How Password Synchronization Works
Password Synchronization is any software or network infrastructure that enables users to maintain uniform Password values on multiple Login Accounts, on multiple Host Systems.
For instance, a user might have two UNIX accounts, one NetWare NDS account and one Windows NT account. A Password Synchronization system is any system that helps the user change all of these passwords simultaneously and thus keep them at the same value.
Advantages
The security objectives of Password Synchronization are:
- To help users remember their passwords, so they don't write them down.
- To make it possible to control password strength across all platforms in a uniform fashion.
- To expire passwords on all systems simultaneously, rather than individually.
- To allow front-line helpdesk staff to reset passwords without having administrative rights to systems where those passwords are stored.
- To enable user provisioning, and the enabling and disabling of users, from one location.
Password Synchronization also reduces support costs, by:
- Helping users to remember their passwords, so they don't call the helpdesk as frequently.
- Reducing the time spent by users in password management.
- Making it possible for administrators to reset passwords on multiple systems of different types from a single screen.
- Allowing front-line helpdesk staff to reset passwords on unfamiliar platforms (e.g., mainframes, Unix systems, DBMS servers), with no special training.
While Password Synchronization indirectly affects the Authentication process, by updating Passwords, it is not directly involved in the process by which a user logs into any system. This makes it much simpler, cheaper and more reliable than Single Sign-On technologies.
- The Keys to the Kingdom threat: if a user's password is discovered, all applications and platforms used for SSO may be susceptible.
- If the user forgets or is otherwise unable to use SSO, then they cannot use any application implementing SSO.
- Scripts and/or agents used to synchronize passwords are quite fragile, often requiring frequent updates.
- The entire system is complex and difficult to install.
- The software tends to be quite expensive.
- Requires users to be connected to the network.
Implementation Methods
There are two basic implementation methodologies.
- Client-based - The user's platform has an agent that updates passwords on all systems when the password is changed.
- Server-based - The user's password is updated by a server-based agent that updates passwords on all systems when the password is changed.
Some of the disadvantages of Password Synchronization may be overcome by using Top-Down Synchronization.
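The following is an added sketch of the server-based method, not code from any synchronization product: it derives one uniform length rule that every target accepts, validates the new password once, then pushes it to each system and reports the targets that fell out of sync. The `Target` connector, the target names and their length limits are constructed assumptions, and length stands in for the full strength policy.

```python
import hashlib
import os
from dataclasses import dataclass, field

@dataclass
class Target:
    """Hypothetical connector to one host system (limits are constructed values)."""
    name: str
    min_len: int
    max_len: int
    online: bool = True
    store: dict = field(default_factory=dict)  # user -> (salt, derived key)

    def set_password(self, user, password):
        if not self.online:
            raise ConnectionError(f"{self.name} unreachable")
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.store[user] = (salt, key)

def composite_policy(targets):
    """Uniform rule all targets accept: strictest minimum, smallest maximum."""
    lo = max(t.min_len for t in targets)
    hi = min(t.max_len for t in targets)
    if lo > hi:
        raise ValueError("no password length satisfies every target")
    return lo, hi

def sync_password(user, password, targets):
    """Validate once against the composite policy, then push to every target.

    A rejected password is pushed nowhere. Returns the names of targets
    that could not be updated, so the caller can queue a retry.
    """
    lo, hi = composite_policy(targets)
    if not lo <= len(password) <= hi:
        raise ValueError(f"password length must be {lo}-{hi} characters")
    failed = []
    for t in targets:
        try:
            t.set_password(user, password)
        except ConnectionError:
            failed.append(t.name)  # this account now holds the old password
    return failed

# Constructed sample targets: two reachable systems and one that is offline.
TARGETS = [Target("unix-a", 8, 64), Target("directory", 10, 128),
           Target("mainframe", 6, 16, online=False)]
```

The returned list is the part worth monitoring: a target left in it keeps the old password until the retry succeeds.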