Password security vaults: Is SSO authentication better?

Password security vaults may be able to aid users in remembering many different passwords, but are they the most secure solutions? IAM expert Randall Gamby gives his recommendations on setting password technology policy.

I'm considering programs like 1Password, RoboForm or LastPass for our small business. What would you suggest that offers compatibility between PC and Mac programs; secures sensitive information; and, if possible, provides for multiple users, allowing certain people access to specific passwords and information? And can these programs be used on multiple computers, networked or not?

I have to say, I'm not a big fan of password security vaults. I understand the need for an easy way to help your users create and maintain their authentication information for many systems, but these tools are really just a Band-Aid for bad processes and non-integrated systems with local authentication. Password vaults are used to ease the burden of strict password policies that require passwords that are so complex users can't remember them or have to write them down. The vaults are also used to fix the problem of too many passwords due to business applications each storing their own credentials.

Before implementing a password vault, I suggest reviewing your organizational policies. If they're too cumbersome due to short expiries or long password lengths, then they cause more of a security risk than easing up on the reins. If it's the latter case, namely applications not being integrated, then I'd look for a single sign-on (SSO) product rather than a password vault. SSO allows the user to provide a single password to access multiple systems without having to make a lot of infrastructure changes.

In the grand scheme of identity management, SSO implementations are less risky and easier on users than maintaining a password vault and asking users to maintain multiple passwords. Also, there is not much of a cost difference between the two, as both require integration, maintenance and administration support. However, if you still want to pursue the password vault route, I think you've already found some of the better products out there for a small business, and I would probably look at LastPass, then RoboForm, but would need more information to lock in a selection.

The questions that still need to be answered are: To what end systems and operating systems are your users going? How many passwords are users storing? Who are the "certain people" you mentioned in your question? And what's your budget? Whatever you do, keep in mind that as you move toward a more integrated authentication infrastructure, password vaults are only a step along the way and shouldn't be considered a long-term solution.

