Password Management Systems: How to Compare and Use Them
With username and password prompts coming at users with every personal and professional login, every once in a while they're bound to forget which combinations go with which access requests.
Such lapses in digital memory can send users to help desks in droves.
Gartner data shows that password-related queries account for approximately 30 percent of total call volume for multipurpose help desks, says Gregg Kreizman, a research director at the firm.
But that call volume drops by an average of 70 percent when companies use password-management tools, he says.
Password-management tools reduce the help desk burden--staff- and cost-wise--by providing a self-service reset capability for users who have forgotten their version of "open sesame," even if they've gotten locked out of the application, system or website they're trying to log in to. In addition, password-management tools speed up access to resources for users who have forgotten their passwords.
[Also learn about privileged identity management systems]
With help-desk-related costs ranging from $3 to $18 per request, Kreizman says, it's easy to understand why reducing password reset requests is a primary driver for adopting password-management tools.
But password-management tools have other benefits, too. For example, they can streamline the change process by synchronizing access across multiple systems, and they can help companies strengthen and enforce password policies.
In the dozen or so years since their introduction, password-management tools have become enterprise staples.
At Partners HealthCare System, for example, Courion's PasswordCourier tool has been helping with password management since 2007, says Mary Buonanno, director of IS support services at the healthcare provider. Specifically, she says, Partners uses the tool to manage passwords for more than 80,000 accounts on Microsoft's Active Directory and RSA's SecurID-authenticated VPN. "We needed a tool to manage all those passwords, as we obviously couldn't do that through native Windows," Buonanno says.
"While some applications have their own password stores, anything that uses Active Directory for authentication gets the benefit of having PasswordCourier for managing passwords. We think it's important to do this at the front door, and then through policy and best practices manage passwords for all those departments that own their own applications," she says.
At Flagler College in St. Augustine, Fla., the password-management use case is more limited but has no less impact.
"We needed a tool with enough intelligence so that when we changed an administrative password on a server or system it would scour the network for dependent services and update their credentials. Otherwise those services stop working, and that's really no fun," says Brendan Hourihan, director of network and desktop support services at Flagler.
Using ManageEngine's Password Manager Pro, Hourihan says he can now change administrative passwords for the college's 50 or so servers with greater ease and confidence, not to mention greater frequency.
"We'd been hesitant to change passwords before we had this tool--that's the truth--because we never knew what tied to what until something broke. And that sometimes took days to discover," he says. "Now we can change passwords every 90 days or whenever we need to, and we use Password Manager Pro to discover and update the related credentials."
Evaluating the Tools
Courion's PasswordCourier and ManageEngine's Password Manager Pro are two of many password-management tools ready for enterprise use. Others include Avatier's Password Station and Password Bouncer, Hitachi ID Systems' ID Password Manager and Omada's Password Manager.
When evaluating password-management tools, Kreizman advises companies to consider the following features:
* The ability to reset passwords on all the systems you use. This often, but not always, means Active Directory alone or in conjunction with other systems. (Also read How to do password resets right.)
* The ability to synchronize passwords across multiple systems. Most tools synch off a master repository (most commonly Active Directory) but some allow initiation from other target systems. In the latter case, an IBM AS/400 or mainframe user might be able to reset a password and propagate the change from there rather than having to initiate synchronization through Active Directory.
* Availability of self-service reset capability, most typically through a browser or from the Windows sign-on interface.
* Availability of an interactive voice-response interface, if you want to be able to use that as a self-service reset option.
* Use of a challenge-and-response mechanism that a user must complete before gaining access to the self-service reset function. The questions should help users remember their passwords but be strong enough to make discovery difficult for an attacker.
Kreizman says enterprises might also consider whether a tool provides a help-desk interface for opening, closing and tracking incidents, and whether it integrates with more advanced authentication methods, such as RSA SecurID, which Partners uses in conjunction with PasswordCourier, or voice biometrics.
While standalone password-management tools can prove their worth quickly, they've matured to a point where they're not often sold on their own any longer. More typically, they're integrated into broader access- and identity-management suites, such as CA's Access Control, Cyber-Ark Software's Privileged Identity Management Suite and Novell's Identity Manager.
"There will always be people asking about just password-management tools and policies, but more and more people will be asking about these as part of identity and access management," says Andras Cser, a principal analyst with Forrester Research.
Kreizman agrees. "We take calls on pure password-management tools consistently throughout the year, but something like tenfold fewer than the ones we take on topics like enterprise single sign-on [SSO]," he says.
The assumption, in many cases, is that password management is part and parcel of an enterprise SSO deployment. "Even if you have single sign-on to a set of target systems, you still need a reset tool for the one password that gets you in," Kreizman says.
"In terms of password management, the bottom line is that we think in terms of managing identities and not just passwords," says David Sheidlower, CISO at Health Quest, a healthcare system.
Next page: more about evaluating tools and integrating them with policies...