Enterprise password management really isn't a good idea

Summary: Being at a university and working for a government department allows me to understand this concept well. There are shared resources here, there and everywhere, provided by different people and providers, all open to a "certain type" of person - employees or students.

TOPICS: Browser, Software

Image: An example of how the Sun system uses LDAP in its single-sign-on enterprise software for a university network.

Being at a university and working for a government department allows me to understand this concept well. There are shared resources here, there and everywhere, provided by different people and providers, all open to a "certain type" of person - employees or students. Having a single sign-on (SSO) point for all of these services makes security tighter and cuts down costs. The one we have at the University is a good example: it cuts costs, saves the IT administrators time, and increases security by not having usernames and passwords floating around all over the place.

Although a university is a good example of an enterprise, the same approach can work in any existing enterprise system. Whilst the consumer product has been named Editor's Choice by PC Magazine and CNET Software of the Year, I've been playing with the enterprise software in a virtual environment, and it's good.

RoboForm Enterprise converts passwords from websites, Intranet domains and suchlike into passcards, which are then stored securely and used by your browser to fill in login information. It can save registration details or common identity text - such as billing/shipping addresses - into identities. Not only that, it can store snippets of sensitive information, such as ATM and cash machine PIN codes, safe combinations and secure entry door lock codes, into what they call safenotes.

Because it runs on Windows, it works with Internet Explorer 6 and above out of the box, but it also gives the option to work with Firefox, which is another great part of the software. They recognise that many organisations use Firefox as an alternative and include that support in their own software. One "problem" that may arise is that, because either Mozilla updates Firefox too often or RoboForm doesn't update its own software often enough, it may not work with your Firefox version. I run Firefox 3.0.1 and the RoboForm software only works with major releases - Firefox 1.5 to 3.0, and presumably 3.1 when it eventually comes out - but nothing minor in between.

Once I'd got it working in Firefox, I went about my ordinary surfing habits and, as usual, right-clicked at some point. Oh, I was not best pleased. RoboForm had filled up my right-click menu to the point where it was almost filling the height of my screen. Any software which adds extra entries to my right-click menu or toolbars is normally a big "no-no" for me, as I like my regular software to stay pure; not in a religious, evangelical way, it's more of an obsessive-compulsive way.

The program does work well though; you enter your username and password for any website, click "Save" in the toolbar, and then log in as usual. Once you reach that page again, it'll tell you that you've saved data and you can simply click a button to fill in the information for you. From a press release emailed to me:

RoboForm Enterprise lets companies implement a low-risk, cost effective, easy and secure password management solution.  IT Managers can completely customize RoboForm Enterprise within 15 minutes to meet the company’s password policies.

Employees enjoy the same advantages RoboForm offers consumers, but within the corporate setting: they can securely store usernames and passwords, log into web applications automatically, and complete long web forms with one click.  Users no longer have to remember a long list of passwords for different sites, rely on the web browser to keep the passwords, write their passwords down, or list them in files on their computer—none of which is secure.

IT administrators are given a policy editor which allows them to customise the software to their hearts' content, even making it compliant with their network password policy. By exporting the policy to a batch or registry file, they can roll it out to logon batch servers along with the software, to ensure the policy is applied each time the user profile logs on.

Because it is designed for the client machine, and therefore for the client, you can set a master password for all of your other identities and passcards. There is, however, a danger of forgetting your passwords. Let me explain.

One of my old colleagues used a password manager. It'd remember her passwords for her and she only had to type them in once. After that, they'd automatically fill the boxes for that particular domain and it'd be a piece of cake for her. Then, when she decided to do some work in Starbucks round the corner, she spilt her coffee all over her laptop, thus killing it. The laptop had been backed up to the central server store the night before, but her passwords were all saved on that computer... and she had forgotten what her passwords were for each website, because she was so used to not using them.

Some issues I'm still not happy with:

  • The user interface isn't too great, and seems a bit too "playful" for serious enterprise software.
  • It may increase security but passwords can still be forgotten.
  • Regardless of how secure their encryption might be, there will always be a way to crack it, even if that's highly unlikely. For the time being, I'm happy keeping passwords in my head because I know my "brain encryption" can't be broken into by anybody.
  • It saves the safenotes, passcards and identities on the local computer. Although I'm sure this can be changed, it's still not ideal in hot-desking environments or those without roaming user profiles.
  • It's expensive and an actual single sign-on server or utility using the LDAP protocol may be more efficient.
  • IT administrators and network security personnel, especially those on high-security or internal government networks, would most likely prefer to be asked to reset a password every 5 minutes rather than have a potentially vulnerable file full of passwords ripped out by a computer virus and sent somewhere.

