
Password synchronization

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by NoticeBored (talk | contribs) at 02:51, 14 October 2011 (Security). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Password synchronization is any process or technology that lets a user maintain a single password, subject to a single security policy and changed on a single schedule, across multiple systems.

It is a type of identity management software and is generally considered easier to implement than enterprise single sign-on (SSO), since it requires no client software deployment and user enrollment can be automated.

Uses

Password synchronization makes it easier for users to recall their passwords and manage their access to multiple systems, for example on an enterprise network. Since they have to remember only one, or at most a few, passwords, users are less likely to forget them or write them down, resulting in fewer calls to the IT help desk and less opportunity for coworkers, intruders or thieves to gain improper access.

Security

Password synchronization is a relatively crude approach that is inherently less secure than a well-designed and well-implemented single sign-on or password vault solution. If the single, synchronized password is compromised (for example, if it is guessed, disclosed, recovered by cryptanalysis of the password hash stored on one of the systems, intercepted on an insecure communications path, or if the user is socially engineered into resetting it to a known value), every system that shares that password is open to improper access. In effect the password is only as well protected as the weakest of the systems that store or transmit it.

In most single sign-on and password vault solutions, compromise of the primary or master password (the password that unlocks access to the individual passwords used on the other systems) likewise compromises all the associated systems, so that password must be strong and well protected. However, compromise of an individual password used on a single system does not by itself grant access to the single sign-on system, the password vault or the other systems, which limits the impact.

Types

Two types of password synchronization processes are commonly available in commercial software:

  • Transparent password synchronization, triggered by a password change on an existing system. The new password is automatically forwarded to the same user's accounts (user objects) on other systems, of the same or different types.
  • Web-based password synchronization, initiated by the user from a web browser in place of each system's native password change process. The web-based process lets the user set multiple passwords at once.

The most secure form of password synchronization is one that securely synchronizes only the stored representation of the password (its salted hash) rather than forwarding the cleartext password itself, which would otherwise have to be handled by the synchronization component and protected on every link it crosses. For this to work, however, both systems must share the same password storage and verification scheme, so the feature is typically found only in proprietary products where a single vendor controls the scheme on both ends. As standards for password storage evolve, password synchronization between vendors may begin to use this third and more secure synchronization type.
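The following is an added example, not code from this article or from any vendor's product. It models transparent synchronization triggered by a password change on a source system, and shows why hash-only synchronization works only between systems that share a storage scheme: a target that verifies the same PBKDF2 record format can accept the stored representation unchanged, while a target with a different scheme must be sent the cleartext and re-hash it. The record format "scheme$iterations$salt_hex$hash_hex", the `Directory` class, the store names and the (deliberately low) iteration counts are assumptions made for the example.

```python
# Added example (not code from the article or from any product): models the two
# ways a password change on one system can be propagated to others, and why
# hash-only synchronization needs the same storage scheme on both ends.
# The record format "scheme$iterations$salt_hex$hash_hex" and the directory
# names are assumptions made for this example.
import hashlib
import hmac
import os

# Hash schemes a store may use. Iteration counts are kept low so the example
# runs quickly; production deployments should use far higher values.
SCHEMES = {
    "pbkdf2_sha256": ("sha256", 100_000),
    "pbkdf2_sha512": ("sha512", 50_000),
}


def make_record(scheme, password, salt=None):
    """Hash `password` under `scheme` with a fresh random salt; return the stored record."""
    hash_name, iterations = SCHEMES[scheme]
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    return f"{scheme}${iterations}${salt.hex()}${dk.hex()}"


def verify_record(record, password):
    """Recompute the hash from the record's own parameters and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    hash_name, _ = SCHEMES[scheme]
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


class Directory:
    """A hypothetical account store that can verify records of only one scheme."""

    def __init__(self, name, scheme):
        self.name = name
        self.scheme = scheme
        self.records = {}                # user -> stored password record
        self.cleartext_received = set()  # users whose cleartext the sync process sent here

    def set_password(self, user, password):
        """Native password change: the store hashes the cleartext itself."""
        self.records[user] = make_record(self.scheme, password)

    def import_record(self, user, record):
        """Hash-only synchronization: accept a record only if this store can verify it."""
        scheme = record.split("$", 1)[0]
        if scheme != self.scheme:
            raise ValueError(f"{self.name} stores {self.scheme}, cannot verify {scheme}")
        self.records[user] = record

    def check(self, user, password):
        """Authenticate `user`; unknown users fail the same way as wrong passwords."""
        record = self.records.get(user)
        return record is not None and verify_record(record, password)


def synchronize(source, targets, user, password):
    """Transparent synchronization triggered by a password change on `source`.

    A target that shares the source's scheme receives only the stored
    representation; any other target must be sent the cleartext and re-hash it.
    Returns {target name: "hash" or "cleartext"} so the mode used is auditable.
    """
    source.set_password(user, password)
    record = source.records[user]
    modes = {}
    for target in targets:
        try:
            target.import_record(user, record)
            modes[target.name] = "hash"
        except ValueError:
            target.cleartext_received.add(user)
            target.set_password(user, password)
            modes[target.name] = "cleartext"
    return modes


def demo():
    """Constructed scenario: two stores share a scheme, a third does not."""
    hr = Directory("hr-app", "pbkdf2_sha256")
    ldap = Directory("ldap", "pbkdf2_sha256")
    legacy = Directory("legacy-erp", "pbkdf2_sha512")
    modes = synchronize(hr, [ldap, legacy], "alice", "correct horse battery")
    return modes, hr, ldap, legacy


if __name__ == "__main__":
    modes, hr, ldap, legacy = demo()
    for store in (hr, ldap, legacy):
        print(f"{store.name:11} mode={modes.get(store.name, 'source'):9} "
              f"login ok={store.check('alice', 'correct horse battery')} "
              f"saw cleartext={bool(store.cleartext_received)}")
```

Running the script shows the "ldap" store authenticating the user from a byte-identical copy of the source record without ever seeing the cleartext, while the "legacy-erp" store, which cannot verify that scheme, had to be handed the cleartext and now holds its own independently salted hash. The `cleartext_received` set is the audit trail a deployment would want: every entry is a link over which the synchronized password travelled in the clear and therefore had to be protected.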

External links

  • Password Management Project Roadmap, a vendor-neutral white paper on how to run a project to deploy this type of software