Password Management

There are several forms of software used to help users or organizations better manage passwords:

* Intended for use by a single user:
** Password manager software is used by individuals to organize and encrypt many personal passwords using a single login. This often involves the use of an encryption key as well. Password managers are also referred to as password wallets.
* Intended for use by multiple users/groups of users:
** Password synchronization software is used by organizations to arrange for different passwords, on different systems, to have the same value when they belong to the same person.
** Self-service password reset software enables users who forgot their password or triggered an intruder lockout to authenticate using another mechanism and resolve their own problem, without calling an IT help desk.
** Enterprise single sign-on software monitors applications launched by a user and automatically populates login IDs and passwords.
** Web single sign-on software intercepts user access to web applications and either inserts authentication information into the HTTP(S) stream or redirects the user to a separate page, where the user is authenticated and directed back to the original URL.
** Privileged password management (used to secure access to shared, privileged accounts).


Privileged password management

Privileged password management is a type of password management used to secure the passwords for login IDs that have elevated security privileges. This is most often done by periodically changing every such password to a new, random value. Since users and automated software processes need these passwords to function, privileged password management systems must also store these passwords and provide various mechanisms to disclose these passwords in a secure and appropriate manner. Privileged password management is related to privileged identity management.


Examples of privileged passwords

There are three main types of privileged passwords. They are used to authenticate:


Local administrator accounts

On Unix and Linux systems, the root user is a privileged login account. On Windows, the equivalent is Administrator. On SQL databases, the equivalent is sa. In general, most operating systems, databases, applications and network devices include an administrative login, used to install software, configure the system, manage users, apply patches, etc. On some systems, different privileged functions are assigned to different users, which means that there are more privileged login accounts, but each of them is less powerful.


Service accounts

On the Windows operating system, service programs execute in the context of either system (very privileged but has no password) or of a user account. When services run as a non-system user, the service control manager must provide a login ID and password to run the service program, so service accounts have passwords. On Unix and Linux systems, init and inetd can launch service programs as non-privileged users without knowing their passwords, so services do not normally have passwords.


Connections by one application to another

Often, one application needs to be able to connect to another, to access a service. A common example of this pattern is when a web application must log into a database to retrieve some information. These inter-application connections normally require a login ID and password and this password.


Securing privileged passwords

A privileged password management system secures privileged passwords by:

* Periodically changing each password to a new random value.
* Storing these values.
* Protecting the stored values (e.g., using encryption and replicated storage).
* Providing mechanisms to disclose these passwords to various types of participants in the system:
** IT administrators.
** Programs that launch services (e.g., service control manager on Windows).
** Applications that must connect to other applications.


Required infrastructure

A privileged password management system requires extensive infrastructure:

* A mechanism to schedule password changes.
* Connectors to various kinds of systems.
* Mechanism to update various participants with new password values.
* Extensive auditing.
* Encrypted storage.
* Authentication for parties that wish to retrieve password values.
* Access controls and authorization to decide whether password disclosure is appropriate.
* Replicated storage to ensure that hardware failure or a site disaster does not lead to loss of data.
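The following sketch is an added example, not code from the original article or from any product: it models how scheduled rotation, access-controlled disclosure and auditing fit together. The class name, account names and principals are hypothetical, callers are assumed to be already authenticated, and the in-memory dictionary stands in for the encrypted, replicated storage and target-system connectors a real deployment needs.

```python
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits + "-_.~"


class PrivilegedPasswordStore:
    """In-memory model (hypothetical); real systems use encrypted, replicated storage."""

    def __init__(self, max_age_seconds, clock=time.time):
        self.max_age = max_age_seconds
        self.clock = clock
        self.entries = {}  # account -> (password, time of last change)
        self.acl = {}      # account -> principals allowed to retrieve it
        self.audit = []    # (timestamp, principal, account, event); never the password

    def enroll(self, account, allowed):
        self.acl[account] = set(allowed)
        self.rotate(account, "scheduler")

    def rotate(self, account, principal):
        # New random value from the OS CSPRNG; a connector would push it to the target.
        value = "".join(secrets.choice(ALPHABET) for _ in range(24))
        self.entries[account] = (value, self.clock())
        self._log(principal, account, "rotated")
        return value

    def rotate_due(self):
        """Scheduled job: change every password that has reached max_age."""
        now = self.clock()
        due = [a for a, (_, changed) in self.entries.items()
               if now - changed >= self.max_age]
        for account in due:
            self.rotate(account, "scheduler")
        return due

    def disclose(self, principal, account):
        """Return the current password to an authorized principal; log either outcome."""
        if principal not in self.acl.get(account, ()):
            self._log(principal, account, "denied")
            raise PermissionError(f"{principal} may not retrieve {account}")
        self._log(principal, account, "disclosed")
        return self.entries[account][0]

    def _log(self, principal, account, event):
        self.audit.append((self.clock(), principal, account, event))
```

Denied requests are logged as well as granted ones, so the audit trail shows attempted access to accounts a principal is not entitled to.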


See also

* Password manager
* List of password managers
* Password fatigue
* Security token
* Smart card