Advisory for IT Departments: Password Security and Federated Single Sign-On

  1. Passwords are stolen and hacked because they are sometimes stored in clear-text form. So please do not store passwords in clear text in a database. It is advised that passwords be stored hashed and encrypted. It is preferred that passwords be stored in directories. Any LDAP-standard-based directory is a good choice; Microsoft Active Directory and OpenLDAP are quite popular.
  2. Passwords are stolen and hacked because your users are creating multiple accounts on multiple external websites and apps. Each user therefore has multiple passwords, and each password is stored at a remote vendor site, outside of the IT Department's control. It is also not clear how these passwords are stored and secured by the vendor, or who within the vendor's organization has access to such password databases.
  3. It is recommended that you unify user passwords from multiple sources into one or more repositories of passwords and user identity data that are always under your control and supervision. You can use a wide variety of off-the-shelf identity integration software tools to unify passwords and user identity data into one or more repositories. This eliminates password proliferation.
  4. Adopt open-standards-compliant secure federated single sign-on to give users single-password access to apps. Federated single sign-on eliminates the need to share user passwords with apps and websites. The open-source, SAML-based Shibboleth SSO solution is best for such deployments, since Shibboleth has been tested and reviewed openly by security experts world-wide for over 15 years. Shibboleth is vastly superior to any commercial alternative in terms of security, reliability, standards-compliance and robustness.
  5. Adopting federated single sign-on (SSO) ensures that your user passwords no longer leave the enterprise Active Directory (LDAP) that is under the IT Department's control. External app vendors and their apps therefore no longer have access to user passwords. This is a huge improvement in password security.