Skip to main content

Randomize Privileged Passwords - Hitachi ID Privileged Access Manager

Hitachi ID Privileged Access Manager secures sensitive passwords by periodically setting them to new, random values:

  1. On systems integrated via "push mode:"
    1. Periodically -- for example, every night between 3AM and 4AM.
    2. When users check accounts back in, after they are finished using them.
    3. When users request a specific password value.
    4. In the event of an urgent termination of a system administrator (randomize all passwords that person may have known).
    Note that "push mode" normally means that no software is deployed to the managed endpoint system.

  2. On systems integrated via "pull mode:"
    1. Periodically -- for example, every day.
    2. At a random time-of-day, to even out workload on the Privileged Access Manager service.
    3. Opportunistically, whenever network connectivity happens to be available from the managed endpoint to the central privileged access system.
    Note that "pull mode" implies a local agent on the managed endpoint system. This approach is useful on laptops, on rapidly provisioned/deprovisioned VMs in a cloud environment and in some isolated network segments.

Watch a Movie

Randomizing privileged passwords on laptops and other mobile devices

Play movie


  • On mobile devices, the endpoint initiates the password change process.

Key concepts:

  • Password changes initiated on the endpoint can be performed even when the device is off-site, behind a firewall, etc.
  • Randomized timing improves reliability and reduces peak transaction volume.
  • A minimal software footprint is required on the endpoint device.

Randomizing privileged passwords on fixed IT assets

Play movie


  • On servers and other fixed devices or applications, no local software is required.

Key concepts:

  • Password changes are initiated on an HiPAM server and are scheduled to happen, as often as hourly.
  • Randomized password values are stored in a secure, replicated vault at a minimum of two physical locations.
  • No software is installed on systems.

Read More:

  • Randomize Privileged Passwords:
    Privileged Access Manager periodically randomizes passwords on privileged accounts.
  • Launch Privileged Login Sessions:
    Privileged Access Manager launches login sessions to privileged accounts subject to access control policies and/or workflow approvals.
  • Limit Concurrent Administrator Logins:
    Privileged Access Manager controls how many people can sign into the same privileged account at the same time using a checkout/checkin process.
  • Record Administrator Logins:
    Privileged Access Manager can record the login sessions it launches for users to sign into privileged accounts. These recordings are both a forensic audit trail and a knowledge sharing resource.
  • Password History:
    Privileged Access Manager captures a full history of passwords for privileged accounts. This is useful when recovering servers and databases from backup media.
  • Audit Logs and Reports:
    Login sessions to privileged accounts are logged by Privileged Access Manager and visible in reports. This makes administrators accountable for changes they may make to systems and applications.
  • Eliminate Embedded Passwords:
    Privileged Access Manager allows organizations to eliminate static, plaintext passwords embedded in applications. An API allows applications to secure acquire credentials to other applications on demand.
  • Change Service Account Passwords:
    Privileged Access Manager periodically changes passwords for accounts used to run Windows services and notifies appropriate OS components, such as service control manager and scheduler, of the new password value.
page top page top