Enterprise password management really isn't a good idea


An example of how the Sun system uses LDAP in its single-sign-on enterprise software for a university network.
Being at a university and working for a government department allows me to understand this concept well. There are shared resources here, there and everywhere, provided by different people and providers, all open to a "certain type" of person - employees or students. Having a single sign-on (SSO) point for all of these services makes security tighter and cuts down costs. The diagram above is one example of what we have at the University - it cuts costs, saves the IT administrators time, and increases security by not having usernames and/or passwords floating around all over the place.

Although a university is a good example of an enterprise, it can work in any existing enterprise system. Whilst the consumer product has been named Editor's Choice by PC Magazine and CNET Software of the Year, I've been playing with the enterprise software in a virtual environment and it's good.

RoboForm Enterprise converts passwords from websites, Intranet domains and suchlike into passcards, which are stored securely and then used by your browser to fill in login information. It can also save registration details or common identity text - such as billing/shipping addresses - into identities. Not only that, it can secure snippets of sensitive information such as ATM and cash machine PIN codes, safe combinations and secure entry door lock codes into what they call safenotes.

Because it works on Windows, it automatically works with Internet Explorer 6 and above, but it also gives the option to work with Firefox, which is another great part of the software. They recognise that many organisations use Firefox as an alternative, and include that functionality with their own software. One "problem" that may arise is that, because either Mozilla update Firefox too often or RoboForm don't update their own software often enough, it may not work with your Firefox version. I run Firefox 3.0.1, and the RoboForm software only works with major editions - Firefox 1.5 to 3.0, and presumably upwards to 3.1 when it eventually comes out - but nothing minor in between.

Once I'd got it working in Firefox, I went about my ordinary surfing habits and as usual, right-clicked at some point. Oh I was not best pleased. RoboForm had filled up my right click menu to the point where it was almost filling the height of my screen. Any software which adds extra menus to my right-click menu or toolbars is normally a big "no-no" for me, as I like my regular software to stay pure; not in a religious evangelical way, it's more of an obsessive-compulsive way.

The program does work well though; you enter your username and password for any website, click "Save" in the toolbar, and then login as usual. Once you reach that page again, it'll tell you that you've saved data and can simply click a button to fill in the information for you. From a press release emailed to me:

RoboForm Enterprise lets companies implement a low-risk, cost effective, easy and secure password management solution.  IT Managers can completely customize RoboForm Enterprise within 15 minutes to meet the company’s password policies.

Employees enjoy the same advantages RoboForm offers consumers, but within the corporate setting: they can securely store usernames and passwords, log into web applications automatically, and complete long web forms with one click.  Users no longer have to remember a long list of passwords for different sites, rely on the web browser to keep the passwords, write their passwords down, or list them in files on their computer—none of which is secure.

IT administrators are given a policy editor which allows them to customise the software to their heart's content, even making it compliant with their network password policy. By exporting the policy to a batch or registry file, they can roll it out through the logon scripts along with the software, to ensure the policy is applied each time the user profile logs on.

Because it is designed for the client machine, and therefore for the client, you can set a master password that protects all of your other identities and passcards. There is, however, a danger of forgetting your passwords. Let me explain.

One of my old colleagues used a password manager. It'd remember her passwords for her and she only had to type them in once. After that, they'd automatically fill the boxes for that particular domain and it'd be a piece of cake for her. Then when she decided to do some work in Starbucks round the corner, she spilt her coffee all over her laptop, thus killing it. The laptop had been backed up to the central server store the night before, but her passwords were all saved on that computer... and she had forgotten what her passwords were for each website, because she was so used to not typing them.

Some issues I'm still not happy with:

  • The user interface isn't too great, and seems a bit too "playful" for serious enterprise software.
  • It may increase security but passwords can still be forgotten.
  • Regardless of how secure their encryption might be, there will always be a way to crack it, even though it's still highly unlikely. For the time being, I'm happy keeping passwords in my head because I know my "brain encryption" can't be broken into by anybody.
  • It saves the safenotes, passcards and identities on the local computer. Although I'm sure this can be changed, it's still not ideal in hot-desking environments or those without roaming user profiles.
  • It's expensive and an actual single sign-on server or utility using the LDAP protocol may be more efficient.
  • IT administrators and network security personnel, especially those on high-security or internal government networks would most likely prefer to be asked to reset a password every 5 minutes than to have a potentially vulnerable file full of passwords to be ripped out by a computer virus and sent somewhere.

It's not for me, and it may have its merits - but head for a single sign-on (SSO) feature in your network rather than an enterprise password manager, because something inevitably will go horribly wrong.

*hits uninstall*

Topics: Browser, Software

About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
