as required. Standard plug-in programs for LDAP and SQL are provided.

Can one user "claim" another user's login ID?

To attach an existing login account, with a non-standard ID, to their user profile, a user can enroll. This is done by entering an ID and password combination for that account into an enrollment page in the Password Manager portal.

The process to attach account IDs to a user profile is as follows:

  1. Password Manager: prompts the user to authenticate using a primary credential.
  2. User: signs in, for example with AD credentials.
  3. Password Manager: validates the password against the indicated system.
  4. Password Manager: displays a list of already-attached IDs and asks for an additional ID.

  5. User: enters his login ID and current password for a system that does not yet appear on the list.

    Note: the user does not specify which system the ID is for.

  6. Password Manager: finds instances of this ID in its database, eliminates IDs that are already assigned, and tries to connect to each remaining system with the credentials entered by the user. For every system where the login succeeds, it adds the system ID / login ID pair to the user's profile.

    Steps 5 and 6 repeat as necessary.
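The claim loop of steps 5 and 6, written out as an added Python example (this is not Hitachi ID's code). The identity cache, the target systems, their credentials and the connector are all constructed here for illustration, and `claim_account`, `find_instances` and `connector_login` are hypothetical names. The point it makes concrete is that a login ID is attached only where the target itself accepts the password the user typed, so knowing someone else's ID is not enough to claim it.

```python
import hmac

# Constructed sample identity cache: which login IDs exist on which target
# systems, and the password each target would accept. Not product data.
TARGET_ACCOUNTS = {
    "AD":     {"jsmith": "Winter-2024!", "bob": "Autumn-2024!"},
    "UNIX":   {"jsmith": "Winter-2024!", "js": "Sunny-Day#7"},
    "RACF":   {"JS": "Sunny-Day#7"},
    "ORACLE": {"js": "Other-Pass#1"},
}


def connector_login(system, login_id, password):
    """Hypothetical connector: True if the target system accepts the credentials.

    A real connector would open a session on the target; here the check is a
    constant-time comparison against the constructed table.
    """
    expected = TARGET_ACCOUNTS.get(system, {}).get(login_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def find_instances(login_id):
    """Step 6, part 1: every (system, login_id) pair in the cache with this ID.

    The match is case-sensitive because each target applies its own ID rules;
    'js' on UNIX and 'JS' on RACF are different accounts.
    """
    return [(system, login_id)
            for system, accounts in TARGET_ACCOUNTS.items()
            if login_id in accounts]


def claim_account(profile, login_id, password):
    """Steps 5 and 6: attach every not-yet-attached system where ID+password log in.

    profile is a set of (system, login_id) pairs already on the user's profile
    and is updated in place. Returns the list of newly attached pairs. The user
    never names the system; the server tries each remaining candidate.
    """
    candidates = [pair for pair in find_instances(login_id) if pair not in profile]
    attached = []
    for system, lid in candidates:
        if connector_login(system, lid, password):
            profile.add((system, lid))
            attached.append((system, lid))
    return attached


if __name__ == "__main__":
    profile = {("AD", "jsmith")}
    print(claim_account(profile, "js", "Sunny-Day#7"))   # [('UNIX', 'js')]
    print(sorted(profile))
```

One operational consequence worth noting for a security officer: each candidate system sees one real login attempt with the typed password, so a wrong password during enrollment counts toward the lockout threshold on every system that has an account with that ID, not only the one the user had in mind.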

Does Password Manager transmit all sensitive data encrypted?

Data transmitted to and from Password Manager on the network is cryptographically protected, as illustrated by the following examples:

Data transmitted to/from the Password Manager server

To/From                                                  Algorithm      Key length
Interactive sessions
  User browser                                           SSL (varies)   128 bits
Trigger password synchronization
  From Win2K/2K3 AD DC, z/OS, Unix or LDAP server        256-bit AES    128-bit shared secret
Set passwords, create/update users
  To SSH scripted target                                 SSH            Varies by SSH configuration
  To Unix agent, z/OS task, RSA Authentication Manager
  or proxy server                                        256-bit AES    128-bit shared secret
API session - socket
  From calling system / IVR                              256-bit AES    128-bit shared secret
API session - web services
  From calling system / IVR                              HTTPS          128 bits
Set passwords, create/update users
  To target system                                       native         Varies; use a proxy server when the native protocol is inadequate


Does Password Manager store all sensitive data encrypted?

Encryption is used to protect stored Password Manager data as follows:

Data stored on the Password Manager server

Data                                                   Algorithm     Key
Privileged passwords used to log into target systems   256-bit AES   128-bit random
Answers to security questions                          256-bit AES   128-bit random
User old password history                              SSHA-512      64-bit random salt
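The last row of the table, salted SHA-512 with a 64-bit random salt for old-password history, is the one a reviewer most often wants to see spelled out: it is what lets the open-ended password history described earlier reject a reused password without ever storing the old passwords themselves. The following is an added Python example and not Hitachi ID's code; it uses the LDAP-style `{SSHA512}` layout, base64 of digest followed by salt, which is an assumption about the storage format, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

SALT_BYTES = 8      # 64-bit random salt, as in the table above
DIGEST_BYTES = 64   # SHA-512 output length
PREFIX = "{SSHA512}"


def ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-512: base64(SHA-512(password || salt) || salt).

    The salt is stored alongside the digest so the entry can be re-checked
    later; a fresh salt per entry means two identical old passwords do not
    produce identical history records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) <= DIGEST_BYTES:
        return False   # no salt present; malformed entry
    digest, salt = raw[:DIGEST_BYTES], raw[DIGEST_BYTES:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def record_password(history: List[str], password: str) -> None:
    """Append a new entry; the history is open-ended, so nothing is evicted."""
    history.append(ssha512(password))


def reused_from_history(history: List[str], password: str) -> bool:
    """True if the candidate password matches any entry in the user's history."""
    return any(ssha512_verify(password, entry) for entry in history)


if __name__ == "__main__":
    history: List[str] = []
    record_password(history, "Winter-2024!")
    record_password(history, "Spring-2024!")
    print(reused_from_history(history, "Winter-2024!"))   # True
    print(reused_from_history(history, "Summer-2024!"))   # False
```

Two properties of the row follow directly from the code: the history check needs the salt, which is why it is stored with each entry rather than as one global value, and because every entry has its own salt, a candidate password must be hashed once per entry, so an open-ended history makes each password change linearly more expensive to validate.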

