Review: Password Management: Grief Relief - InformationWeek

Review: Password Management: Grief Relief

With more users, partners, accounts, and platforms, password automation is becoming a necessity. We tested seven password-management products and granted our Tester's Choice to the one with outstanding policy creation and enforcement as well as extensive platform support.

Get Flexible

Password-management software generally lets users reset and change passwords from a browser, from a Windows client or by phone. When using the telephone for a reset, users enter a PIN and are walked through prompts. For shops that don't provide 24/7 helpdesk access, support for Web browsers and phones is a plus. ActivIdentity SecureLogin lacks phone support, but it does support authentication using biometrics, terminal services and VPN, as do Avatier Identity Management Server (AIMS), Courion Enterprise Provisioning Suite (EPS), M-Tech P-Synch and Passlogix v-GO Single Sign-On. Quest Password Reset Manager (PRM) provides VPN support, and the company said it will add phone support later this quarter. ASPG ReACT (Reset Enterprise Access Control Tool) provides only a Windows client and support for HTTP/HTTPS.

In addition to supporting authentication tools, like tokens or biometrics, out-of-the-box or through an SDK, self-service password-management suites authenticate employees using a series of random, predefined challenge-response questions, such as "What's your mother's maiden name?" All the products we tested ship with built-in identity questions.

To guarantee that challenge-response questions offer strong user authentication, admins typically can specify the number of questions that must be asked and answered correctly. We required that 10 questions be defined in the system, for example, but only four had to be answered properly for a reset request. While ASPG only allows up to five configurable questions, all other products could select, say, four out of our 10 questions randomly. Self-service password resets are ideal for today's mobile and dynamic workforce, but flexibility and ease of use are key. If users find the application too cumbersome or just don't understand what's happening, they won't use the product and they'll call the helpdesk, defeating the purpose. Quest's PRM was the only product we tested that didn't permit at least partial customization of the self-service site.

Users must enroll to take advantage of a self-service password product. With the products we tested, we could enroll users manually or let them enroll themselves. Manual enrollment requires an admin to answer questions for each user. We prefer to let users register themselves by answering a series of questions, but there is an inherent weakness in self-enrollment--if a user should fail to register, someone else could answer his or her questions, then change the password.
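The enrollment and quorum mechanism the preceding paragraphs describe (ten questions defined, four chosen at random, four correct answers required) is sketched below as an added example. It is not code from the review or from any of the products it covers; the function names, the PBKDF2 cost setting and the sample question set are assumptions for illustration. Answers are normalized and stored only as salted hashes, so the enrollment record itself does not reveal them.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed example: models self-service enrollment and a quorum-based
# challenge-response reset. Names and parameters are assumptions, not the API
# or storage format of any product in the review.

PBKDF2_ROUNDS = 50_000  # assumed cost setting; tune upward for production


def normalize(answer: str) -> str:
    """Case-fold, trim and collapse whitespace so 'Smith ' matches 'smith'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so stored answers cannot be read back from the record."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


def enroll(answers: dict, required: int = 10) -> dict:
    """Self-service enrollment: demand `required` questions, keep (salt, hash) per answer."""
    if len(answers) < required:
        raise ValueError(f"enrollment needs {required} questions, got {len(answers)}")
    record = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        record[question] = (salt, hash_answer(answer, salt))
    return record


def select_challenge(record: dict, k: int = 4) -> list:
    """Pick k distinct enrolled questions at random for one reset request."""
    return secrets.SystemRandom().sample(sorted(record), k)


def verify(record: dict, responses: dict, quorum: int = 4) -> bool:
    """Approve the reset only if at least `quorum` of the supplied answers match."""
    correct = 0
    for question, answer in responses.items():
        if question not in record:
            continue
        salt, digest = record[question]
        if hmac.compare_digest(hash_answer(answer, salt), digest):
            correct += 1
    return correct >= quorum


# Constructed sample enrollment: ten questions with placeholder answers.
SAMPLE_ANSWERS = {f"Question {i}": f"answer {i}" for i in range(1, 11)}
SAMPLE_RECORD = enroll(SAMPLE_ANSWERS)


def demo() -> tuple:
    """Return (outcome with 4 correct answers, outcome with 3 correct and 1 wrong)."""
    asked = select_challenge(SAMPLE_RECORD)
    # Upper-casing and trailing spaces are tolerated by normalize().
    good = {q: SAMPLE_ANSWERS[q].upper() + "  " for q in asked}
    bad = dict(good)
    bad[asked[0]] = "wrong"
    return verify(SAMPLE_RECORD, good), verify(SAMPLE_RECORD, bad)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The quorum check counts only matches against enrolled questions, so an attacker who knows one or two answers cannot pad the response with extra questions to reach the threshold; the hashed, salted storage is what keeps a leaked enrollment record from becoming a reset oracle.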

Stay Strong

Although easily guessable passwords are a security risk, requiring ultrastrong passwords doesn't mean ultrastrong security. It's a rare user who won't jot down a password like au89JQ%p4. The goal is a middle ground where you can enforce strong yet memorizable passwords while reducing resets. We aimed to impose strict passwords, but based on a flexible set of requirement rules--for example, a minimum and maximum length, mixed cases, a minimum and maximum of upper or lower case letters, and no words from the dictionary. By far, M-Tech's P-Synch offered us the richest built-in options for creating password policy rules, but ActivIdentity SecureLogin, Avatier IMS, Passlogix v-GO, and Quest PRM made strong showings as well; note that Avatier requires the purchase of its Password Bouncer as a companion to its Password Station to enforce strong passwords.

Courion also offered good flexibility options and even let us specify formats for policies. ASPG builds in a much smaller policy rule set--we needed to edit or create ActiveX scripts using ASPG's ActiveX Scripted System to add rules other than minimum and maximum password length, characters allowed and password case sensitivity.
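The kind of rule set the review describes (minimum and maximum length, mixed case, bounds on upper- and lower-case counts, no dictionary words) is shown below as an added example. It is not code from the review or from any product it covers; the rule names, the `PasswordPolicy` class and the small sample dictionary are assumptions for illustration, and the example generalizes slightly by reporting every broken rule rather than a single pass/fail so a reset page can tell the user what to fix.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed example: a configurable password-policy rule set of the sort the
# review discusses. Nothing here reflects any reviewed product's configuration.

SAMPLE_DICTIONARY = frozenset({"password", "welcome", "summer", "admin", "qwerty"})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    require_mixed_case: bool = True
    min_upper: int = 1
    max_upper: Optional[int] = None
    min_lower: int = 1
    max_lower: Optional[int] = None
    min_digits: int = 1
    dictionary: FrozenSet[str] = frozenset()

    def violations(self, password: str) -> List[str]:
        """Return every rule the candidate breaks; an empty list means it complies."""
        problems: List[str] = []
        upper = sum(1 for c in password if c.isupper())
        lower = sum(1 for c in password if c.islower())
        digits = sum(1 for c in password if c.isdigit())

        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        if self.require_mixed_case and not (upper and lower):
            problems.append("must mix upper and lower case")
        if upper < self.min_upper:
            problems.append(f"fewer than {self.min_upper} upper-case letters")
        if self.max_upper is not None and upper > self.max_upper:
            problems.append(f"more than {self.max_upper} upper-case letters")
        if lower < self.min_lower:
            problems.append(f"fewer than {self.min_lower} lower-case letters")
        if self.max_lower is not None and lower > self.max_lower:
            problems.append(f"more than {self.max_lower} lower-case letters")
        if digits < self.min_digits:
            problems.append(f"fewer than {self.min_digits} digits")

        # Dictionary rule: reject a listed word appearing anywhere, ignoring case,
        # so "Summer2017" is caught and not only the bare word "summer".
        folded = password.casefold()
        for word in sorted(self.dictionary):
            if word in folded:
                problems.append(f"contains dictionary word '{word}'")
        return problems

    def check(self, password: str) -> bool:
        """True when the candidate satisfies every rule."""
        return not self.violations(password)


# A strict policy in the spirit of the review: strong but still memorizable.
STRICT = PasswordPolicy(min_length=8, max_length=20, max_upper=3, dictionary=SAMPLE_DICTIONARY)


if __name__ == "__main__":
    for candidate in ("au89JQ%p4", "Summer2017", "ABCDefg1", "abc"):
        print(candidate, "->", STRICT.violations(candidate) or "ok")
```

Returning the full list of violations rather than stopping at the first one matters for self-service: a user who is told only "rejected" will call the helpdesk, which is exactly the outcome the review says defeats the purpose of the product.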

When it came to enforcing our test password policies, all seven products worked like a charm.

It's also important to consider supported platforms. If you're a Windows-only shop, you'll find plenty of options. But scaling across numerous platforms, including mainframes, databases and applications like e-mail and ERP will narrow your list quite a bit. For OS support, the products from Avatier, Courion, M-Tech and Passlogix were shining stars. Following closely were those from ActivIdentity and Quest. ASPG's ReACT supports Windows Server 2000/2003 and IBM OS/390 but requires ActiveX scripting for Unix-variant integration.

Sync Up for SSO

Password synchronization can be thought of as one step down from SSO. The former lets users log on to different systems with a single password, but users still must enter an ID and password for each application. Password synchronization usually doesn't require IT infrastructure changes because the software resides on an existing server, and APIs link it to databases, helpdesk systems and security frameworks.

SSO lets a user log on once and access multiple applications and systems. Typically, the user is authenticated at logon. When an application is open, the SSO agent seamlessly passes authentication credentials to any system to which the user has access rights. SSO technology requires its own infrastructure, including an authentication server, to validate a user's identity and permissions prior to granting or denying access. In addition, SSO software may not solve all your password-management problems. SSO's high price and manpower costs are causing the pendulum to swing back to password synchronization if your main goal is a single password (see "Is One Password a Reality?").

All the products we tested can handle password synchronization or SSO, though Avatier's and Courion's products require add-ons or partnerships. Passlogix's and ActivIdentity's have the strongest SSO implementations because both provide encrypted, secure passwords that can manage user access across applications. Users should find both simple to use.
