As today's organizations deploy an ever-growing number of complex systems, password management problems choke help desk systems, cause expensive delays and lost productivity, and threaten to compromise security.
Identifying the cause of these problems, and resolving them, requires the involvement of many interested parties and much strategic planning. Organizations can use a number of software products to address these issues. Selecting the right one also involves taking a number of important factors into consideration.
The first step when selecting and deploying a password management product is to conduct a needs analysis. The needs analysis should identify the problems that a password management system must solve. These should be translated into requirements which the successful vendor must meet.
The following are the most common password management problems, each with a brief description of the password management functionality required to solve it.
Users frequently have too many passwords on too many different systems. As a result, they either forget their passwords or violate security policy in an effort to remember them.
A password management system should allow users to manage every password from a single screen, and allow users to synchronize their passwords to a single, hard-to-guess password.
Users who forget their passwords waste time on:
- Trying to log in.
- Calling the help desk.
- Waiting for service.
- Proving their identity (authenticating).
- Waiting for a password reset.
Each problem incident may consume 20-30 minutes of user time. In many organizations, users experience this problem 2-4 times annually. In a large user population, this generates a huge volume of user problems and help desk calls.
A password management system should incorporate password synchronization, which helps users remember their passwords and thus eliminates the majority of password-related problems. It should also include a password self-reset and help desk password reset facility, to speed up the resolution of remaining password problems at the help desk.
Users who forget their passwords call the help desk, and get service. These calls normally represent 20% to 30% of total help desk call volume.
- Password synchronization can reduce the incidence of password problems.
- Self-service password resets help users resolve their own problems, rather than calling the help desk.
- A help desk password reset facility should minimize problem resolution time by:
  - Integrating caller identification and authentication.
  - Supporting password reset on multiple systems from a single screen.
  - Automatically creating and closing call records.
In an effort to remember a large number of passwords, users may violate security policies by:
- Writing down passwords.
- Sharing passwords.
- Selecting easily remembered and guessed passwords.
- Not changing passwords.
- Reusing old passwords.
Password synchronization simplifies and automates the password change process while enforcing security procedures. A password policy engine should ensure that synchronized passwords are strong and changed regularly.
When new network systems are installed, users must be assigned new passwords. When many users are involved, creating new login IDs, assigning each of them an initial password, and securely communicating that password value to the user is a large undertaking.
This process is required in projects such as new OS deployments (for example, migrating to Windows 2000 Active Directory), new authentication services (for example, RADIUS servers supporting many firewalls), and new application deployments (for example, SAP or PeopleSoft deployments).
Password synchronization should allow administrators to assign existing users of new systems a random initial password. Users can then reset some or all of their passwords to a new, known value to gain access to new systems.