Four Kinds of Password Management

Published: 01 March 2017 ID: G00315602

Analyst(s): Neil Wynne, Ant Allan, Felix Gaehtgens

Summary
Gartner clients asking about "password management" may have in mind one of four topics covered by
Gartner research. Security and risk management leaders responsible for IAM can use this report to
identify the research pertinent to their needs.

Analysis
Despite their significant weaknesses, passwords continue to be employed in a wide variety of use cases.
Good password management can address at least some of these weaknesses or mitigate some of the
consequent risks. Gartner research covers four distinct topics that fall under the password management
banner:
Policy, standards and guidelines that set out obligations and responsibilities for end-user
password usage and administration.
Password management tools (whether stand-alone or a function of identity administration
products) that provide self-service password reset and/or password synchronization across
multiple target systems.
Privileged access management (PAM) processes and tools that manage the use (which can
involve password disclosure) of shared administrator accounts and other privileged accounts,
such as those used in "firecall" or "break-glass" scenarios.
Personal password managers that alleviate the cognitive burden on users of having to
remember long, complex or unique passwords for each of the countless web applications they
interact with by recording them in a secure, yet easily accessible, manner.
What do security and risk management leaders responsible for identity and access management ("IAM
leaders") need to know about these four topics? This report summarizes the primary issues and
pertinent Gartner research.

1
Figure 1. Four Kinds of Password Management

Source: Gartner (March 2017)

Research Highlights
Password Policy, Standards and Guidelines
Legacy passwords are vulnerable to a wide variety of attacks and provide the weakest authentication
method in common use. Efforts to strengthen passwords through policy can mitigate some kinds of
attacks but often degrade user experience (UX). Because regulatory requirements for passwords are
varied and inconsistent, devising a policy that satisfies all compliance requirements can be infeasible.
Because of their weaknesses, passwords alone are not an appropriate authentication method for system
administrators and other higher-risk accounts. Higher-trust authentication methods or compensating
controls 1 should be used in all but minimum-risk use cases (see "Best Practices for Selecting New
User Authentication Methods" ).
Because password confidentiality is a strict requirement, users must never disclose their passwords.
However, some technical support practices may need to change to respect nondisclosure. Passwords
should be long and complex or just very long but not so long or so complex that users are driven
to behaviors that ultimately reduce security (for instance, the well-known problem of users writing
down their passwords on sticky notes affixed to their PCs or "hidden" under items on their desks).
Password reset procedures must mitigate social engineering and other attacks against administrators.
As with any other kind of policy, leaders must clearly communicate the password policy to all users,
enumerate exceptions (which should be few), explain why they're implementing it (include the benefits

2
to the users), and enforce the policy consistently.
The following research is pertinent:
"Best Practices for Managing Passwords: End-User Policies Must Balance Risk, Compliance and
Usability Needs; Update"
By Ant Allan
A password policy that stresses password strength and other regulatory requirements may tax users and
drive behavior that actually reduces security. Follow Gartner's best practices to balance risk and
compliance needs against ease of use.
"Toolkit: Basic Password Policy, Update"
By Ant Allan
Despite their weaknesses, passwords continue to be used extensively for workforce user authentication.
Information security and IAM leaders should establish a basic password policy to reduce the risks of
password use.

Password Management Tools

Password management (PM) tools provide users with the means to reset their own accounts after a
lockout or when they forget their passwords. PM tools can also synchronize passwords for users across
multiple systems, allowing users to access many applications with the same password.
PM tools generally perform two primary functions:
Self-service password reset (SSPR): Allows users to reset their accounts using a range of
higher-trust authentication methods (such as phone-as-a-token methods) in addition to, or in
place of, knowledge-based methods (such as Q&A methods).
Password synchronization: Captures password changes initiated with the PM tool or from
other systems (like Windows) and synchronizes the new password with integrated systems.
Although a market for stand-alone password management tools exists (see the Market Guide for
password management tools in the Gartner Recommended Reading section below), it is important to
note that basic password management functionality is increasingly included as part of products in three
other markets:
Most identity governance and administration (IGA) products include SSPR and password
synchronization as part of the broader management of accounts on target systems (see "Magic
Quadrant for Identity Governance and Administration" ).
Many access management products (such as web access management [WAM] and identity and
access management as a service [IDaaS] products) include SSPR for a limited set of target
systems in addition to their centralized authentication, single sign-on (SSO) and coarse-grained
authorization capabilities (see "Identity and Access Management as a Service Takes Its Rightful
Place as a Delivery Model Rather Than a Stand-Alone Market" for clarification on Gartner's
access management research).
IT service desk offerings may include SSPR or offer it as an optional add-on because some
organizations view this as an extension of their service desk capabilities (see "Magic Quadrant
for IT Service Support Management Tools" ).

