Frequently Asked Questions for Hitachi ID Password Manager Users
What is Hitachi ID Password Manager?
Password Manager is an enterprise solution for managing passwords and other types of credentials. It improves the security of passwords and related IT support processes, reduces the cost of user support and improves user productivity. This is done with features such as password synchronization, self-service password reset, enterprise single sign-on, PIN resets for tokens and smart cards, enrollment of security questions and biometrics and emergency recovery of full disk encryption keys.
Password Manager reduces the cost of password management using:
- Password synchronization, which reduces the incidence of password problems for users
- Self-service password reset, which empowers users to resolve their own problems rather than calling the help desk
- Streamlined help desk password reset, to expedite resolution of password problem calls
Password Manager strengthens security by providing:
- A powerful password policy engine.
- Effective user authentication, especially prior to password resets.
- Password synchronization, to help eliminate written-down passwords.
- Delegated password reset privileges for help desk staff.
- Accountability for all password changes.
- Encryption of all transmitted passwords.
To find out more about Password Manager, visit http://Hitachi-ID.com/password-manager.
How do I synchronize my passwords?
Password Manager helps users to maintain a single password across every system, as follows:
- If transparent synchronization is deployed, whenever users change their Windows network password, all other passwords are
- Alternatively, users can synchronize all or some of their passwords from a web browser. Users sign into a Password Manager URL with their network login ID and password, type a new password and wait a few seconds for the new password to be applied to their various accounts.
Users normally receive an e-mail confirmation after password synchronization is complete, with either method.
I forgot my password -- how do I fix it?
If a user forgets any of their passwords, they can access Password Manager in any of the following ways:
- From a web browser (click on Password Manager on the Intranet).
- From their workstation login screen (type help for the login ID, leave the password field blank and press Enter).
- Using a GINA extension DLL or service (a new user interface element added to the workstation login screen).
- Using a Windows Vista/7/8 Credential Provider (another UI extension to the login screen).
- By calling the help desk phone number and dialing the menu option for a password problem (IVR).
Regardless of how the user accessed Password Manager (web, login prompt, phone), they must sign in, typically by typing their network login ID. The user will then be authenticated, typically by answering a series of security questions. Once the user has been authenticated they can select a new password for themselves. The new password will be applied to some or all of their login IDs in the next few seconds.
The user will receive an e-mail confirmation after the password reset is complete.
Why do I need to register, and how do I do it?
In some environments, users have to register with Password Manager to provide data such as security questions or to attach login IDs on systems with non-standard naming conventions to their profiles.
Password Manager manages registration automatically:
- An auto-discovery process, executed nightly, reconstructs a master list of Password Manager users based on changes in the list of users on one or more authoritative systems such as Active Directory, Novell NetWare or LDAP.
- Password Manager user profiles are tested for completeness: a minimum set of security questions, login IDs on mandatory systems and so on.
- Users whose profiles are incomplete may be asked to register. Password Manager normally invites users to do this by sending e-mails to users, with instructions and an embedded URL.
- Controls are applied to limit the total number of registration requests nightly and the minimum interval between successive registration e-mails to a single user.
- Users register by clicking on the URL in their invitation e-mail, signing in with their network login ID and password and filling in the blanks on one or two web forms.
This process is fully automated and unattended. It is secure, since sensitive information, such as passwords or PINs, is never transmitted over an insecure channel (e-mail).
This process is configured to minimize load on the help desk and e-mail delivery system (maximum registration invitations per day).
This process is configured to minimize nuisance to individual users, by ensuring that reminders to register are not too frequent.
This process is effective and reliable, since users are reminded to register until they comply.