II. Management

In general, management should ensure that formal policies and procedures have been established to govern the allocation of passwords to authorised personnel and to set strong password requirements in line with industry standards. Such policies and procedures should be implemented consistently, whether through manual processes or automated controls, across all academic / administrative divisions and information systems so that general users comply with the common practices (please refer to Section III General Users for the recommended password requirements). The implementation can be further strengthened by adopting password management technologies.

Most password management solutions today employ three common practices: 1) single sign-on technology; 2) password synchronisation; and 3) local password management.

These practices are designed to minimise the risk of password compromise arising from human factors, such as passwords being written down in clear text, passwords being logged as they are typed at keyboards, or weak passwords being chosen for ease of use.

Nevertheless, these practices may also introduce other security risks, to which management should pay attention during implementation.


Single Sign-On Technology

  • Implementation

    Single sign-on ("SSO") technology allows a user to be authenticated once and then gain access to all information resources that he or she is authorised to use. The user only needs to enter one user account and password into the SSO software, which then authenticates to each individual resource using a unique, strong password while keeping the process transparent to the user. The benefit of SSO is that users need not remember multiple strong passwords for individual resources; the SSO software enforces them automatically on the users' behalf.

    There are different possible architectures for SSO technologies. One common example is a Kerberos-based authentication service for user authentication, together with a centralised database or directory service (e.g. a Lightweight Directory Access Protocol (LDAP) server) for storing the authentication information for individual resources.

  • Security Concern

    By its nature, SSO creates a single point of failure at the centralised servers that host users' authentication credentials for the individual resources. The availability of the centralised server therefore determines the availability of every resource that relies on the SSO service for authentication.

    The security of the centralised server is particularly important, since any compromise of the server leads to the compromise of credentials for many resources. Management should harden the centralised server and encrypt the transmission of authentication credentials to prevent this single point of failure from being exploited.
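The flow described under Implementation and the exposure described under Security Concern, modelled in Python as an added example (not code from the original guideline or from any SSO product); the Resource and SsoBroker classes and their methods are constructed for illustration, and a real deployment would add transport encryption and hardening of the store:

```python
import hashlib
import secrets
# Constructed model of the SSO flow described above (not a real SSO product): one
# login to the broker, which holds a unique strong password per resource and uses it.

def generate_resource_password():
    return secrets.token_urlsafe(18)  # 24 random characters, never typed by a human

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def store_password(password):
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)

def verify_password(password, stored):
    salt, digest = stored or (b"", b"")  # unknown user: compare against nothing
    return secrets.compare_digest(digest, hash_password(password, salt))

class Resource:  # a downstream system; it keeps only a salt and a PBKDF2 hash per user
    def __init__(self, name):
        self.name, self._creds = name, {}
    def enrol(self, user, password):
        self._creds[user] = store_password(password)
    def authenticate(self, user, password):
        return verify_password(password, self._creds.get(user))

class SsoBroker:  # centralised credential store: the single point of failure above
    def __init__(self):
        self._masters, self._vault, self._sessions = {}, {}, {}
    def register_user(self, user, master_password):
        self._masters[user] = store_password(master_password)
        self._vault[user] = {}
    def enrol_resource(self, user, resource):
        password = generate_resource_password()  # the user never sees this value
        resource.enrol(user, password)
        self._vault[user][resource.name] = password
    def login(self, user, master_password):
        if not verify_password(master_password, self._masters.get(user)):
            return None
        token = secrets.token_hex(16)  # one authentication covers every resource
        self._sessions[token] = user
        return token
    def access(self, token, resource):
        user = self._sessions.get(token)
        return user is not None and resource.authenticate(
            user, self._vault[user].get(resource.name, ""))
    def stored_passwords(self, user):  # what a compromise of this store exposes
        return dict(self._vault[user])
```

Note that stored_passwords returns every per-resource password for a user in clear text: that is exactly what an attacker gains from the broker's store, which is why the text calls for hardening it.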

 