Self-service password reset

Transcription

1 Tutorials, A. Allan, R. Witty Research Note 22 December 2003 Best Practices for Managing Passwords: Tools Password self-service, synchronization and single sign-on tools reduce the administrative burden of password management and enhance security. A primary benefit, and key risk, is that users must remember only one password. Core Topic Security and Privacy: Security Management Strategies and Processes Key Issues How will enterprises arm themselves to address increasing information security risk? How will enterprises manage the complexity of authentication and access control in a highly distributed world? Passwords are the most ubiquitous authentication mechanism and will be used for at least 80 percent of enterprises' authentication needs during the next two to three years. However, because each new system can mean another user ID and password for users to remember, and may have different password formation and management rules, the password management burden on users and help desks can rapidly increase. Gartner estimates that between 10 percent and 30 percent of help desk calls are password-related some enterprises report that as many as 60 percent of their help desk calls are about passwords. In addition, users who must remember several passwords are often tempted to write the passwords down, increasing the security risk of the passwords being discovered by attackers. Many enterprises are seeking to ease the administrative burden of password management through self-service tools. In addition, password synchronization and single sign-on (SSO) can reduce the number of passwords that users must remember. Password Management Tools Password management tools generally provide one or both of two functions: Self-service password reset Automatic password synchronization Self-service password reset usually is done through Web browser interfaces or, less commonly, via interactive voice response systems. Users can reset forgotten passwords for one, many or all of the systems that they use. To do this securely, reset tools must employ an alternative identity verification mechanism, such as a set of challenge-response questions and Gartner Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

2 answers. Users must correctly answer each question in the set, or a random set of questions out of a larger pool. A user can, optionally, use a self-service password reset function to set the same password across all systems: this is manual synchronization. Automatic synchronization differs in that it is transparent to users. When a user resets the password on one system (often the network operating system), special software on that system detects the change and propagates it to the user's other systems. Because the user will use this new password for all systems, this approach sometimes is called consistent (or consolidated) sign-on. Consistent sign-on also can be achieved by having each system "talk" to the same authentication service. This approach is wellknown from Sun Microsystems' Network Information System (NIS) and NIS+ for Unix operating systems. A broader application across multiple operating systems and applications is through Lightweight Directory Access Protocol (LDAP). The user has only one password the LDAP password for LDAPenabled target systems. Microsoft's Active Directory can be used in this way. Examples of password management vendors include: Blockade Systems Courion M-Tech Information Technology Sun Microsystems (Waveset Technologies) SSO Tools SSO goes a step further than password synchronization: The user has only one password and after the initial logon, subsequent logons are transparent to the user. Microsoft Windows 2000 and Windows Server 2003 use Kerberos for multidomain SSO. This can be extended to other "Kerberized" applications (for example, Oracle and SAP) and to other platforms (for example, most Unix operating systems and IBM z/os mainframes). Kerberos also can be used between these systems without Windows. After the initial, primary authentication the normal Windows logon Kerberos uses cryptographic tickets to authenticate the user to other systems. The systems "consume" Kerberos tickets rather than passwords. The primary problem with Kerberos and similar approaches is that each target system has to be modified. In heterogeneous enterprises, this can kill full deployment. Therefore, most enterprise SSO (ESSO) tools interact directly with target 22 December

3 systems' logon screens, passing the user's ID, password and maybe other information to each system as the user accesses it. The tools support Windows logon panels, text screens (for Unix and mainframe terminal emulation) and HTML forms. The primary authentication mechanism may be a password that is managed by the SSO tool, or a network operating system or LDAP password. Subsequent logons may use the same password that is, the SSO tool ensures automatic password synchronization. More often, the SSO tool will negotiate the use of a different password with each system. Many SSO tools also can set random system passwords without the user's participation. The user doesn't know what the target-system passwords are, but he or she can continue to access those systems using the SSO tool. In a wholly Web-based application environment, one of three different approaches may be used: The server that performs the initial authentication can store an encrypted cookie on the user's workstation. When the user goes to another server, the server retrieves the user's credentials from the cookie without having to re-authenticate the user. Secured Web servers can sit behind a reverse proxy server. The user authenticates to this server only, and the proxy picks up the requested content or application and delivers it to the user. A new approach makes use of the Security Assertions Markup Language (SAML), which servers can use to exchange authentication requests and assertions via Extensible Markup Language (XML) messages. These Web SSO approaches are offered in portals and extranet access management products. Examples of SSO vendors include: Computer Associates Imprivata Passlogix Protocom Development Systems (licensed by Novell) Costs The licensing cost starts at about $10 per user for password management tools and about $75 per user for ESSO tools. Prices will decrease for larger numbers of users. The higher price 22 December