It's not for me, though it may have its merits - but head for a single sign-on (SSO) feature in your network rather than an enterprise password manager, because something will inevitably go horribly wrong.

*hits uninstall*


  • Lastpass password manager a new alternative to roboform et al.

    As a user of the service, lastpass has been developed to conform to user behavior making web browsing easier, faster and safer. On the security side and control side, Lastpass does all the encryption and password storage locally on your PC/Mac meaning the company doesn't have access to your personal data/passwords - which is an improvement to legacy offerings. This appears to be a real key in keeping security and control within the user not on a server or on a website.

    Lastpass also allows you to share password protected web content with friends/colleagues more easily. Worth checking out at http://www.lastpass.com also a big review on lifehacker last week.
  • You need to see Passlogix ...seriously

    Enterprise password management really isn't a good idea...with a consumer toy like RoboForm! But, try to tell that to the 10 million users of v-GO SSO by Passlogix (http://www.passlogix.com). You can't pass judgment on an entire product category by reviewing one (not so great) product.

    If you want to make a serious claim about enterprise password management (http://www.passlogix.com/index.php/solutions/signon/enterprise/), you need to look at the category leader.

    by Joel York (http://chaotic-flow.com)
    at Chaotic Flow (http://chaotic-flow.com)
  • Cute Password Manager the best password manager and 1-click login software

    As a user of this product, Cute Password Manager (CPM) is a secure password management and form filling software that auto-fills user IDs and passwords. CPM stores your web logins on your local machine with 256-bit AES encryption and performs a true "one click login" for you. It is a fast, easy and secure password manager. One 'Master Password' is all that is needed to access all your passwords and private information. This is MUST HAVE software if you have several web email accounts or just web logins.

    Please check out at http://www.cutepasswordmanager.com
  • RE: Enterprise password management really isn't a good idea

    I don't use client side password managers where I work; it seems way too insecure, basically anyone with a laptop could be the weakest link in your security chain. If someone has access to your vital systems and they use a laptop to access them, then someone steals the laptop and your stuff is wide open, at least until the person reports the laptop and you go through and figure out what access they had.

    We use AccessManager from Novell for our stuff. It is a server based system that is integrated with LDAP and will do single sign on to just about any web site. It is not based on any client computer and it acts as several different programs. For instance, it acts as a reverse proxy (accelerating your websites), a semi-firewall between the Internet and your Web Servers, and will SSL'ize all the content to your websites or just your login info or nothing at all if you like. It is scalable, allowing for multiple reverse proxies; it is modular in the sense that the control of the system is never exposed to the Internet because it is on a different server; and it is redundant, allowing standby servers if a server goes down.

    Maybe it is just me, but it seems that most major breaches in security have been when someone lost their laptop (granted the companies let the person put a database of the user info on it).

    If you are looking to just secure your web services then I would pick AM hands down; of course, if you feel you have to protect everyone from sites they got on their own then it would be more hassle to AM than a client based solution.
  • RE: Enterprise password management really isn't a good idea

    Have you tried the Firefox SXIPPER? I haven't explored ALL of its benefits but it's a fantastic form filler.
  • RE: Enterprise password management really isn't a good idea

    If one person can figure out how to "manage passwords securely," then NATURALLY, another person will figure out how to get around it. Simple as that.
  • We use Secret Server

    We use Secret Server.

    It works for our team, has templates, web-based - even does advanced stuff like manages our service accounts.
  • RE: Enterprise password management really isn't a good idea

    Last time I forgot my password and tried everything I could do but failed, until I found this great tool Password Genius. It works great, and you can google it.
  • Advantages against lacuna

    Nice points are made. But such lacuna may be part of any enterprise software. The problems you mentioned here are true. But you may also agree that remembering all IDs and passwords is really difficult. So in my view, a good password manager is a safe option rather than creating your own password creation methods and maintaining the same for a lot of sites.