Enterprise password management: A field guide
Everyone hates passwords, but no suitable substitute has come along. The enterprise solution for the password problem is typically single sign-on (SSO), which ties enterprise services into the directory, usually Microsoft Active Directory, so that users have a single password.
SSO is a great thing, as far as it goes. It allows administrators to enforce many best practices through centralized policies. Administrators can force users to create new passwords periodically, enforce rules for password complexity, and require two-factor authentication in some or all cases.
But very few of us can get away with just that one password. In any moderately complex organization, many users need to maintain credentials for other systems that do not authenticate with Active Directory. Typically, users revert to their consumer habits, which likely don’t satisfy best practices and compliance requirements.
What kinds of logins don't fit with SSO? They might be outside services, such as a small vendor's portal, that are not worth the overhead of directory integration. Large outside services, such as government tax sites, may require their own credentials. They might be internal equipment, including routers and test or development servers. Real life, even in the enterprise, is full of outside connections that increase credential creep.
The best solutions for consumers are password managers, such as LastPass, 1Password, Dashlane, and RoboForm. These products create a secure, encrypted database stored in the cloud containing the user’s usernames and passwords. These password managers attempt, usually with success, to fill logon fields automatically with the right information. Through a variety of features, the tools make observance of sensible security practices possible in the breach-friendly world of Internet and device credentials.
But password managers have never caught on in a big way, except for the simpler ones integrated into the major web browsers. Using one is more complicated than just using the same three or four passwords everywhere.
As part of a sincere attempt at regulatory compliance, organizations should at least survey their users to determine the extent of unmanaged passwords on the network. The results may make adoption of a password management system desirable.
What are the best practices a password manager facilitates?
- Long, complex passwords: Most people have trouble remembering even one long, very complex password such as "Aa7^AYg9&a6n." A password manager makes it possible to have hundreds of these and generates them for you.
- No password reuse: When there is a password breach on one site, attackers can (and do) attempt to use that password on other sites. A unique password for each site limits the damage, and only an automated system can manage that many.
- Periodic change of passwords: On the theory that breaches aren’t always immediately evident, you should change passwords regularly. Some password managers have even automated the process on many sites.
- Make credentials available across devices: Not only are your usernames and passwords available on your mobile devices, but the app can (often) fill them in rather than making you type them on those annoying mobile keyboards. The efforts of websites to defeat attackers often impede the efforts of password managers to fill username and password form fields. In such cases, the worst that happens is that you open the browser extension menu to copy the username and password to the clipboard and paste them in. It's a pain, but it's still better than remembering and typing, or using the same password in multiple places.
- Secure storage of other data: Password managers all allow the user to store other data in the secure database. The typical consumer application is for credit card information and other sensitive personal data, and in fact password managers can also fill application form fields with this data. In an enterprise, credit card information might still be useful, but there are always other sensitive bits of information that would be handy in the secure database. Enterprise products usually allow the administrators to restrict or block this capability.
- Increased logging and reporting: Password managers log and report on events that might be missed in conventional procedural reviews or audits. In addition to the security and compliance benefits of this, they create an opportunity to find savings, as when you discover you are using only half of the accounts you are paying for with a service.
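An added audit script (not from the article or from any vendor's product) that applies the first three practices above to a constructed vault export: it flags short or low-complexity passwords, passwords shared between sites, and entries not changed within a year, and it never writes a password into the report. The vault entries, field names and policy thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date
import string

# Constructed sample vault export (site, username, password, date last changed);
# the accounts and passwords are invented for this example.
VAULT = [
    {"site": "vendor-portal.example", "user": "alice", "password": "Summer2019!", "changed": "2019-06-01"},
    {"site": "tax.example.gov", "user": "alice", "password": "Summer2019!", "changed": "2020-02-10"},
    {"site": "router-lab-01", "user": "admin", "password": "admin", "changed": "2018-01-01"},
    {"site": "dev-build.example", "user": "alice", "password": "Aa7^AYg9&a6n!pQ2", "changed": "2024-03-15"},
]

MIN_LENGTH = 12      # assumed policy thresholds
MIN_CLASSES = 3
MAX_AGE_DAYS = 365

def char_classes(pw: str) -> int:
    """Number of character classes present: lower, upper, digit, symbol."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)])

def is_weak(pw: str) -> bool:
    return len(pw) < MIN_LENGTH or char_classes(pw) < MIN_CLASSES

def audit(vault: list, today: str, max_age_days: int = MAX_AGE_DAYS) -> dict:
    """Report sites (never passwords) that violate the length/complexity, reuse and age rules."""
    as_of = date.fromisoformat(today)
    sites_by_password = defaultdict(list)
    report = {"weak": [], "reused": [], "stale": []}
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
        if is_weak(entry["password"]):
            report["weak"].append(entry["site"])
        if (as_of - date.fromisoformat(entry["changed"])).days > max_age_days:
            report["stale"].append(entry["site"])
    # Group the sites that share a password; the password itself stays out of the report.
    report["reused"] = [sites for sites in sites_by_password.values() if len(sites) > 1]
    return report

if __name__ == "__main__":
    for rule, sites in audit(VAULT, "2024-06-01").items():
        print(f"{rule}: {sites}")
```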
Some password managers with enterprise features provide management capabilities like those of MDM/EMM products, such as restricting logons from jailbroken or rooted devices.
This raises the issue of who administers the password manager in the enterprise. Your mobility management team and your identity and access management team may not be the same, but they certainly need at least to coordinate in the use of such a product.
Password managers on a mobile device work both better and worse than on a desktop computer. They are better because typing on a mobile device, especially typing complex passwords like "1RI9RujOKc2l," is a poor experience. When the password manager works well, it saves a great deal of time and unpleasantness while maintaining a high level of security.
When the password manager fails at stuffing the credentials into the application, retrieving the username and password from the password manager and pasting them into the site login can involve multiple round trips between the browser or application and the password manager. Because mobile software, particularly browsers, is more aggressively locked down than is desktop software, it’s more common for this field stuffing not to work.
Password manager users have a main password that controls access to the system and acts as a key for encryption of all the others. Typically, users can set the product to relieve themselves of the burden of entering the main password most of the time, for instance by making specific devices “trusted,” but of course this weakens system security.
In the enterprise versions, administrators can usually set the rules for when users must enter their main password. This is a balancing act, but on mobile devices there is usually the option of using the fingerprint reader for authentication, which removes a lot of friction in use. Some products sync with Active Directory, but only to collect provisioning information, not for SSO; so even in the enterprise product, users need a main password for the password manager.
The use of the cloud for something as sensitive as a password database might give you pause, but the security scales weigh heavily to the side of the password manager. The password database may be stored in the cloud so that it can be shared between devices and managed, but all encryption and decryption happens on the client device that is authenticating with the third-party service, limiting the attack surface of the password management system.
Because the content of these databases is hacker gold, there are constant attacks against the cloud back-ends, but none of them has ever resulted in a breach of great significance. The most the attackers can hope for is to collect encrypted password databases, the keys for which are nowhere in sight.
Everything we know about encryption says that cracking this encryption is hard enough not to be worth the trouble. There have been occasions when attackers may have accessed such data and the service forced all users to change their main passwords, something you ought to do from time to time anyway. As soon as it’s changed, the collected encrypted data is useless.
The password manager systems in the cloud do not need and do not have access to the encryption keys. In fact, if you lose your main password, the password manager company can’t help you. It’s better this way, but it does raise the possibility that mistakes or sloppiness could make certain account credentials inaccessible. There are ways to mitigate this problem by sharing passwords and periodically exporting the database for backup.
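An added illustration (not any product's code) of the model described above: the client stretches the main password into keys with PBKDF2, and the cloud receives only the salt, nonce, ciphertext and authentication tag, none of which reveals the password or the keys. The cipher here is a constructed HMAC-based stand-in for the authenticated cipher a real product would use (AES-GCM or similar); the field names and iteration count are assumptions.

```python
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 200_000   # assumed; real products tune this much higher

def derive_keys(main_password: str, salt: bytes) -> tuple:
    """Stretch the main password into an encryption key and a MAC key.
    The salt travels with the ciphertext; the password and keys never leave the client."""
    material = hashlib.pbkdf2_hmac("sha256", main_password.encode(), salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256; stands in for a real AEAD such as AES-GCM."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def seal_vault(main_password: str, entries: dict) -> dict:
    """Encrypt the vault on the client; the returned blob is everything the cloud stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(main_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}

def open_vault(main_password: str, blob: dict):
    """Decrypt on the client. Returns None when the main password is wrong or the blob was
    tampered with; anyone holding only the blob can do no better than guess the password."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ct, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(main_password, salt)
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))))

if __name__ == "__main__":
    # Constructed sample vault; the blob is the only thing that would reach the cloud.
    vault = {"vendor-portal.example": {"user": "alice", "password": "Aa7^AYg9&a6n"}}
    blob = seal_vault("correct horse battery", vault)
    print(open_vault("correct horse battery", blob) == vault)   # True
    print(open_vault("wrong password", blob))                    # None
```

Changing the main password reruns seal_vault with a fresh salt and replaces the stored blob; an older copy of the blob stays protected only by the old password's strength and the KDF stretching, which is why both matter.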
Sharing can be a useful feature both for disaster prevention and for convenience. Prudent use of groups allows you to assign credentials to users based on function and minimize the amount of management needed.
As mentioned, there are password managers built into the major web browsers. The password management features available in these browsers are weak by any standard, but especially in terms of enterprise management. Both Google Chrome and Microsoft Edge have policy settings to control password management through Group Policy, but only for enabling and disabling the password management system altogether.
LastPass allows minute control over the strength of passwords, both the main password and for specific domains of sites in the database. Admins can enable and disable individual features such as sharing, secure notes, specific two-factor authentication methods, field logging on a per-field basis, and much more.
Typical enterprise practices for management of such credentials include a large element of looking the other way and trusting employees not to screw up. It's always good to be able to trust your employees, and in any case, it's necessary. However, it's even better, and looks better in security audits, to have a secure system for the management and storage of credentials on third-party systems. If you do, and then read about a major password breach at a service you use, you can at least know that you are less vulnerable than most businesses. And at most, the damage will be limited.
Enterprise password management: Lessons for leaders
- Password management software encourages and enforces strong password security.
- Integration with network policy management can improve the user experience.
- In industries with strong regulatory controls, password managers can simplify meeting the requirements.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.