4 for ESSO tools reflects the need for client software and the complexities of the real-time approach. User provisioning tools, which offer password management in addition to more-complex functionality, and extranet access management tools, which offer Web SSO (and sometime limited ESSO) in addition to administrative and access control, start at about $30 per user. Benefits The key benefit of password synchronization and SSO tools is that users have only one password to remember. Therefore: They are less likely to forget their passwords and thus are less likely to call the help desk to reset their passwords. Gartner estimates a 65 percent reduction in passwordrelated calls. They are less likely to write their passwords down, thus mitigating a significant security vulnerability. A single, strong password management policy can be enforced. SSO has the additional operational benefit that users do not have to manually log on to multiple systems. Although it can be argued that this improves users' productivity, it may not always be possible for enterprises to demonstrate real improvements. For example, it's difficult to prove that a minute saved here, 30 seconds saved there, increases productivity because it depends on what users do with the time saved. Nevertheless, in some organizations where users have to log on to multiple systems at the start of the day, it may be possible to demonstrate real productivity improvements. For example, a bank reports that it saved 20 minutes per teller per day by implementing ESSO. A distinctive security benefit of ESSO is that the primary password can be arbitrarily strong. In contrast, in password synchronization, the password must be valid on all target systems and thus must conform to the weakest set of rules (short, limited character sets) of those systems. Password synchronization tools can avoid this problem by having different password policy groups, but users then would need two or more passwords. Also, by hiding target-system passwords from users, ESSO tools reduce the possibility that attackers will discover these passwords and directly target individual systems. Attackers would need users' primary passwords and access to PCs with the right client software. Passwords that users must use externally for example, for Web access to corporate canbeexposed. Finally, ESSO tools allow an enterprise to easily implement a stronger authentication mechanism across all 22 December

5 systems simultaneously, rather than having to integrate the mechanism with each individually. Risks The primary risk with self-service password reset is that identity verification questions and answers are more likely to be guessed or discovered by social-engineering methods (see "Unmasking Social-Engineering Attacks") than users' passwords, thus creating a security vulnerability. Choosing suitable questions for password reset challenge-response identity verification is a subtle art (see "Best Practices for Managing Passwords: Self- Service Q&A"). Enterprises that deploy self-service password reset tools also face the challenge of getting users to register. Users often lack the motivation to register until the first time they need to use the tool by then, it's too late. Password synchronization and SSO "put all the eggs in one basket" that is, an attacker who discovers a user's password gains entry to all systems to which that user has access. (The need for client software for ESSO will limit this vulnerability to internal attacks.) This risk is offset somewhat by the better management of a single password, which can reduce the likelihood of discovery. Key Facts: Password self-service, password synchronization and enterprise SSO tools ease the administrative burden of managing passwords and increase security by: Reducing the number of passwords that users must remember Reducing help desk call volume related to password reset requests Increasing productivity by reducing the time required to log on to multiple systems (ESSO only) Acronym Key ESSO enterprise single sign-on LDAP Lightweight Directory Access Protocol SAML Security Assertions Markup Language SSO single sign-on XML Extensible Markup Language Enabling enterprises to enforce a single, strong password management policy Bottom Line: Password management (self-service and synchronization) and single sign-on tools can yield operational benefits and ensure good password management practices. Their benefits must be weighed against their risks. 22 December