Академический Документы
Профессиональный Документы
Культура Документы
December 2010
Introduction
Every information security executive understands the problems of password fatigue and
password inflation on end users and network administrators. The irony is that so few security
managers choose to implement the most effective antidote: enterprise single sign-on (ESSO).
Most organizations have adopted other best practices for password management, from
password composition rules and password update policies to authentication of users who
request a password reset. Although procedures such as these can go a long way toward
thwarting hackers by strengthening and protecting the passwords themselves, they do not
combat the broader problem of password overload, that is, the user frustration, productivity
losses, security risks, and administrative overhead stemming from the need for users to
remember a different password for the applications required to perform their jobs.
• Store user credentials for every application in a secure, central repository for easier
management and recoverability
ESSO meets these needs better than any other technology on the market. It has been proven
for more than a decade in many of the world’s most respected organizations, from major
banks, hospitals, and businesses to the U.S. Postal Service.
This white paper outlines the business justification for ESSO deployments, the misconceptions
that have discouraged security managers from adopting the technology, and how to determine
whether your organization is an ESSO candidate.
1
Enterprise Single Sign-On: The Missing Link in Password Management
2
Enterprise Single Sign-On: The Missing Link in Password Management
remember formulas or keep a written record of their complex passwords as a memory aid. The simple
passwords are easy to hack, and the password lists are easy to steal. Either way, security is
compromised.
In ESSO environments, these issues and security risks disappear—and password quality rules can be
easily enforced—because users no longer have to carry out password protection schemes.
ESSO solutions provide the following security benefits:
• No user involvement. Unique, complex alphanumeric passwords of any length, case, or format can
be created and used for every application, database, or account logon because there is no need for
users to remember and input them. The ESSO system responds to each logon prompt without user
intervention.
• Automatic updates. The ESSO system automatically generates new passwords when the old ones
expire, ensuring that passwords change at prescribed intervals as well as adhere to whatever policies
the administrator specifies during system setup.
• Harder to hack. The random passwords that the ESSO system generates are far more secure than
user-created versions that rely on familiar words or patterns. These computer-generated passwords
cannot be easily cracked by any technology available today.
• No written lists. Each password is securely stored and encrypted in the ESSO database as well as
unknown to the employee after the initial set of user-selected passwords has expired, so there is no
user-maintained record that can be stolen.
• Safer network logon. Because users are required to remember only a single network password to
log on to the network, they are more likely to create a strong password for that one purpose.
Memorizing one complex passphrase is doable; memorizing many is not.
When deployed, ESSO becomes a core part of the information security framework and a vital adjunct
to the overall enterprise security infrastructure.
3
Enterprise Single Sign-On: The Missing Link in Password Management
of ESSO technology; however, it is playing an increasingly important role in driving ESSO adoption
and enabling enterprises to achieve all the ESSO benefits.
Enterprise Single Sign-On Does Not Offer Hackers the ”Keys to the Kingdom”
Although it is true that a single network logon password unlocks the ESSO system to enable
automated entry of individual application passwords, the barriers to hacking the logon password and
gaining access to the user’s applications are formidable.
First, as discussed earlier, users who need to remember only one password are far more likely to adhere
to strong password policies that block dictionary attacks and increase the difficulty of cracking the code
exponentially. Increasing password length by just one character can add years to the decoding effort.
Second, after cracking the network logon password, the hacker would need access to a workstation
with the ESSO software (or the software itself plus the ability to configure it with the organization’s
directory) to open the door to each application.
Organizations concerned about these highly unlikely scenarios can add an additional layer of protection
by asking for an additional passphrase (such as mother’s maiden name) or by adding strong
authentication such as smartcards, tokens, proximity badges, or biometrics.
But think about this: in all the years of ESSO deployments, there have been no reports of a “keys to
the kingdom” attack. The risk is more theoretical than real.
4
Enterprise Single Sign-On: The Missing Link in Password Management
5
Enterprise Single Sign-On: The Missing Link in Copyright © 2007, 2010, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and
Password Management the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other
December 2010 warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are
Oracle Corporation formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any
World Headquarters means, electronic or mechanical, for any purpose, without our prior written permission.
500 Oracle Parkway
Redwood Shores, CA 94065 Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
U.S.A.
AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices.
Worldwide Inquiries:
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license
Phone: +1.650.506.7000
and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open
Fax: +1.650.506.7200
Company, Ltd. 0410
oracle.com