It’s all about cached passwords…
One would think that – as IT infrastructure in every organization evolves
and more and more applications take advantage of a central LDAP directory
(in reality: this is usually Active Directory), the need for managing
passwords – at least at work – will gradually decline.
Gone are the days where every application has its own password — right?
And if that’s the case, a simple system to manage AD passwords, with
things like enrollment of security questions and self-service password
reset should be all that any company needs — right?
Increasingly, it seems that password management is becoming more
complicated, rather than less. And the complexity is not happening on
the back end, where indeed many applications are learning to externalize
at least user identification and authentication, to Kerberos, LDAP,
SAML or other mechanisms.
The problem is happening on the client side of the equation. Consider:
* Mobile Windows users continue to have cached credentials on their PC.
If they forget their password and get a password reset from the help
desk, the user will still not be able to sign on until he reconnects
to the network and to the domain.
* Lotus Notes users now increasingly deploy the Notes SSO client.
Guess what – it caches the user’s password too, so a password change
or reset made over the network, from a web browser or by the help desk,
will invalidate the SSO cache.
* What about VPN software? Most users have that too, and guess what,
most VPN clients also cache passwords on the PC.
* What about full disk encryption software? Not only is the password
cached, but it is used to protect the HDD encryption key on the master
boot record or a similar location.
I’m sure there are more scenarios that I haven’t thought of off-hand.
So what does this mean?
For starters, any “enterprise-scale” password management system needs
to include increasingly sophisticated client software to perform tasks
ranging from assisting a locked-out user at the login prompt to updating
cached Windows and Lotus Notes passwords to decrypting and re-encrypting
the key used to encrypt the hard disk.
And this client software should work with the bewildering range of client
software variations used by enterprise users – everything from Windows
2000 to Windows 7, at various patchlevels, in 32- and 64-bit versions.
And terminal services. And Citrix servers. And that’s just the Windows
And what vendors can help with this?
Not the usual “enterprise identity management” players, unfortunately.
Sun does not offer any client-side software at all. Oracle and IBM
offer a bit (GINA DLL for locked out users) but nowhere near enough
for the challenges described here. Microsoft? They *wrote* the OS,
but they are only now offering a GINA DLL, and it’s pretty weak —
nothing for cached passwords, certainly nothing for Lotus Notes, etc.
Maybe I’m biased. Here at Hitachi ID we’ve been working on these problems
for years. They aren’t easy to solve and maintaining functionality every
time Microsoft, IBM/Lotus or others change the platform is a real pain.
But it’s *our* job to deal with it, not our customers’ job.