- Users have too many passwords. They cope by doing insecure things:
- Avoiding password change, which creates windows of opportunity for attackers to compromise their passwords.
- Writing down their passwords, which reduces application security to the security of the physical perimeter, or even the user's wallet.
- Choosing simple passwords, which are often also simple to guess.
- When users experience a password problem, they call the help desk.
This also creates security problems:
- The help desk may not authenticate callers reliably, so an attacker could impersonate a legitimate user and ask the help desk to reset their password. Once this is done, the attacker can sign into applications as the user and abuse the user's access rights.
- Too many help desk staff have administrative access to systems and applications, just so that they can clear lockouts or reset passwords. Help desk login accounts are an attractive target for attackers. In some organizations, and among many IT outsourcers, the help desk team has high turnover, which means that many former help desk staff may retain elevated access.
- Endpoint devices may be compromised by malware, whether through zero-day exploits or by tricking users into installing Trojans. Once a device is compromised, attackers can capture user passwords with a simple key-logger and abuse the user's access later.
The Hitachi ID Password Manager solution
Password Manager improves the security of authentication processes:
- Strong, uniform password policy: A strong, uniform set of password composition rules and an open-ended password history prevent the use of easily guessed passwords and ensure that all passwords are changed.
- Fewer passwords (to write down): Password synchronization reduces the burden on users, who can finally comply with rules against writing down their passwords.
- Authenticate users before resetting passwords: Consistent, reliable authentication processes ensure that users are reliably identified before they access either self-service or assisted password resets.
- Two-factor authentication: Use of multiple credentials can be mandated ahead of every user interaction, blocking attacks in which an attacker takes over a user account by convincing the help desk to reset the victim's password.
- Secure SaaS logins: Federated access allows two-factor authentication to be extended to SaaS applications, not just Password Manager logins.
- No more privileged support accounts: IT support staff can be empowered to reset passwords and clear lockouts through the Password Manager portal, without direct administrative rights on every system and application.