Random Password Manager

Dave Kearns points to a product called Random Password Manager that can create random passwords for administrative accounts. It seems to be similar to the Secret Server product I blogged about here.

Dave talks about the use case of having the password management system give an IT administrator a clear-text version of the password, which then gets automatically reset to a new, unknown value. This is a crude approximation of an OTP (one-time password).

While this is a great idea, it is limited by the password management product’s ability to set the password directly on each specific system. For systems that use AD (or other LDAP) authentication this isn’t difficult. But for systems such as RACF, SAP, Siebel, etc., it’s very difficult for a vendor to maintain all the connectors.

If this kind of functionality gets popular, I would expect these companies to start to set up partnerships with the IdM companies that maintain connectors to all of these systems. Many of the IdM systems have SPML interfaces for invoking password changes on the managed systems.

Another aspect to this would be to integrate one of the Enterprise SSO products, such as Passlogix vGo, into the mix. The admin password could be set in the Enterprise SSO repository and replayed for the user without the user ever even seeing it.

Nishant Kaushik of Oracle has some thoughts about this here.

[Full Disclosure: I am a SW Architect for the BMC Identity Management suite which does password management, although it does not support the kinds of functionality in these products. BMC currently has no partnership with Lieberman Software or Thycotic Software. BMC does have a reselling agreement with Passlogix]

(Mirrored from TalkBMC)


3 responses to “Random Password Manager”

  1. We ARE trying to set up a relationship with BMC to support Magic, Patrol, etc, but no one is returning our emails or requests to join up.

    Thanks,

    Philip Lieberman
    President
    Lieberman Software Corporation

  2. The idea of being able to audit access to a shared account is a good one — but the authentication is still single factor. If I understand this solution correctly, the risk of password exposure (e.g. via social engineering, sticky notes, etc.) is still there.

    If preventing unauthorized access is the goal, SysAdmin type accounts (shared or not) should ultimately be protected by strong authentication, no?

    Mike

  3. The idea of the Lieberman Software password randomization solution (http://www.liebsoft.com/index.cfm/products?id=270) is to make each system’s root/administrator password different and good only for a limited amount of time. So, this solves the problem of a single compromise of a system leading to a total failure of security.

    Yes, I agree that multifactor authentication is a useful security improvement when dealing with global directory systems maintaining accounts such as Active Directory or LDAP to assure that a shared secret is not the only criterion for access.

    Of course, the extent of appropriate security is also related to the physical security of the installation as well as the value of the assets being protected.

    I forgot to mention that the password randomization is not for the normal user accounts, but for the backdoor local administrator accounts that should normally never be used except in an emergency or for special administrative tasks.

    Yes, sticky notes are not good.
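The check-out-then-reset use case described in the post, and the per-system, time-limited administrator passwords the commenter above describes, come down to the same small state machine: a vault randomizes each target's admin password, releases the clear-text value to one requester at a time, and resets the account as soon as the check-out is returned or its lifetime lapses. The following is an added illustration written for this page, not code from Lieberman Software, Thycotic, BMC or any product mentioned here. The `Connector` class, the host names `web01`/`db01`, the requesters and the `FakeClock` are all constructed for the example; the connector is a stub that records the value it was given rather than talking to AD, RACF or SAP, which is exactly the per-system piece the post says vendors struggle to maintain.

```python
"""Added example: a minimal privileged-password vault with check-out and
automatic reset. Simulation only; Connector stands in for a real per-system
connector (AD/LDAP, RACF, SAP, ...) and never touches a live system."""
import secrets
import string
import time
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length: int = 24) -> str:
    """Random password drawn from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Connector:
    """Hypothetical per-system hook: 'set this account's password on this host'.
    A real product needs one implementation per target type; this stub only
    records the value so the demo can check what the target would now hold."""

    def __init__(self, host: str):
        self.host = host
        self.current = None  # password the (simulated) target system currently has

    def set_password(self, account: str, new_password: str) -> bool:
        self.current = new_password  # a real connector would call LDAP/RACF/SAP here
        return True


@dataclass
class Checkout:
    requester: str
    issued_at: float
    expires_at: float


class PasswordVault:
    def __init__(self, ttl_seconds: float = 900, clock=time.time):
        self.connectors: dict[str, Connector] = {}
        self.store: dict[tuple[str, str], str] = {}   # (host, account) -> password
        self.active: dict[tuple[str, str], Checkout] = {}
        self.audit: list[tuple] = []                  # every release and reset is logged
        self.ttl = ttl_seconds
        self.clock = clock

    def enroll(self, connector: Connector, account: str = "Administrator") -> None:
        """Register a target and immediately randomize its admin password, so
        every enrolled host ends up with a different value nobody has seen."""
        self.connectors[connector.host] = connector
        self._rotate(connector.host, account, reason="enroll")

    def _rotate(self, host: str, account: str, reason: str) -> None:
        new_pw = generate_password()
        if not self.connectors[host].set_password(account, new_pw):
            raise RuntimeError(f"connector for {host} failed to set password")
        self.store[(host, account)] = new_pw      # stored only after the target accepted it
        self.audit.append(("rotate", host, account, reason, self.clock()))

    def checkout(self, host: str, account: str, requester: str) -> str:
        """Release the clear-text password to a single requester at a time."""
        key = (host, account)
        if key in self.active:
            raise PermissionError(f"{account}@{host} already held by {self.active[key].requester}")
        now = self.clock()
        self.active[key] = Checkout(requester, now, now + self.ttl)
        self.audit.append(("checkout", host, account, requester, now))
        return self.store[key]

    def checkin(self, host: str, account: str) -> None:
        """Returning the account resets it: the value the admin saw is now dead."""
        self.active.pop((host, account))
        self._rotate(host, account, reason="checkin")

    def expire_overdue(self) -> int:
        """Reset any check-out whose lifetime has lapsed; meant to run periodically."""
        now = self.clock()
        expired = [k for k, c in self.active.items() if now >= c.expires_at]
        for host, account in expired:
            del self.active[(host, account)]
            self._rotate(host, account, reason="ttl-expired")
        return len(expired)


class FakeClock:
    """Controllable clock so the demo can age a check-out without sleeping."""
    def __init__(self, start: float = 1_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Walk through enroll -> checkout -> checkin and the TTL path on two hosts."""
    clock = FakeClock()
    vault = PasswordVault(ttl_seconds=600, clock=clock)
    web, db = Connector("web01"), Connector("db01")      # constructed targets
    vault.enroll(web)
    vault.enroll(db)
    seen = vault.checkout("web01", "Administrator", "alice")
    result = {"distinct_per_host": web.current != db.current,
              "checkout_matches_target": seen == web.current}
    vault.checkin("web01", "Administrator")
    result["dead_after_checkin"] = seen != web.current
    seen2 = vault.checkout("db01", "Administrator", "bob")
    try:
        vault.checkout("db01", "Administrator", "carol")
        result["double_checkout_blocked"] = False
    except PermissionError:
        result["double_checkout_blocked"] = True
    clock.now += 601                                     # let the lifetime lapse
    result["expired_count"] = vault.expire_overdue()
    result["dead_after_ttl"] = seen2 != db.current
    result["audit_entries"] = len(vault.audit)
    return result


if __name__ == "__main__":
    print(demo())
```

The two properties worth noticing are in `_rotate` and `expire_overdue`: the vault only records a new password after the connector confirms the target accepted it (otherwise the vault and the system drift apart and the admin is locked out), and a check-out that is never returned still dies on its own once the TTL passes. The audit list gives the per-requester trail the second commenter is asking for; it does not, by itself, add a second authentication factor.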
