“Password synchronization” is a method of achieving single sign-on (SSO) by ensuring a user’s password is the same across multiple systems. One system, such as Active Directory, acts as the central authority. When a user’s credentials are updated in the central authority, the new password is pushed out to other systems such as their email provider.
This functionality is found within identity management solutions, such as those offered by Tools4ever. Password synchronization solutions are easier to implement than enterprise single sign-on (SSO), as there is less administrative work involved (i.e., no need to create SAML trusts).
Unlike enterprise and web SSO, successful password synchronization between systems requires those systems to accept the same level of password complexity. If a simple password is pushed to a system that requires a complex one, then that system may throw an error and the affected user will not be able to log in with the expected credentials. This results in confusion and a poor user experience.
Organizations that plan on implementing password synchronization are advised to examine the password requirements of all connected systems and make note of the most stringent ones. Those requirements should then be implemented in the central authority (e.g., Active Directory). This will ensure that any new password will be accepted by all connected systems.
It may still occur, however, that some systems are not compatible with the password requirements of other systems. For example, one system’s maximum password length may be shorter than the minimum password length of another. Or one system may require special characters while another forbids them. In these cases, users will need to log in with different credentials. This is by no means a failure of any password synchronization solution and can be overcome with proper user training.
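The policy review described above can be automated. The following is an added example, not code from the original article or from Tools4ever: it merges the password rules of several connected systems into the most stringent combined policy for the central authority, flags the two kinds of conflict mentioned (a maximum length below another system’s minimum, and special characters both required and forbidden), and checks a candidate password against the result. All system names and rule values are constructed samples, and “special character” is assumed to mean any non-alphanumeric character, spaces included.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Policy:
    """Password rules of one connected system; every value below is a constructed sample."""
    name: str
    min_len: int = 1
    max_len: Optional[int] = None  # None: no upper bound
    min_digits: int = 0
    min_special: int = 0           # "special" = any non-alphanumeric character (assumption)
    mixed_case: bool = False
    allow_special: bool = True

def merge_policies(policies: List[Policy]) -> Tuple[Policy, List[str]]:
    """Build the most stringent combined policy for the central authority and
    report requirements that no single password can satisfy at once."""
    maxes = [p.max_len for p in policies if p.max_len is not None]
    merged = Policy(
        name="central",
        min_len=max(p.min_len for p in policies),
        max_len=min(maxes) if maxes else None,
        min_digits=max(p.min_digits for p in policies),
        min_special=max(p.min_special for p in policies),
        mixed_case=any(p.mixed_case for p in policies),
        allow_special=all(p.allow_special for p in policies),
    )
    conflicts = []
    if merged.max_len is not None and merged.min_len > merged.max_len:
        conflicts.append(f"min length {merged.min_len} exceeds max length {merged.max_len}")
    if not merged.allow_special and merged.min_special > 0:
        conflicts.append("special characters both required and forbidden")
    return merged, conflicts

def violations(password: str, policy: Policy) -> List[str]:
    """Return every rule of `policy` that `password` fails; an empty list means accepted."""
    digits = sum(c.isdigit() for c in password)
    specials = sum(not c.isalnum() for c in password)
    has_mixed = any(c.isupper() for c in password) and any(c.islower() for c in password)
    checks = [
        (len(password) < policy.min_len, "too short"),
        (policy.max_len is not None and len(password) > policy.max_len, "too long"),
        (digits < policy.min_digits, "not enough digits"),
        (specials < policy.min_special, "not enough special characters"),
        (not policy.allow_special and specials > 0, "special characters forbidden"),
        (policy.mixed_case and not has_mixed, "needs mixed case"),
    ]
    return [msg for failed, msg in checks if failed]
```

Running the merged policy against each system’s own rules before enabling synchronization tells you in advance which systems will reject the pushed password and must keep separate credentials.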
Security Concerns: Complexity & Passphrases
Every single-sign-on solution comes with security concerns, and password synchronization is no exception. When all systems share a single password, all of those systems become compromised when a user’s password is divulged. To combat this, organizations are advised to require passwords of significant length and complexity, as well as to train their users on the usage of passphrases in place of traditional passwords.
Consider the following password requirements: 20 characters, mixed case, one number, and five special characters. Any password that meets these requirements will be very difficult to crack.
The following traditional password meets these requirements:
However, few people will remember it. This is where passphrases shine. The following passphrase also meets all of the requirements, but is easy to remember:
I have 3 apples in my pocket.
By combining very strong password requirements with passphrase training, organizations can enjoy the benefits of single sign-on without the concern of easily-cracked passwords or users who write down their complex ones.
How Does Password Synchronization Work?
The implementation details of a password synchronization solution vary depending on the central system. Some systems may launch external processes when a user changes their credentials, while others may rely on third-party utilities to capture these events. Active Directory falls into the latter category.
Using Active Directory as an example, a password synchronization solution (such as that offered by Tools4ever) would require an agent to live on each of an organization’s domain controllers. When a user’s credentials are changed—no matter which domain controller that change happened on—the agent would capture the new credentials. Those credentials are then passed to a processing engine, such as Tools4ever’s UMRA software. The processing engine then encrypts the credentials and pushes them into connected systems such as Google GSuite or Salesforce.