Managing Password Credentials

Credential management is a realm within Identity and Access Management (IAM) that focuses on the lifecycle of credentials, from provisioning, audits, and updates to deprovisioning and monitoring. In its essence, credential management is about keeping user credentials safe during transit and at rest to avoid security incidents. When it comes to passwords, credential management typically involves enforcing password complexity and password strength policies to minimize the risks of brute-force attacks and ensure secure password storage.

When passwords fall into the wrong hands, malicious actors can take over accounts and gain access (on the wrong premises, though). This often propagates to other, even unrelated, systems because users reuse the same credentials for different services. To mitigate the risk of compromised databases and password leaks, it’s crucial to salt and hash passwords before storing them in a data store.

An initial strategy for credential management could — and should! — be to minimize the places where passwords are stored. Instead of each application maintaining its own separate user directory and credential store, install a central credential management or IAM solution, such as an OAuth authorization server, to handle passwords consistently. 

Moving to Central Credential Management

Centralization improves security hygiene by ensuring all applications follow the same rules. Commonly, centralization concerning credential management implies a single place for enforcing (password) policies, securely storing credentials (passwords), and monitoring and auditing events. 

Centralizing credentials should not mean copying all data to a central store and abandoning all individual credential data stores at once. It should be possible to perform any transition — whether from multiple systems to a single one or from a legacy to a modern solution — while keeping business continuity and user experience in mind. 

The Basis for Peaceful Transition

An IAM system should decouple credentials from user accounts to smooth the transition to centralized credential management. This means the system should manage account-related data such as usernames, emails, and user roles separately from passwords. As part of that, an IAM system should support various data sources and hashing algorithms with the possibility of more or less fully customizing integrations with existing password stores. This is important so that the IAM system can integrate with the variety of solutions that heterogeneous or legacy systems imply. 

An IAM system should support retrieving passwords from multiple data sources and select the appropriate source depending on the use case such as the application the user interacts with. It can then store the password in the central data store using a secure algorithm — providing a unified approach and possibly replacing vulnerable implementations. In this way, you can integrate with the legacy systems and move users to the central system one at a time when improving credential management.

Flexibility via Decoupling

Decoupling credential management from account management provides flexibility for numerous use cases beyond credential transition. For instance, the ability to validate and store passwords using various methods allows for implementing multiple policies within the same system. Such policies can relate to different needs, such as addressing specific technical requirements or meeting compliance standards (e.g., GDPR, HIPAA). 

Policies commonly vary from organization to organization. With dedicated credential management separated from account management, an IAM system can handle multitenant or even application-related differences within the same deployment. Thus, it provides an organization the freedom and flexibility to implement a solution that fits its needs for modern, secure credential management.

Three Points to Remember

From this blog post, you should take away three main points for modern credential management:

• Passwords are still alive.

• Centralize password management for improved security and compliance.

• Decouple password management from account management to enhance flexibility.

Passwords are still in use and you have to manage them today as best as you can. The best way is to centralize password management. As part of that effort, choose an IAM system that decouples credential management from account management so that it can meet various requirements. In the long run, update your credential management strategy to focus on modernizing the credentials and authentication methods. Rely less on passwords and instead incorporate alternative authentication techniques such as multi-factor authentication (MFA) and passwordless authentication.