This document discusses the challenges of single sign-on systems and proposes password synchronization as an alternative. Password synchronization allows users to maintain uniform passwords across multiple login accounts and systems by enabling simultaneous password changes. This makes password management easier for users and reduces helpdesk costs compared to single sign-on, which has challenges like being an attractive target for intruders, causing service unavailability if the password server is damaged, and being complex and expensive to install.
Alternative to SSO: Password Sync for Multi-Account Users
1. An Alternative to Single Sign-On
First, what are the challenges for a Single Sign-On system?
The Password server is an attractive target for Intruders, since it contains Plaintext or decryptable Credentials for many users and systems.
If the Password server is damaged, then many applications become unavailable. This constitutes a major Denial of Service problem.
Scripts used to launch applications are quite fragile.
The entire system is complex and difficult to install.
The software tends to be quite expensive.
Secondly, what is the alternative?
Password Synchronization.
Password Synchronization is any software or network infrastructure that enables users to maintain uniform Password values on multiple Login Accounts, on multiple Host Systems.
For instance, a user might have two Unix accounts, one SAP account and one Windows account.
A Password Synchronization system is any system that helps the user change all of these passwords simultaneously, and thus keep them at the same value.
The security objectives of Password Synchronization are:
To help users remember their passwords, so they don't write them down.
To make it possible to control password strength across all platforms in a uniform fashion.
To expire passwords on all systems simultaneously, rather than individually.
To allow front-line helpdesk staff to reset passwords without having administrative rights to systems where those passwords are stored.
Password Synchronization also reduces support costs, by:
Helping users to remember their passwords, so they don't call the helpdesk as frequently.
Reducing the time spent by users in password management.
Making it possible for administrators to reset passwords on multiple systems of different types from a single screen.
Allowing front-line helpdesk staff to reset passwords on unfamiliar platforms (e.g., mainframes, Unix systems, DBMS servers), with no special training.
While Password Synchronization indirectly affects the Authentication process, by updating Passwords, it is not directly involved in the process by which a user logs into any system. This makes it much simpler, cheaper and more reliable than Single Sign-On technologies.
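Controlling password strength uniformly, as listed among the security objectives above, means a synchronized password has to satisfy the rules of every target at once. The following is an added example, not part of the original document or of any product: it derives that combined policy for the two Unix, one SAP and one Windows account mentioned in the text. All names (Policy, SYSTEMS, composite, violations) and all rule values are constructed assumptions.

```python
import string
from dataclasses import dataclass

CLASSES = {"lower": set(string.ascii_lowercase),
           "upper": set(string.ascii_uppercase),
           "digit": set(string.digits)}
ALNUM = frozenset(string.ascii_letters + string.digits)
PRINTABLE = frozenset(string.printable.strip())  # no whitespace

@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: int
    allowed: frozenset   # characters the target accepts
    required: frozenset  # names from CLASSES that must appear

# Constructed rules for the accounts named in the text; not vendor defaults.
SYSTEMS = {
    "unix-1":  Policy(8, 64, PRINTABLE, frozenset({"lower", "digit"})),
    "unix-2":  Policy(8, 64, PRINTABLE, frozenset({"lower", "digit"})),
    "sap":     Policy(6, 12, ALNUM, frozenset({"digit"})),
    "windows": Policy(7, 127, PRINTABLE, frozenset({"upper", "lower"})),
}

def composite(policies):
    """Strictest rule set that every target accepts."""
    policies = list(policies)
    merged = Policy(max(p.min_len for p in policies),
                    min(p.max_len for p in policies),
                    frozenset.intersection(*(p.allowed for p in policies)),
                    frozenset.union(*(p.required for p in policies)))
    if merged.min_len > merged.max_len:
        raise ValueError("no length is valid on every system")
    for name in merged.required:
        if not CLASSES[name] & merged.allowed:
            raise ValueError(f"class {name!r} is required but not accepted everywhere")
    return merged

def violations(password, policy):
    """Reasons the password fails the policy; empty list means acceptable."""
    chars, problems = set(password), []
    if not policy.min_len <= len(password) <= policy.max_len:
        problems.append(f"length must be {policy.min_len}-{policy.max_len}")
    if chars - policy.allowed:
        problems.append("uses characters some system rejects")
    problems += [f"missing {n}" for n in sorted(policy.required) if not CLASSES[n] & chars]
    return problems
```

Checking a candidate against composite(SYSTEMS.values()) before any target is updated avoids the case where one system rejects the new value and the accounts drift out of sync.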