
Password synchronization

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Jboarman (talk | contribs) at 19:17, 20 February 2010 (Types: Added third types of password sync method used between single vendor solutions). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Password synchronization is defined as any process or technology that helps users to maintain a single password that is subject to a single security policy, and changes on a single schedule across multiple systems.

It is a type of identity management software and is considered easier to implement than enterprise single sign-on (SSO), because no client software needs to be deployed and user enrollment can be automated.

Uses

Password synchronization is an effective mechanism for addressing password management problems on an enterprise network:

  • Users with synchronized passwords tend to remember their passwords.
  • Simpler password management means that users make significantly fewer password-related calls to the help desk.
  • Users with just one or two passwords are much less likely to write down their passwords.

Security

Some (in particular those who sell single sign-on systems) claim that password synchronization is less secure than single sign-on, since compromise of one password means compromise of all. The counter-argument is that, with single sign-on, compromise of the primary password (from which an encryption key is derived and used to protect all other, stored passwords) also compromises all, so the security of password synchronization and single sign-on is similar; both systems depend strongly on the security of a single password, and that password must be well defended, regardless of such academic arguments.

Types

Two types of password synchronization processes are commonly available in commercial software:

  • Transparent password synchronization, triggered by a password change on an existing system. The new password is automatically forwarded to other user objects that belong to the same user, on other systems (of the same or different types).
  • Web-based password synchronization, initiated by the user with a web browser, in place of the existing native password change process. The web-based process allows the user to set multiple passwords at once.

The best form of password synchronization is one that securely synchronizes only the stored representations of the original passwords, rather than sharing the clear text password itself. For this, however, both parties must share the same password storage and verification scheme. This feature is therefore typically found only in proprietary products where the password scheme is controlled by a single vendor on both ends. As standards for password storage evolve, password synchronization between vendors may begin to use this third and more secure synchronization type.
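The following is an added Python model (not code from the article or from any vendor product) of the two propagation paths this section describes. A password change on a source system is forwarded transparently to other systems: targets that share the source's storage scheme receive only the stored representation (a PBKDF2 string), while a target with a different scheme can only be updated by sending it the clear text password. The system names, the `salted_sha512` legacy scheme, the `TargetSystem` class and the `synchronize` function are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # assumption: iteration count for the constructed scheme


def pbkdf2_encode(password: str) -> str:
    """Stored representation: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_sha512_encode(password: str) -> str:
    """Constructed 'legacy' scheme: salted_sha512$<salt hex>$<hash hex>."""
    salt = secrets.token_bytes(8)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"salted_sha512${salt.hex()}${digest}"


def salted_sha512_verify(password: str, stored: str) -> bool:
    scheme, salt_hex, digest = stored.split("$")
    if scheme != "salted_sha512":
        return False
    computed = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(computed, digest)


# scheme name -> (encode, verify); both systems must agree on this for hash-only sync
SCHEMES = {
    "pbkdf2_sha256": (pbkdf2_encode, pbkdf2_verify),
    "salted_sha512": (salted_sha512_encode, salted_sha512_verify),
}


@dataclass
class TargetSystem:
    """A constructed stand-in for one system holding a user's password store."""
    name: str
    scheme: str
    store: dict = field(default_factory=dict)  # user -> stored representation

    def set_password(self, user: str, password: str) -> None:
        """Native path: the system receives clear text and hashes it itself."""
        encode, _ = SCHEMES[self.scheme]
        self.store[user] = encode(password)

    def import_representation(self, user: str, representation: str) -> None:
        """Hash-only path: accept a stored representation produced elsewhere."""
        if not representation.startswith(self.scheme + "$"):
            raise ValueError(f"{self.name} cannot verify scheme of {representation[:16]}...")
        self.store[user] = representation

    def verify(self, user: str, password: str) -> bool:
        _, check = SCHEMES[self.scheme]
        stored = self.store.get(user)
        return stored is not None and check(password, stored)


def synchronize(user: str, new_password: str, source: TargetSystem, targets: list) -> dict:
    """Transparent sync triggered by a change on `source`.

    Returns a report of which path each target received, so an auditor can
    see exactly where the clear text password had to travel.
    """
    source.set_password(user, new_password)
    representation = source.store[user]
    report = {}
    for target in targets:
        if target.scheme == source.scheme:
            target.import_representation(user, representation)
            report[target.name] = "hash-only"
        else:
            target.set_password(user, new_password)  # clear text unavoidable here
            report[target.name] = "cleartext"
    return report


if __name__ == "__main__":
    hr = TargetSystem("hr", "pbkdf2_sha256")
    mail = TargetSystem("mail", "pbkdf2_sha256")
    legacy = TargetSystem("legacy", "salted_sha512")
    print(synchronize("alice", "correct horse battery", hr, [mail, legacy]))
```

Because the hash-only path copies the identical salted representation to every compatible system, the report is worth logging: each "cleartext" entry marks a link that must be protected in transit, and each "hash-only" entry marks a store whose offline compromise would also expose the other copies, since they share the same salt and hash.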

External links

  • Password Management Project Roadmap: a vendor-neutral white paper about how to run a project to deploy this type of software