3
Privileged Access Management
Privileged access management (PAM) technologies help organizations provide secured privileged
access to critical assets and meet compliance requirements by securing, managing and monitoring
privileged accounts and access. PAM tools offer features that allow users to:
Control access to privileged accounts, including shared and "firecall" (emergency access)
accounts.
Automatically randomize, manage and vault passwords and other credentials for administrative,
service and application accounts.
Provide SSO for privileged access, so credentials are not revealed.
Delegate, control and filter privileged operations that an administrator can execute.
Eliminate hard-coded passwords in accounts used by nonhuman users, such as services or
applications whether of an administrative nature or not by making them available on
demand.
Integrate with high-trust authentication products to ensure required levels of trust and
accountability.
Audit, record and monitor privileged access, commands and actions.
The tools apply to privileged access spanning a wide range of systems and infrastructure OSs,
databases, middleware and applications, network devices, hypervisors, and cloud services (that is,
infrastructure as a service [IaaS], platform as a service [PaaS] and SaaS). Although the major focus is
on managing privileged access, PAM tools are also used by some organizations to manage shared
access to nonadministrative shared accounts, such as an organization's official social media accounts.
The following research is pertinent:
"Market Guide for Privileged Access Management"
By Felix Gaehtgens and Anmol Singh
Privileged access is a major focus for security and I&O leaders looking to prevent and detect breaches,
maintain individual accountability, and increase operational efficiency. Products are consolidating
around two major patterns: managing privileged passwords and delegating privileged actions.
"Twelve Best Practices for Privileged Access Management"
By Anmol Singh and Felix Gaehtgens
Organizations need to balance significant security risks associated with privileged access against
requirements for operational efficiencies. IT operations and security leaders should use this research to
learn about best practices for effective and risk-aware privileged access management.
"Manage Service Accounts to Mitigate Security and Operational Risks"
By Felix Gaehtgens
Service accounts abound in every organization, and failing to manage them properly creates significant
security and operational risk. Security and risk management leaders should adopt the best practices,
methods and tools set out in this research to effectively mitigate those risks.
"How to Secure Remote Privileged Access for Third-Party Technicians"

4
By Felix Gaehtgens and John Girard
Most organizations granting remote privileged application or operating-system-level access to third-
party users leave gaps that introduce significant security risks. Identity and access management and
security leaders should follow these best practices to mitigate the risks.

Personal Password Managers

In both their personal and professional lives, users struggle with the number of long, complex and
unique passwords for the countless web and mobile applications they interact with. Remembering
multiple passwords is a widely recognized problem, but users also flounder when faced with choosing a
new password that meets complex formation rules.
Personal password managers offer a means of alleviating this cognitive burden by recording these
passwords in a secure, yet easily accessible, manner. In essence, these tools encrypt an organized
collection of data with a "master password" and, for convenience, offer form-filling functions to
provide reduced sign-on by automatically entering user IDs and passwords when appropriate.
These tools are most commonly used for web application credentials, but they can also be used as a
"digital wallet" to store other sensitive information, such as credit card numbers, Social Security
numbers and PIN codes. This data can be stored locally on a single endpoint; however, most of these
offerings include the option for users to store their encrypted data in the cloud to facilitate
synchronization across different browsers and devices. Due to the particularly sensitive nature of the
data being handled, the security capabilities of personal password managers should be evaluated
thoroughly.
Most personal password managers are consumer-focused and lack capabilities, such as centralized
administration and policy management that would make them suitable for use by e5nterprises or
smaller organizations. They are therefore out of scope for Gartner research. However, there are six
notable exceptions from vendors that have expanded upon their consumer offerings to include these
capabilities in their enterprise editions:
Dashlane's Dashlane Business
Keeper Security's Keeper Business
LastPass' LastPass Enterprise
Siber Systems' RoboForm for Business
SplashData's SplashID Safe for Teams
Zoho's Zoho Vault Enterprise
Gartner has seen several use cases where organizations are considering these enterprise-focused
offerings, including:
Providing a better user experience for employee access to business applications by enabling
reduced sign-on via form-filling functions. This helps users enter user IDs and passwords or
SSO via federation, particularly for SaaS applications. Support for federation is still nascent
and, if included at all, has primarily focused on some of the most popular SaaS applications,
such as G Suite, Microsoft Office 365 and Salesforce.
Controlling access to privileged shared accounts among IT administrators. This approach lacks

5
 the robustness, granular control, monitoring and reporting offered by a PAM tool discussed
above, and Gartner does not recommend it.
Controlling access to shared social networking accounts used for marketing purposes. However,
using a social marketing management product (see "Market Guide for Social Marketing
Management" ) can provide more robust workflow and approval capabilities.
Avoiding a personal account breach (that is, personal email, banking and social media accounts)
by any member of the executive leadership team a clear risk to the organization by
providing (and supporting) a more robust way to store their passwords.
Offering the tool as a benefit of employment to help increase users' personal security posture
(similar to endpoint protection software being offered for employees on their personal devices
as part of the organization's enterprise license agreement with that vendor).
IAM leaders should review the relevant use cases for such tools, evaluate their potential inclusion as
part of a broader SSO initiative (see the latest version of Gartner's single sign-on best practices
document in the Gartner Recommended Reading section below). They should also publish a schedule
of approved endpoint software (if any) in their password management policy. Use of such software may
be restricted by a "locked desktop configuration" policy.
A particularly important element of policy management that denotes the suitability of these tools for
corporate use is the enforcement of higher-trust authentication methods for access. Additionally,
organizations should be able to enforce minimum-strength construction rules for the master password
that are at least as strong as for any target system password.

Evidence
1 Gartner sees increasing client and broader market interest in contextual/analytic and adaptive
approaches. These exploit analytics of identity-relevant contextual data to gain higher trust in a claimed
identity without the need for additional active authentication steps. If risk is evaluated as high at the
time of access, exceeding the established level of trust, access can be blocked or a conventional, active
method can be invoked to elevate trust. Depending on the use case, network access control or other
monitoring tools can also be used to detect and respond to suspected malicious activity by blocking
access.

2017 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its
affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If
you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on
gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner
disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for
errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research
organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without
notice. Gartner provides information technology research and advisory services to a wide range of technology consumers,
manufacturers and sellers, and may have client relationships with, and derive revenues from, companies discussed herein.
Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or
services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may
include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors
may include senior managers of these firms or funds. Gartner research is produced independently by its research
organization without input or influence from these firms, funds or their managers. For further information on the
independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity."