In-Depth

What's the Password?

Tired of resetting passwords? These four self-service solutions allow users to do it for themselves.

We all use login IDs and passwords, and at one time or another we forget them. Sometimes we don't realize we've forgotten one until we've already locked ourselves out of the account. So what's the process for getting passwords reset and accounts unlocked in your organization? For the typical user, it means calling the help desk and making a formal request. That isn't necessarily a bad thing, but it hits the bottom line in two ways: productivity and security.

First, locked-out users are unproductive until their accounts are restored, which can mean waiting on the phone for 20 minutes or longer. A help desk that spends most of its time resetting passwords and unlocking accounts isn't productive either. By handing routine password management back to the users themselves, most help desks can reduce their call volume.

Second, when users know that getting a password reset or synchronized is a hassle, they may pick simple passwords they're unlikely to forget, or reuse the same password across multiple accounts. Another common problem is the password written on a sticky note and hidden under the keyboard or mouse pad, kept there so the user never has to call the help desk. At worst, users borrow someone else's ID and log in with it.

Some administrators cringe at the thought of users managing their own accounts. If that describes you, read on. This article evaluates four products that may make self-service password reset less worrying.

Most self-service password software works on the same premise. Users log onto a kiosk machine and use a Web interface to unlock their accounts. The kiosk itself logs on with a shared account whose user name and password are easy to remember, and the machine is locked down so that only the Web application used to manage accounts can launch; that shared account needs no rights beyond running the browser, because the real authentication happens inside the application. From there, users can restore locked-out accounts and change the passwords for any of their assigned accounts. Afterward, the Web page displays a report showing the status of each request.

When accessing the Web page, users enter their account name and domain name (or other requested identification). Users must then be authenticated to prove that the account they're trying to manage is really theirs. Three authentication methods are typical:

 Password authentication

 Third-party authentication

 Challenge/response authentication

Password authentication uses a separate password for logging into the self-service software. This password can be the same as one of the user's other passwords. The drawback is obvious: it leaves open the possibility of the user forgetting that password as well.

Third-party authentication means a product other than the password software intercepts the user's request and authenticates it, then passes the result to the self-service software, which doesn't authenticate the user again.

I recommend challenge/response authentication. It provides better security than a second password and keeps users from calling the help desk because they forgot their self-service password. Challenge/response works by asking the user a random subset of questions that were configured in advance, so not all of the questions are used every time; answering the presented questions correctly logs the user in. Treat the answers as secrets: a question whose answer a co-worker or a public record could supply weakens the scheme, so choose questions carefully, require more than one correct answer per attempt, and log and limit failed attempts.

Before users can begin using self-service password software, they must be enrolled. Enrollment is the process of recording the information the software will use to verify a user's identity before it lets that user manage passwords. You can enroll users manually or let users enroll themselves. Manual enrollment has an administrator enter each user's answers; with self-enrollment, users register themselves by answering a series of questions. All the products in this review support both.
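The following is an added example, written for this article rather than taken from any of the reviewed products, that shows the enrollment and challenge/response flow the last two paragraphs describe: answers are normalized and stored only as salted one-way hashes at enrollment, each login presents a random subset of the enrolled questions rather than all of them, a response is checked against the challenge the server actually issued (so a caller can't pick which questions to answer), and repeated failures lock the self-service profile so the user is routed back to the help desk. The question pool, the two-question challenge size, the five-attempt limit, the PBKDF2 choice and the sample answers are all assumptions constructed for the example; each product above makes its own choices (Password Station.NET, for instance, asks two questions and stores SHA-1 hashes).

```python
import hashlib
import hmac
import os
import secrets

# Constructed site-defined question pool (an assumption for this example, not any
# product's shipped list). User-defined questions work the same way: any question
# text can be enrolled alongside the site-defined ones.
SITE_QUESTIONS = [
    "What was the name of your first pet?",
    "In what city were you born?",
    "What is the name of your favorite author?",
    "What was the make of your first car?",
]

QUESTIONS_PER_CHALLENGE = 2   # random subset presented per login (assumed value)
MAX_FAILURES = 5              # lock the profile after this many bad attempts (assumed)
PBKDF2_ROUNDS = 50_000        # slows offline guessing of short, low-entropy answers


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive, so 'Rex' and ' rex ' both match."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, iterated one-way hash; the plaintext answer is never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


class SelfServiceProfile:
    """One enrolled user's question/answer profile."""

    def __init__(self) -> None:
        self.entries = {}       # question -> (salt, answer hash)
        self.pending = []       # questions issued by the last challenge()
        self.failures = 0

    def enroll(self, answers: dict) -> None:
        """Enrollment: record hashed answers (self-enrollment or an admin import)."""
        if len(answers) < QUESTIONS_PER_CHALLENGE:
            raise ValueError(f"enroll at least {QUESTIONS_PER_CHALLENGE} questions")
        for question, answer in answers.items():
            salt = os.urandom(16)
            self.entries[question] = (salt, hash_answer(answer, salt))

    def is_locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def challenge(self) -> list:
        """Pick a random subset of the enrolled questions; not all are used each time."""
        self.pending = secrets.SystemRandom().sample(list(self.entries),
                                                     QUESTIONS_PER_CHALLENGE)
        return list(self.pending)

    def verify(self, responses: dict) -> bool:
        """Check responses against the challenge this profile actually issued."""
        if self.is_locked() or not self.pending:
            return False        # locked (route to the help desk) or no open challenge
        ok = True
        for question in self.pending:
            salt, expected = self.entries[question]
            given = responses.get(question, "")     # a missing answer is a wrong answer
            # Constant-time compare, and keep checking every question so timing
            # doesn't reveal which one failed.
            if not hmac.compare_digest(hash_answer(given, salt), expected):
                ok = False
        self.pending = []       # one attempt per challenge; re-challenge to retry
        self.failures = 0 if ok else self.failures + 1
        return ok


if __name__ == "__main__":
    # Constructed enrollment data for a demo run.
    truth = {SITE_QUESTIONS[0]: "Rex",
             SITE_QUESTIONS[1]: "Houston",
             SITE_QUESTIONS[2]: "Le Guin"}
    profile = SelfServiceProfile()
    profile.enroll(truth)
    asked = profile.challenge()
    print("Asked:", asked)
    print("Correct attempt accepted:", profile.verify({q: truth[q] for q in asked}))
    asked = profile.challenge()
    print("Wrong attempt accepted:", profile.verify({q: "guess" for q in asked}))
```

In a real deployment the profile would live in the directory or the product's database rather than in memory, and the lockout counter would be accompanied by an audit log entry and an alert to the help desk, but the shape of the check is the same: the server chooses the questions, every presented question must be answered correctly, and the stored answers are useless to anyone who reads the database.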

There are several things to consider when evaluating self-service password software. Ease of use comes first: if users can't understand a product, they won't use it. The platforms the product supports are also important. If you only need to support Windows accounts, you have many options; if you also need to support PeopleSoft and Oracle, the list narrows. The solution you purchase must work with all of the required platforms, or you defeat the purpose of the software.

And, of course, you have to consider cost. If a product doesn't fit your budget, there's no point in considering it. Look at the installation process, too: if it takes a team of three months to get the product installed and working in your environment, that effort belongs in your cost calculation, and a product that's difficult to install will probably be difficult to support as well. Finally, if you've settled on one authentication method over another, evaluate that requirement too.

Reviewed Products

CONTROL-SA/PassPort
Pricing (including Enterprise Security Station) for 1,000 users managing five IDs each, $29,600.
BMC Software

713-918-2950
www.bmc.com

Password Station.NET
100 to 999 users, $15 per user; over 1,000 users, $12.50 per user.
Avatier Corp.
925-217-5170
www.avatier.com

ExMS Password Reset Manager
Starts at $7 per user; high-quantity discounts.
Discus Data Solutions
212-279-9090
www.discusdata.com

SecurPass-Reset
Starts at $15 per user; high-quantity discounts.
Proginet Corp.
516-248-2000
www.proginet.com

BMC Software’s CONTROL-SA/PassPort
PassPort runs as an extension of Enterprise SecurityStation (another BMC product) and uses the information stored in the Enterprise SecurityStation database. You must do a full install of Enterprise SecurityStation (ESS) v3.1.03 before you can install PassPort. BMC Software recommends you review the configuration options before installation, because many of them are difficult to change once the product is installed. To access PassPort via a Web browser, you must be running Microsoft Internet Explorer 5.5 or 6.0, or Netscape Navigator 4.7 or 6.2.

PassPort has the following hardware and software requirements:

 Windows NT 4.0 Server with Service Pack 6, Windows 2000 (any version) with SP2 or higher or Windows XP Professional. (Note that if you use Win2K or WinXP Professional, the number of people that can connect is limited to the number set in IIS.)

 500MHz CPU

 800x600 screen resolution

 256MB RAM

 25MB free space (in addition to the space required for the Enterprise SecurityStation Windows GUI)

 IIS versions 4.0, 5.0 or 5.1

PassPort manages a myriad of platforms, including SQL Server, Exchange 2000, Win2K Active Directory, NT 4.0, CA eTrust, Digital Unix, IBM mainframe, Novell eDirectory (NDS), OpenVMS, Oracle, PeopleSoft, Red Hat Linux 7.x, Sun ONE Directory Server (iPlanet) and Sybase.

PassPort supports password, challenge/response and third-party authentication. The PassPort password is stored encrypted in the ESS database, and the product supports both one-way (hashed, non-recoverable) and two-way (reversible) storage of it. Prefer one-way storage unless you have a specific need to recover the value, since a reversibly encrypted password is only as safe as the key that protects it.

PassPort supports both self-enrollment and manual enrollment. Challenge/response is configured during initial user enrollment. When users attempt to log onto PassPort, they’re randomly presented questions such as, “What is your pet’s name?” or “Who is your favorite author?”

There can be user-defined questions, as well as site-defined questions. User-defined questions are unique to each user, and site-defined questions are for everyone in the company. Users can add to, delete or modify their user-defined questions but not site-defined questions.

Depending on the accounts being managed, users may have to log off and back on after changing their passwords to avoid being locked out. NT users must do this because Windows caches the logon password for the current session. Users with multiple active sessions may also run into problems, since a session still holding the old password can trigger a lockout.

Figure 1. BMC's CONTROL-SA/PassPort provides an intuitive interface for users.

Using the basic features of PassPort was intuitive. For the advanced features, BMC provides great documentation. Many customization parameters listed in the manual allow the enabling or disabling of features. Because the user interface is HTML-based, it’s easy to make modifications.

Discus Data’s ExMS Password Reset Manager
ExMS Password Reset Manager (PRM) took the longest to install. It requires the Exchange 2000 schema extensions in the forest into which you're installing PRM. If you're already running Exchange 2000, this isn't a problem; if you aren't, you must extend the schema anyway, even though you don't plan to use Exchange 2000. You do that by running Exchange 2000 setup with the ForestPrep switch (setup.exe /forestprep). This isn't necessarily a bad thing, but it adds hundreds of objects to your schema, and schema additions can't be removed. Because the Schema Master domain controller is the only server that can write to the schema, I recommend running ForestPrep on it to cut back on network traffic. Remember: to edit the schema, you must be logged in as a member of the Schema Admins group (Exchange 2000 ForestPrep also expects Enterprise Admins membership). The machine onto which you install PRM must also have the Exchange administration tools.

PRM has the following hardware and software requirements:

 Win2K Server with SP1 or higher or NT 4.0 Server with SP6a

 IIS 4.0 or higher

 166MHz CPU

 64MB RAM

 80MB hard disk space

 Exchange 5.5 with SP4 or Exchange 2000 System Manager with SP1 or higher.

PRM manages NT 4.0 domains and Win2K AD, and it supports self-enrollment and manual enrollment. To enroll, users must create a Questions and Answers Profile. This profile contains a series of questions to be used when managing accounts.

Figure 2. Discus Data's ExMS Password Reset Manager supports self-service and manual enrollment.

PRM doesn't support as many platforms out of the box as others on the market, which is why it costs less. That doesn't make PRM a poor product; it's quite good at what it does, which is manage passwords for an NT and/or AD environment. Its interface is easy to use, and the software performs detailed logging and sends e-mail notifications. According to Discus Data tech support, PRM can be configured to work with any application or operating system. PRM supports password authentication along with challenge/response. To identify themselves, users can supply their login ID, user principal name, full name, display name, first name, last name, employee ID or e-mail address, and the administrator chooses how many of those fields must be answered correctly. Bear in mind that most of these values are directory attributes rather than secrets: they identify the user, but they shouldn't be the only thing standing between a caller and a reset, so pair them with the challenge/response questions.

Avatier’s Password Station.NET
Avatier provides a simple setup, as there’s no additional software to load. It’s just a typical Windows installation. Installing Password Station.NET doesn’t modify the schema, which means you don’t need schema admin rights to perform the installation.

Password Station.NET has the following hardware and software requirements:

 Win2K Server SP2 or higher (must be member of an NT or AD domain)

 IIS 5.0 or higher

 233MHz CPU (1GHz or higher recommended)

 96MB RAM (1GB or higher recommended)

 300MB hard disk space

 MDAC 2.7 or higher

 Microsoft .NET extensions

Password Station.NET manages a variety of platforms out of the box, including Microsoft SQL Server (7.0 and higher), Microsoft Windows NT/AD Domain (4.0, 2000, 2003), Novell eDirectory (NDS) (5.x and higher), Digital VAX VMS, Oracle 9i (8.x and higher), Red Hat Linux (7.1 and higher) and Sun Solaris (2.6 and higher).

Password Station.NET supports self-enrollment and manual enrollment. Password events trigger e-mails that walk the user through enrollment. Non-enrolled users must use their network credentials to enroll; they must key in their domain, username and password. Optionally, you can allow integrated authentication, which uses the credentials of the user currently logged on. You can manually enroll users by importing the answers to their security questions from another source (such as a payroll database).

Figure 3. Avatier's Password Station.NET homepage provides numerous options for account management.

Password Station.NET uses challenge/response to authenticate enrolled users. Users are asked two questions drawn from the pool configured during enrollment. Password Station.NET ships with an XML file of 25 questions, and you can easily add new ones. The answers are stored as SHA-1 one-way hashes (hashing, not reversible encryption, so the plaintext answers can't be read back out of the store) in the AD database or the NT 4.0 SAM.

I found myself wanting to use Password Station.NET’s Web interface rather than the other products’ because I like the way its Web page is configured.

Proginet’s SecurPass-Reset
SecurPass-Reset has two components—Web and server. The Web component services user requests, help-desk requests and software-usage monitoring. The server component communicates between the Web front end and SQL Server backend. You must install SQL 6.5 or higher, and SecurPass-Reset doesn’t support MSDE.

One complaint I have about SecurPass-Reset is the installation. I found it to be tedious, with lots of manual steps. I prefer more automated installations, as they tend to leave less room for human error and are quicker.

Installation consists of three parts: the server component, the Web component and SQL Server. The server component is a typical Windows installation. Installing the Web component requires manually copying files from the program directory to the Scripts and wwwroot directories and editing configuration files with your servers' IP addresses. Proginet provides scripts to help with the SQL Server configuration. Even though the install is a bit tedious, it isn't difficult, and Proginet provides helpful documentation that walks you through each step.

SecurPass-Reset’s server component has the following hardware and software requirements:

 Win2K or NT 4.0 Server

 SQL Server 6.5 or newer

 64MB RAM

 100MB hard disk space

The Web component can be installed on Windows NT/2000, Sun Solaris, HP-UX and IBM AIX.

SecurPass-Reset manages platforms such as Windows NT/2000, IBM OS/390 and OS/400, Unix, Sun Solaris, NetWare (NDS and Bindery) and LDAP. Users can utilize self-enrollment to set up their accounts or an administrator can do it for them manually.

Changing the questions used during challenge/response wasn't as intuitive as in the other products, which provide a Web interface for adding questions to the question pool. SecurPass-Reset instead requires editing a text file containing the questions. This isn't difficult, but I'd prefer to manage everything through the same interface.

Figure 4. SecurPass-Reset's Web component services user requests.

To its advantage, SecurPass-Reset supports a fair number of platforms by default. When purchased in higher quantities, its pricing is close to PRM, which makes it a good choice for someone concerned about price but who needs to support more platforms than PRM. SecurPass-Reset is my choice for small- to medium-sized companies with few platforms to support.

Final Report
All four products worked well in a Windows environment. Even though some installations were more difficult than others, all of them were straightforward to get up and running.

But choosing which is the best of the bunch depends on what’s important to you. All vendors provided good installation documentation; however, BMC’s CONTROL-SA/PassPort was the most detailed and easy to follow. If you’re looking for a product that works across the most platforms out of the box, this is the best choice.

If you’re seeking a cost-efficient program to reduce the number of help-desk calls in your Windows environment, I’d recommend Discus Data’s ExMS Password Reset Manager or Proginet’s SecurPass-Reset. PRM’s installation is quicker and easier, but I really like the feel of SecurPass-Reset’s Web interface. However, for small Windows-based companies with fewer than 1,000 users, PRM is the most affordable solution.

Avatier’s Password Station.NET is the most complete package and gives more bang for the buck. All of the programs are intuitive, but Password Station.NET makes the most sense to me. It has a plethora of easy-to-use features.

No matter which solution you choose, your help desk will thank you, as all these products give a great return on investment.
