Password Synchronization

Passwords have become a necessary evil to many users and administrators. Although passwords are a cheap solution for securing access to an IT infrastructure and its resources, poorly chosen or managed passwords can lead to insecure environments and the compromise of corporate data or resources. In addition, because different applications and environments have specific password requirements, most users end up with several passwords. Average users who must deal with different passwords often choose identical or easy-to-remember passwords. If a user's passwords aren't easy to remember, the user might record the passwords on a handy notepad. These practices make password compromise more likely than ever.

Several approaches exist for making passwords more secure and easier to manage. Options include enforcement of strong password policies, employment of credential mapping solutions, and use of password synchronization.

Strong password policies can ensure that passwords are changed at regular intervals and that they adhere to certain complexity rules—both of which lower the chances of successful password guessing or brute force cracking-based attacks on password hashes. Credential mapping solutions map a user's credentials that are needed to access different resources to a set of primary user credentials. Successful authentication using the primary credentials transparently unlocks the other user credentials and provides single sign-on (SSO) for that particular user to the other resources.

The third approach—password synchronization—specifically targets the user and administrator problem of having to deal with different passwords. Password synchronization can significantly ease users' and administrators' lives because it reduces the problem of multiple passwords to the management and maintenance of just one password. In this article I focus on Microsoft solutions for synchronizing passwords between Active Directory (AD) and other repositories. To start with, I define password synchronization and discuss the challenges you might face when architecting a password synchronization solution.

Definition and Challenges
A password synchronization solution ensures that a user's passwords that are stored in different repositories are kept synchronized. A single synchronized password is easier to remember than multiple passwords, and users are far less prone to having problems and calling the Help desk. Users also tend to write down their single synchronized passwords less often.

Password synchronization solutions come in two flavors: one-way and bidirectional. Table 1 lists four Microsoft password synchronization solutions and their characteristics (including one-way or bidirectional). (For more information about these solutions, see the Learning Path.) One-way password synchronization solutions push password changes from a central "master" repository to a set of connected repositories—these solutions are also referred to as "password push" solutions. In bidirectional password synchronization solutions, password changes can occur in any of the connected repositories. Even though both solutions sound like simple copy operations, they pose a few interesting challenges.

One challenge arises from the fact that passwords are stored in a secure format. For example, in AD, passwords are always stored in a hashed format. Hash functions are one-way cryptographic ciphers: You can't derive the original password from a password hash. As a result, accessing a user's plaintext password under normal AD operations is impossible. Plaintext passwords are available only when the password is set (i.e., when the associated user account is created), reset by an administrator, or changed by the user. This also means that passwords can—unlike other user attributes— be synchronized only when a password set, reset, or change event occurs. Also, unless users communicate with the password synchronization solution only when they set or change their password, password synchronization solutions require special software logic that can intercept plaintext passwords when users set or change their password on an AD domain controller (DC) or a Novell NetWare directory server.

Another challenge is password complexity rules. Different repositories typically have different rules regarding password complexity. When you set up password synchronization between repositories, you must define the least common denominator set of password complexity rules for each of the connected repositories. If you don't align the password complexity rules, synchronization will fail. For security experts, this alignment of the password complexity rules is a valid reason to argue against the security of password synchronization solutions. Moreover, security experts typically aren't fond of password synchronization solutions because they think that synchronizing password credentials between the databases of different authentication authorities is dangerous. Their objections are based on the "key to the kingdom" argument: If you know a user's password, you can access other resources that are secured with the same password (as long as you know the correct user account on the target system). However, this problem shouldn't be overemphasized. Even with password synchronization, a significant barrier still exists for a malicious person to access information that's secured using a user ID/password-based authentication scheme. The user must know the single synchronized password and the correct user ID on the target system. Nevertheless, when you implement password synchronization you need to educate your users about their single synchronized password's crucial role. In addition, you must constantly remind users of the dangers of social engineering and of sharing their password with others.

Finally, bidirectional password synchronization solutions require a synchronization loop detection mechanism. Without loop detection, password synchronization would go on forever between the different repositories. This problem doesn't occur with one-way password synchronization solutions.

Using ILM or IIFP
Microsoft Identity Lifecycle Manager (ILM, formerly known as Microsoft Identity Integration Server—MIIS) is Microsoft's provisioning or identity lifecycle management software. Besides directory synchronization, account provisioning, and deprovisioning services, ILM can also provide password synchronization and management services. ILM can provide these services between a wide range of connected repositories, including AD, Active Directory Application Mode (ADAM), Exchange 2000 Server or Exchange Server 2003, and Windows NT 4.0, as well as Lotus Notes, Sun ONE Directory Server, and Novell eDirectory. The latest ILM version is ILM 2007. For more information about ILM, go to the Microsoft Identity Lifecycle Manager 2007 Web site at http://www.microsoft.com/windowsserver/ilm2007/default.mspx

Microsoft's Identity Integration Feature Pack (IIFP) can provide identity directory synchronization, account provisioning and deprovisioning, and password synchronization services—but only between AD, ADAM, and Exchange 2000 or Exchange 2003 instances. You can download this free software package from http://www.microsoft.com/downloads/details.aspx?familyid=d9143610-c04d-41c4b7ea-6f56819769d5&displaylang=en