Password synchronization
Password synchronization is a process, usually supported by software, through which a user maintains a single password across multiple IT systems. Provided all the systems enforce similar password standards (for example, minimum and maximum password length, complexity and re-use rules), the user can choose a new password at any time and deploy the same password across all the associated systems. If the standards vary, either the user must choose a password that complies with the rules of every system (the lowest common denominator), or the synchronization software must reconcile the differences behind the scenes, for example by padding or truncating the password to fit the size constraints of particular systems. In the latter case the secret actually stored on the most restrictive system is shorter than the one the user chose, so the effective strength of the synchronized password is bounded by that system.
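As an added example (not code from the original article), the following Python computes that lowest common denominator by intersecting the per-system rules, reports whether the intersection is even satisfiable, and shows what silent truncation would actually store on a size-limited system. The system names and policy values are constructed for illustration.

```python
"""Computing the 'lowest common denominator' policy across synchronized systems.

Added example, not code from the original article. The system names and policy
values below are made up to illustrate the point.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int
    max_len: int
    classes: frozenset = frozenset()  # required classes: 'lower', 'upper', 'digit', 'symbol'
    history: int = 0                  # how many previous passwords may not be reused


CLASS_RE = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def effective_policy(policies):
    """Intersect the per-system policies: the tightest bound wins on every axis,
    so a password accepted here is accepted by every system."""
    if not policies:
        raise ValueError("need at least one policy")
    return Policy(
        name="effective",
        min_len=max(p.min_len for p in policies),
        max_len=min(p.max_len for p in policies),
        classes=frozenset().union(*(p.classes for p in policies)),
        history=max(p.history for p in policies),
    )


def is_feasible(policy):
    """False when the intersection is empty (e.g. one system's maximum length is
    below another system's minimum): no single password can satisfy all systems."""
    return policy.min_len <= policy.max_len


def violations(password, policy, previous=()):
    """Rules the candidate breaks; an empty list means it is accepted.
    `previous` lists old passwords, most recent first."""
    broken = []
    if len(password) < policy.min_len:
        broken.append("min_len")
    if len(password) > policy.max_len:
        broken.append("max_len")
    for cls in sorted(policy.classes):
        if not CLASS_RE[cls].search(password):
            broken.append("class:" + cls)
    if password in list(previous)[: policy.history]:
        broken.append("reuse")
    return broken


def truncated_form(password, policy):
    """What a synchronizer that silently truncates would store on a size-limited
    system. This is the secret an attacker of that system obtains, and it is a
    prefix of the password used everywhere else."""
    return password[: policy.max_len]


# Constructed sample policies for three hypothetical systems.
DIRECTORY = Policy("directory", 12, 128, frozenset({"lower", "upper", "digit"}), 5)
VPN = Policy("vpn", 10, 64, frozenset({"symbol"}), 10)
LEGACY = Policy("legacy", 8, 8, frozenset({"digit"}), 0)  # fixed 8-character field


if __name__ == "__main__":
    eff = effective_policy([DIRECTORY, VPN])
    print(eff, violations("Correct-Horse-7", eff))
    eff_all = effective_policy([DIRECTORY, VPN, LEGACY])
    print("feasible with legacy:", is_feasible(eff_all))
    print("legacy would store:", truncated_form("Correct-Horse-7", LEGACY))
```

With the directory and VPN policies alone the intersection is a 12 to 64 character password using all four classes; adding the fixed-width legacy system makes the intersection empty, and the only way to "synchronize" is to truncate, which leaves that system holding an 8-character prefix of the password used everywhere else.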
It is a type of identity management software and is considered easier to implement than enterprise single sign-on (SSO), as there is no client software deployment and user enrollment can be automated.
Uses
Password synchronization makes it easier for IT users to recall passwords and so manage their access to multiple systems, for example on an enterprise network. Since they only have to remember one or at most a few passwords, users are less likely to forget them or write them down, resulting in fewer calls to the IT help desk and less opportunity for coworkers, intruders or thieves to gain improper access. Through suitable security awareness and training activities, users can be encouraged to choose stronger passwords, as they have fewer to remember.
Password synchronization may be easier to implement than enterprise single sign-on (SSO), as (with some approaches at least) there is no need to deploy client software on the target systems. However, there are security issues that may outweigh the benefits. As with most security decisions, there are cost-benefit considerations relating to the amount of security risk one is willing to accept.
Security
Password synchronization is generally considered to be a relatively crude approach that is inherently less secure than well-designed and implemented single sign-on or password vault solutions. If the single, synchronized password is compromised (for example, if it is guessed, disclosed, recovered by cracking the password hashes stolen from one of the systems, intercepted on an insecure communications path, or if the user is socially engineered into resetting it to a known value), all the systems that share that password are exposed to improper access; the password is only as well protected as the weakest system that stores it. In most single sign-on and password vault solutions, compromise of the primary or master password (the password used to unlock access to the individual unique passwords used on other systems) also compromises all the associated systems, so that password must likewise be strong and well protected. However, compromise of any individual password used on a given system does not automatically allow access to the single sign-on system, the password vault or the other systems, which limits the impact.

Depending on the software used, password synchronization may be triggered by a password change on any one of the synchronized systems (whether initiated by the user or by password expiry on that system) and/or by the user initiating the change centrally through the software, perhaps through a web interface.
Some password synchronization systems distribute the stored representation of the password (typically a salted hash) directly, rather than the plaintext password. This only works where every target system uses an identical storage scheme (the same algorithm, salt handling and work factor), which in practice means proprietary systems from a single vendor. Either way, it is clearly important to reset and distribute the password or stored representations in a secure manner: a hash is still sensitive, since it can be attacked offline, and the channel used to push it must be authenticated and encrypted.
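The following Python, added here as an example and not code from the original article, sketches what distributing the stored representation requires: a salted PBKDF2 record in a made-up `pbkdf2_<alg>$<iters>$<salt>$<digest>` format, a check of whether a target system's scheme can accept that record unchanged, and the resulting split between systems that take the record and systems that must fall back to a plaintext or user-driven reset. The schemes, record format and system names are assumptions for illustration; they are not any vendor's format.

```python
"""Synchronizing a stored representation (a salted hash record) instead of the
plaintext password.

Added example, not code from the original article. The scheme parameters, record
format and system names are made up for illustration.
"""
import base64
import hashlib
import hmac
import os


def make_scheme(algorithm="sha256", iterations=200_000, salt_len=16):
    """The complete recipe a system uses to turn a password into its stored form."""
    return {"algorithm": algorithm, "iterations": iterations, "salt_len": salt_len}


def hash_password(password, scheme, salt=None):
    """Build the stored record 'pbkdf2_<alg>$<iters>$<salt b64>$<digest b64>'."""
    salt = os.urandom(scheme["salt_len"]) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(scheme["algorithm"], password.encode("utf-8"),
                                 salt, scheme["iterations"])
    return "$".join([
        "pbkdf2_" + scheme["algorithm"],
        str(scheme["iterations"]),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def parse_record(record):
    """Split a record back into its scheme parameters, salt and digest."""
    tag, iters, salt, digest = record.split("$")
    return {
        "algorithm": tag[len("pbkdf2_"):],
        "iterations": int(iters),
        "salt": base64.b64decode(salt),
        "digest": base64.b64decode(digest),
    }


def verify(password, record):
    """Check a login attempt against a stored record (constant-time compare)."""
    r = parse_record(record)
    candidate = hashlib.pbkdf2_hmac(r["algorithm"], password.encode("utf-8"),
                                    r["salt"], r["iterations"])
    return hmac.compare_digest(candidate, r["digest"])


def accepts_record(scheme, record):
    """A system can take a foreign record as-is only if its own scheme matches the
    record's algorithm, work factor and salt size exactly."""
    r = parse_record(record)
    return (r["algorithm"] == scheme["algorithm"]
            and r["iterations"] == scheme["iterations"]
            and len(r["salt"]) == scheme["salt_len"])


def sync_representation(record, targets):
    """Return (accepted, rejected) system names. Rejected systems cannot use the
    record and need a plaintext or user-driven reset instead."""
    accepted, rejected = [], []
    for name, scheme in targets.items():
        (accepted if accepts_record(scheme, record) else rejected).append(name)
    return accepted, rejected


# Constructed example: the source system and three targets, one of which shares
# the source's scheme exactly and two of which differ in algorithm or work factor.
SOURCE = make_scheme()
TARGETS = {
    "directory": make_scheme(),
    "legacy": make_scheme(algorithm="sha1", iterations=10_000),
    "portal": make_scheme(iterations=100_000),
}

if __name__ == "__main__":
    rec = hash_password("Correct-Horse-7", SOURCE)
    print(rec)
    print("verify:", verify("Correct-Horse-7", rec))
    print("sync:", sync_representation(rec, TARGETS))
```

Only the target whose scheme is byte-for-byte the same accepts the record; the others cannot verify logins against it and have to be reset some other way, which is why this approach is confined to homogeneous, single-vendor environments. Note that the record pushed to the accepting system is itself a credential to be protected in transit: anyone who captures it can run an offline guessing attack against the digest.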