HVL 2001

Password Management: Using Directories to Cut Costs, Improve Productivity and Reduce Risk

Guy Huntington, President, HVL
Derek Small, President, Nulli Secundus



The Issue

• Password management is both expensive and a key area of risk for any enterprise

• Lost password management can occupy as much as 20-50% of a help desk’s activities
  – At a company we recently visited, 20 people were solely engaged in handling lost passwords


Managing Passwords Is Complicated

• Password policies may require regular changes every 3-4 months

• Passwords may not be reusable for a certain period of time

• A required password syntax must be enforced

• Policies may require the password never travel in the clear


Managing Passwords Is Expensive

• Many packages require yet another database of usernames and passwords separate from the other data stores of user information

• The help desk takes the brunt of trying to placate frustrated users while enforcing password policies

• Synchronizing passwords between systems is expensive, often done manually


Passwords Are Potentially Risk Prone

• The frequency of password change forces many users to write them down beside their computer

• The syntax of the password may be prone to quick guessing by password cracking programs, malicious persons or co-workers

• Without single sign on, password updates may leave systems out of sync with one another, causing potential security lapses


Browsers Cache Username and Password

• The browser will supply username and password from the cache to the authenticating system during the session

• This defeats session timeouts that are meant to expire the user’s session and force a legitimate re-authentication

• It also increases risk of masquerading attacks from an unattended computer


Password Storage Is a Potential Problem

• Password storage systems may be physically insecure and thus prone to an attack

• Password storage may not use encryption and thus be prone to electronic attack even if physically secure

• Hashing keys may be stored with a management password that itself is more prone to cracking than the hash, thus reducing the effective strength of the hash


Password Transmission Is Also a Problem

• A password may be physically and electronically secure during storage but prone to an attack during transmission

• Man-in-the-middle attackers can read passwords that are sent in the clear

• It’s getting more complicated with the proliferation of wireless devices requiring password based authentication


Authentication & Trust

• Authentication is the key to our knowledge, transaction, network and information system doors

• While other authentication methods such as smartcards, certificates and biometrics are growing, passwords will remain as the most common method of creating the first stage of trust


Leveraging Your Infrastructure

You need to leverage infrastructure to create a modern password strategy which:

• Reduces risk
• Reduces costs
• Improves productivity
• Is easy to use
• Can scale across applications


Directories Are Critical

• Directories are optimized for fast reads, whereas databases are better suited to writes
  – They are therefore excellent for handling front-end authentication, which requires lots of fast reads of usernames, passwords and other authentication schemes


Directories Are Critical

• Unlike databases, directories also have a standard for storing information: LDAP
  – Therefore, you can point your many different systems to a common information store for fast reads and lookups such as username and password


SSO and Directories

• The user community is frustrated by having too many passwords and usernames to remember

• Directories can act as an authentication hub for NOS’s, ERP’s, HRIS’s, data warehouses, portals and other legacy and back office applications


Username Challenges

• Something as simple in concept as a username can create a great deal of grief in enterprise management

• It’s complicated because people’s names change, different systems require different syntax, globalization requires international character sets and there are so many different systems requiring usernames within the same corporation


Authoritative Username

• Who and what is the authoritative source for the username?

• With system integration being an imperative, new ways of handling username are required


Directories and Username

• Directories can store a global ID for the person which can be mapped to their common name and format for different systems

• This is usually approved by HR or the HRIS and then applied to other systems via the directory


Passwords & Directories

• Initial passwords can be created by the NOS, placed in the directory and then modified by the user

• The password can be stored in encrypted form within the directory


Passwords & Directories

• Password management features, such as notifying the user three days before a password expires, can be managed from a central directory


Lost Passwords & Directories

• Users can be prompted to store challenge phrases in the directory in case they forget their password

• This too can be stored in encrypted form


Lost Passwords & Directories

• Using web-based form authentication, users who forget a password can serve themselves via the form and the directory

• This avoids calls to the help desk and therefore reduces costs while improving productivity


Password Security & Directories

• There are a number of tools to ensure passwords never travel in the clear

• Within the directory, hashing algorithms can be used to ensure security
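As an added example (not code from the slides, HVL or any directory vendor), the salted-hash storage described on this slide and on the "Passwords & Directories" slide above, together with the reuse and advance-expiry-notification policies from the earlier slides, in Python. The helper names, the 8-byte salt and the 90-day maximum age are assumptions; the {SSHA} layout is the one used by iPlanet/OpenLDAP-style servers for the userPassword attribute.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Hypothetical helpers written for this page, not code from the slides or any
# directory vendor. They model how iPlanet/OpenLDAP-style servers store
# userPassword: "{SSHA}" + base64(SHA-1(password || salt) || salt).
SALT_LEN = 8
DIGEST_LEN = 20  # SHA-1 digest length in bytes

def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Return a userPassword value in {SSHA} form (random salt unless given)."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate against a stored {SSHA} value; no cleartext is kept."""
    if not stored.startswith("{SSHA}"):
        return False  # refuse unsalted or cleartext schemes outright
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]  # salt rides along
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare

def is_reused(password: str, history: list) -> bool:
    """Reuse check against previous {SSHA} values, without storing cleartext."""
    return any(ssha_verify(password, old) for old in history)

# Policy values from the slides: rotate every 3-4 months (90 days assumed
# here) and notify the user three days before the password expires.
MAX_AGE = timedelta(days=90)
WARN_BEFORE = timedelta(days=3)

def password_status(changed_at: datetime, now: datetime) -> str:
    """Return "ok", "warn" or "expired" for a password last changed at changed_at."""
    expires_at = changed_at + MAX_AGE
    if now >= expires_at:
        return "expired"
    if now >= expires_at - WARN_BEFORE:
        return "warn"
    return "ok"
```

Because the salt is carried inside the stored value, a reuse check can be made against the hashed history alone, so the directory never needs to keep old passwords in the clear.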


Password Security & Directories

• Between the user, the web server and the directory, you can secure transmission by using Secure Sockets Layer (SSL), Transport Layer Security (TLS) or IPSec


Middleware

• Directories such as iPlanet provide a number of rich features for advance notification of password expiration, etc.

• Directories, however, are not by nature end-user friendly or intuitive

• You need middleware tools that give end users ease of use while integrating the directory with your various authentication and authorization methods, back-office systems and network systems


Oblix

• Oblix provides a rich set of end-user and management tools supporting basic, form, certificate and biometric authentication schemes

• It’s easy to configure a lost password management feature for the end user via the intranet or extranet

• Self-serve password management thus becomes a powerful cost and time saving possibility


Oblix

• Oblix enables the administrator to determine who has view, modify and notify privileges for the password and username attributes

• You can thus integrate auditing and notification features with the help desk, the user’s manager, the HRIS, etc., whenever any change to the username or password occurs

• Oblix has API plugins for working with common NOS’s such as NT/2000, etc.


Directories & HRIS’s

• Often the HRIS, such as PeopleSoft and SAP, will be the authoritative source for username

• The username can be created within the HRIS, then populated to the directory and picked up by other application systems from the directory

• Providing a common centralized password management system for NOS’s and HRIS/ERP’s is a big step towards the concept of single sign on


The Result?

By carefully considering an LDAP directory solution for basic authentication, you can:

• Significantly reduce costs
• Improve productivity
• Implement a single sign on solution for the major systems
• Provide a unified central password management point
• Reduce risk


I’d Like to Learn More on How to Implement This…

Guy Huntington, HVL:
• [email protected]
• www.hvl.net
• 604-921-6797

Derek Small, Nulli Secundus:
• [email protected]
• www.nulli.com
• 403-270-0657