Summary
Gartner clients asking about "password management" may have in mind one of four topics covered by
Gartner research. Security and risk management leaders responsible for IAM can use this report to
identify the research pertinent to their needs.
Analysis
Despite their significant weaknesses, passwords continue to be employed in a wide variety of use cases.
Good password management can address at least some of these weaknesses or mitigate some of the
consequent risks. Gartner research covers four distinct topics that fall under the password management
banner:
Policy, standards and guidelines that set out obligations and responsibilities for end-user
password usage and administration.
Password management tools (whether stand-alone or a function of identity administration
products) that provide self-service password reset and/or password synchronization across
multiple target systems.
Privileged access management (PAM) processes and tools that manage the use (which can
involve password disclosure) of shared administrator accounts and other privileged accounts,
such as those used in "firecall" or "break-glass" scenarios.
Personal password managers that alleviate the cognitive burden on users of having to
remember long, complex or unique passwords for each of the countless web applications they
interact with by recording them in a secure, yet easily accessible, manner.
What do security and risk management leaders responsible for identity and access management ("IAM
leaders") need to know about these four topics? This report summarizes the primary issues and
pertinent Gartner research.
Figure 1. Four Kinds of Password Management
Research Highlights
Password Policy, Standards and Guidelines
Legacy passwords are vulnerable to a wide variety of attacks and provide the weakest authentication
method in common use. Efforts to strengthen passwords through policy can mitigate some kinds of
attacks but often degrade user experience (UX). Because regulatory requirements for passwords are
varied and inconsistent, devising a policy that satisfies all compliance requirements can be infeasible.
Because of their weaknesses, passwords alone are not an appropriate authentication method for system
administrators and other higher-risk accounts. Higher-trust authentication methods or compensating
controls 1 should be used in all but minimum-risk use cases (see "Best Practices for Selecting New
User Authentication Methods").
Because password confidentiality is a strict requirement, users must never disclose their passwords.
However, some technical support practices may need to change to respect nondisclosure. Passwords
should be long and complex (or just very long), but not so long or so complex that users are driven
to behaviors that ultimately reduce security (for instance, the well-known problem of users writing
down their passwords on sticky notes affixed to their PCs or "hidden" under items on their desks).
Password reset procedures must mitigate social engineering and other attacks against administrators.
As with any other kind of policy, leaders must clearly communicate the password policy to all users,
enumerate exceptions (which should be few), explain why they're implementing it (include the benefits
to the users), and enforce the policy consistently.
The following research is pertinent:
"Best Practices for Managing Passwords: End-User Policies Must Balance Risk, Compliance and Usability Needs; Update"
By Ant Allan
A password policy that stresses password strength and other regulatory requirements may tax users and
drive behavior that actually reduces security. Follow Gartner's best practices to balance risk and
compliance needs against ease of use.
"Toolkit: Basic Password Policy, Update"
By Ant Allan
Despite their weaknesses, passwords continue to be used extensively for workforce user authentication.
Information security and IAM leaders should establish a basic password policy to reduce the risks of
password use.
Privileged Access Management
Privileged access management (PAM) technologies help organizations provide secured privileged
access to critical assets and meet compliance requirements by securing, managing and monitoring
privileged accounts and access. PAM tools offer features that allow users to:
Control access to privileged accounts, including shared and "firecall" (emergency access)
accounts.
Automatically randomize, manage and vault passwords and other credentials for administrative,
service and application accounts.
Provide SSO for privileged access, so credentials are not revealed.
Delegate, control and filter privileged operations that an administrator can execute.
Eliminate hard-coded passwords in accounts used by nonhuman users, such as services or
applications (whether of an administrative nature or not), by making the credentials available on
demand.
Integrate with high-trust authentication products to ensure required levels of trust and
accountability.
Audit, record and monitor privileged access, commands and actions.
The tools apply to privileged access spanning a wide range of systems and infrastructure: OSs,
databases, middleware and applications, network devices, hypervisors, and cloud services (that is,
infrastructure as a service [IaaS], platform as a service [PaaS] and SaaS). Although the major focus is
on managing privileged access, PAM tools are also used by some organizations to manage shared
access to nonadministrative shared accounts, such as an organization's official social media accounts.
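The check-out, vaulting and rotation features listed above, shown as an added illustration that is not part of the Gartner report or any vendor's product. The Vault class, account names and ticket identifiers are constructed for the example; a real PAM tool would also enforce high-trust authentication on the requester and record sessions, which this sketch omits.

```python
import secrets
import string
from datetime import datetime, timezone

# Constructed illustration of the PAM check-out pattern: a shared administrator
# account's password is vaulted, released only to an approved requester who
# states a reason, and randomized again on check-in so the value that was
# disclosed stops working; every step is written to an audit trail.

def random_password(length=24):
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

class Vault:
    def __init__(self):
        self.passwords = {}    # account -> current vaulted password
        self.approved = {}     # account -> users allowed to check it out
        self.checked_out = {}  # account -> user currently holding it
        self.audit = []        # append-only event trail

    def _log(self, event, account, user, reason=""):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                           "account": account, "user": user, "reason": reason})

    def onboard(self, account, approved_users):
        # Randomize at onboarding so no person ever knows the stored value.
        self.passwords[account] = random_password()
        self.approved[account] = set(approved_users)
        self._log("onboard", account, "system")

    def checkout(self, account, user, reason):
        if user not in self.approved.get(account, ()):
            self._log("denied", account, user, reason)
            raise PermissionError(f"{user} is not approved for {account}")
        if not reason:
            raise ValueError("a ticket number or justification is required")
        holder = self.checked_out.get(account)
        if holder and holder != user:
            raise RuntimeError(f"{account} is checked out by {holder}")
        self.checked_out[account] = user
        self._log("checkout", account, user, reason)
        return self.passwords[account]

    def checkin(self, account, user):
        if self.checked_out.get(account) != user:
            raise RuntimeError(f"{user} does not hold {account}")
        del self.checked_out[account]
        self.passwords[account] = random_password()  # rotate: disclosed value is now dead
        self._log("checkin_rotate", account, user)
```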
The following research is pertinent:
"Market Guide for Privileged Access Management"
By Felix Gaehtgens and Anmol Singh
Privileged access is a major focus for security and I&O leaders looking to prevent and detect breaches,
maintain individual accountability, and increase operational efficiency. Products are consolidating
around two major patterns: managing privileged passwords and delegating privileged actions.
"Twelve Best Practices for Privileged Access Management"
By Anmol Singh and Felix Gaehtgens
Organizations need to balance significant security risks associated with privileged access against
requirements for operational efficiencies. IT operations and security leaders should use this research to
learn about best practices for effective and risk-aware privileged access management.
"Manage Service Accounts to Mitigate Security and Operational Risks"
By Felix Gaehtgens
Service accounts abound in every organization, and failing to manage them properly creates significant
security and operational risk. Security and risk management leaders should adopt the best practices,
methods and tools set out in this research to effectively mitigate those risks.
"How to Secure Remote Privileged Access for Third-Party Technicians"
By Felix Gaehtgens and John Girard
Most organizations granting remote privileged application or operating-system-level access to third-party
users leave gaps that introduce significant security risks. Identity and access management and
security leaders should follow these best practices to mitigate the risks.
the robustness, granular control, monitoring and reporting offered by a PAM tool discussed
above, and Gartner does not recommend it.
Controlling access to shared social networking accounts used for marketing purposes. However,
using a social marketing management product (see "Market Guide for Social Marketing
Management") can provide more robust workflow and approval capabilities.
Avoiding a personal account breach (that is, of personal email, banking and social media accounts)
by any member of the executive leadership team, which is a clear risk to the organization, by
providing (and supporting) a more robust way to store their passwords.
Offering the tool as a benefit of employment to help increase users' personal security posture
(similar to endpoint protection software being offered for employees on their personal devices
as part of the organization's enterprise license agreement with that vendor).
IAM leaders should review the relevant use cases for such tools and evaluate their potential inclusion as
part of a broader SSO initiative (see the latest version of Gartner's single sign-on best practices
document in the Gartner Recommended Reading section below). They should also publish a schedule
of approved endpoint software (if any) in their password management policy. Use of such software may
be restricted by a "locked desktop configuration" policy.
A particularly important policy element that determines whether these tools are suitable for
corporate use is the enforcement of higher-trust authentication methods for access to the vault. Additionally,
organizations should be able to enforce minimum-strength construction rules for the master password
that are at least as strong as the rules for any target system password.
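An added example, not from the Gartner report, that models the "long and complex, or just very long" policy shape described under Password Policy above and the master-password requirement just stated: each policy is a set of alternative construction rules, and strength is compared by the brute-force search space of the weakest password a policy still accepts. The policy names and numbers are constructed for illustration, and the floor ignores dictionary and reuse attacks, so it is a lower bound on construction strength only.

```python
import math
import string

# Character classes; a rule's weakest accepted password draws from the
# smallest classes it is still allowed to use.
CLASSES = {"digit": string.digits, "lower": string.ascii_lowercase,
           "upper": string.ascii_uppercase, "symbol": string.punctuation}

class Rule:
    """At least min_length characters drawn from at least min_classes classes."""
    def __init__(self, min_length, min_classes=1):
        self.min_length, self.min_classes = min_length, min_classes

    def accepts(self, password):
        used = sum(1 for chars in CLASSES.values() if any(c in chars for c in password))
        return len(password) >= self.min_length and used >= self.min_classes

    def floor_bits(self):
        # log2 of the brute-force search space of the weakest password the rule
        # accepts: the shortest length over the union of the smallest allowed classes.
        sizes = sorted(len(chars) for chars in CLASSES.values())
        return self.min_length * math.log2(sum(sizes[: self.min_classes]))

class Policy:
    """'Long and complex, or just very long': a password passes if any rule accepts it."""
    def __init__(self, *rules):
        self.rules = rules

    def accepts(self, password):
        return any(r.accepts(password) for r in self.rules)

    def floor_bits(self):
        # The policy is only as strong as its most permissive alternative.
        return min(r.floor_bits() for r in self.rules)

    def at_least_as_strong_as(self, other):
        return self.floor_bits() >= other.floor_bits()

# Constructed policies for the example; none of these numbers come from the report.
MASTER = Policy(Rule(16, 3), Rule(24))          # password manager master password
TARGETS = {"erp": Policy(Rule(8, 3)),
           "workforce": Policy(Rule(12, 3), Rule(20)),
           "hsm_console": Policy(Rule(28))}

def targets_stronger_than_master(master, targets):
    """Names of target systems whose policy floor exceeds the master password's."""
    return sorted(name for name, pol in targets.items()
                  if not master.at_least_as_strong_as(pol))
```

With the constructed numbers, the 24-digit password that MASTER's length-only rule still accepts (about 80 bits) is weaker than the 28-digit floor of hsm_console, so that target is reported and the master rule would need tightening before the manager may hold its credential.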
Evidence
1 Gartner sees increasing client and broader market interest in contextual/analytic and adaptive
approaches. These exploit analytics of identity-relevant contextual data to gain higher trust in a claimed
identity without the need for additional active authentication steps. If risk is evaluated as high at the
time of access, exceeding the established level of trust, access can be blocked or a conventional, active
method can be invoked to elevate trust. Depending on the use case, network access control or other
monitoring tools can also be used to detect and respond to suspected malicious activity by blocking
access.
© 2017 Gartner, Inc. and/or its affiliates. All rights reserved.