Secure Password Management - Hitachi ID Password Manager
Passwords are only as good as the weakest link in the password management process. In practical deployments, the security of password management depends on more than just choosing a strong password:
- Passwords must be reasonably easy to remember, or users will either forget them or write them down.
- Passwords must change regularly, or else intruders will have too much time at their disposal to guess them.
- Passwords must be stored and transmitted in an encrypted or hashed fashion, so that they cannot be intercepted on the network or recovered from improperly secured systems or media.
- When users forget their passwords, both the user and the help desk agent must be authenticated by a process that is at least as reliable as the password it replaces, before the user receives service. Otherwise, intruders will simply call the help desk to reset their intended victim's password, rather than attacking the password directly.
- Administrative changes made to passwords, by help desk staff or systems administrators, must be logged, forming a sound audit trail. Otherwise, a help desk agent or system administrator could abuse a user's login ID without leaving a trace, and consequently without accountability.
- Help desk staff who are given the right to reset forgotten passwords, or to clear intruder lockouts, should not receive other privileges unless they actually need them. Help desk staff are numerous and have high turnover, so their access should be strictly limited.
- Failed authentication attempts, whether with passwords or other processes, should be logged and should trigger alarms and lockouts on repeated failures. Otherwise, intruders will be able to carry out prolonged attacks at their leisure.
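The following is an added example, not Hitachi ID's code, showing how four of the controls listed above look when implemented together in a minimal in-memory password store: salted hashing of stored passwords, lockout after repeated failures, a requirement that the user's identity be verified before a help desk reset, and an audit record for every failure, lockout and administrative reset. The class and function names, the lockout threshold, the PBKDF2 round count and the sample user and agent names are all assumptions chosen for the example.

```python
"""Added example (not the product's code): a minimal password store that
applies hashed storage, failure lockout, verified help-desk resets and an
audit trail. All names and thresholds are assumptions for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed lockout threshold
PBKDF2_ROUNDS = 200_000     # assumed work factor for PBKDF2-HMAC-SHA256
_DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same as known ones


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


class PasswordStore:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []  # in-memory event list; a deployment would ship these to a SIEM

    @staticmethod
    def _hash(password, salt):
        # Only a salted, slow hash is ever stored; the plaintext is discarded.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(password, salt))

    def authenticate(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            # Hash anyway so timing does not reveal whether the user exists.
            self._hash(password, _DUMMY_SALT)
            self.audit_log.append(f"AUTH_FAIL user={user} reason=unknown")
            return False
        if acct.locked:
            self.audit_log.append(f"AUTH_FAIL user={user} reason=locked")
            return False
        if hmac.compare_digest(acct.digest, self._hash(password, acct.salt)):
            acct.failures = 0  # a good login resets the failure counter
            return True
        acct.failures += 1
        self.audit_log.append(f"AUTH_FAIL user={user} failures={acct.failures}")
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self.audit_log.append(f"LOCKOUT user={user}")
        return False

    def admin_reset(self, agent, user, new_password, identity_verified):
        """Help desk reset: refused unless the caller was verified, and always logged."""
        if user not in self.accounts:
            raise KeyError(user)
        if not identity_verified:
            self.audit_log.append(f"RESET_REFUSED agent={agent} user={user} reason=unverified")
            return False
        self.set_password(user, new_password)  # new Account object: clears lockout and counter
        self.audit_log.append(f"ADMIN_RESET agent={agent} user={user}")
        return True


def run_scenario():
    """Constructed walk-through: lockout after bad guesses, then a verified reset."""
    store = PasswordStore()
    store.set_password("alice", "correct horse battery staple")
    out = {"first_login": store.authenticate("alice", "correct horse battery staple")}
    for _ in range(MAX_FAILURES):
        store.authenticate("alice", "guess")
    out["locked_after_failures"] = store.accounts["alice"].locked
    out["login_while_locked"] = store.authenticate("alice", "correct horse battery staple")
    out["reset_without_verification"] = store.admin_reset(
        "helpdesk-7", "alice", "new pass", identity_verified=False)
    out["reset_with_verification"] = store.admin_reset(
        "helpdesk-7", "alice", "new pass", identity_verified=True)
    out["login_after_reset"] = store.authenticate("alice", "new pass")
    out["audit_log"] = list(store.audit_log)
    return out


if __name__ == "__main__":
    result = run_scenario()
    for event in result["audit_log"]:
        print(event)
```

Running the module prints the audit trail for the constructed scenario: five failures, a lockout, a refused unverified reset, and the logged reset by the help desk agent, which is exactly the record an investigator would need to attribute an administrative password change to a person.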
Hitachi ID Password Manager is designed to secure the entire password management process.