Password Management



Today's regulatory mandates – including PCI DSS, SOX, HIPAA and others – require your privileged account passwords to be sufficiently unique, complex, and frequently changed.

ERPM Architecture

Scheduling Password Changes in ERPM

  • With Enterprise Random Password Manager (ERPM), it's simple to configure settings for password strength to accommodate different management targets – including hardware, databases, and applications – that have set requirements for allowable passwords. This makes it easy for you to choose the right settings for every managed system.

  • ERPM helps you logically group all of your managed systems so you can configure specific policies for different types of systems and account types – for example, you can group systems to more easily configure NT-compatible passwords for older computers, while complying with the current requirements of your computers running Windows Vista / Server 2008 and newer.

  • ERPM is unique for its ability to discover every location where a privileged account is being used or referenced, and to propagate password changes to all referenced locations across your network. This capability is especially critical for privileged credentials found in service and process accounts, and can help you avoid the potential for service disruptions and lockouts that can occur with alternative solutions.

Schedule Password Changes with Less Effort

Passwords are automatically randomized after use and can be changed on a scheduled basis, with the options for scheduling being immediately, every hour, every day, every week, every month, every year or every n hours/days. The job can also be given a window of time to run (e.g. 1-3 AM).

ERPM helps you to schedule and monitor password changes with a minimum of effort, and lets you properly handle exceptions (in the event of a network issue or if a target system goes offline) so that any issues are reported, alerted and addressed.

  • Because ERPM organizes your password change jobs by systems (as opposed to accounts), you can update the same account on any number of machines with a single job, so you manage all of your password changes with the least effort. Once you create your password change jobs, ERPM can process the changes without operator intervention.

  • ERPM also has the capability to reset individual passwords or groups of passwords on-demand, and to schedule automated checks to ensure that each password stored in the database correctly matches the current login for each target account.

Password Complexity

Password constraints are configurable and control the password length and complexity. You can select which symbols to use or exclude, whether the password may contain upper/lower case letters, symbols, or numbers. You may select the positioning of characters/numbers/symbols within the password itself, and you may require a minimum number of upper/lower case characters, numbers or symbols. With ERPM, passwords can be up to 127 characters in length, if/as allowed by the system being managed.

Password Encryption

With ERPM your passwords are encrypted in a backend database, with options that include military-grade AES encryption, a FIPS 140-2 software encryption module, higher levels of FIPS 140-2 compliance, and support for Hardware Security Modules (HSMs) that use PKCS#11. ERPM also takes advantage of SSL encryption between its distributed modules, and between its web application and users' machines, to protect passwords and other sensitive information.

ERPM does not perform any of its own networking and does not require agents to manage privileged identities on servers, workstations, and devices. ERPM commands its local host to perform connections and issue remote commands. For Windows-based targets, all networking is Windows-to-Windows communication and therefore follows the same rules and protocols; non-Windows platforms are reached via SSH 2.0 or Telnet connections.

Password Retrieval

Administrators can quickly retrieve passwords for systems/devices/applications/databases they are authorized to manage via a secure web portal. You may configure the web application to allow users to view passwords or simply log them into the target system via RDP/SSH/Telnet without ever displaying the password.

Contact us to learn more about how Lieberman Software can help you secure your organization's privileged accounts.