Password Management Service – Architecture

Password Management consists of the following major items:

  1. Create Password
  2. Change Password
  3. Reset Password

Before getting into the detailed requirements for each of these, let us take a look at the overall scheme of things through the diagram below.

Diagram: Password Management System

Passwords can be maintained either at the application level or in LDAP / Active Directory. This document details a centralized password management module for non-SSO applications; for SSO-based applications, user creation and password management happen at the identity provider.

Password Creation:


Whenever a new user is created in an application, a password needs to be assigned to that user. This password can be either system generated or user selected. In either case, all the rules in the password policy are applied.

User selected password:

Where the user selects the password, the password is sent to the password management system through an API call with the following parameters:

  1. Application id
  2. Client id
  3. Country id
  4. Business unit id
  5. User id
  6. Password

On receiving the details through the API, the password management system applies all the password policies to the password and validates it. If it is a valid password, then:

  • The password is stored in the password management service database
  • A message is sent back to the application confirming successful validation of the password, and the application then triggers the user management service to store the details of the new user

If the password validation fails, a message is sent back to the application with the reason for the failure, and the application highlights it near the password box.

System generated password:

In this case, the application calls the password management system through the API with the following details:

  1. Application id
  2. Client id
  3. Country id
  4. Business unit id
  5. User id

The password management system generates a new password in line with the policy and sends it back to the application, which in turn relays it to the user management service to store the details of the new user.

Note :

  1. The user management and password management components should work together during user creation, as the user creation is completed only after successful validation of the password
  2. If the application is configured to use SSO, then the password is never sent to the password management service. Whether to send the password to this service is entirely the application's decision.

Password Change and Reset:

Usually, the request to change or reset the password comes from the application. A password change might happen due to the following events:

  1. Voluntary Change – When the user wants to change the password deliberately
  2. Forced Change – When the system forces the user to change the password (When the password expires according to the policy)

A password reset might happen due to the following events:

  1. User forgets the password and clicks on the forgot password link of the application
  2. User’s account is locked after “X” number of unsuccessful login attempts

The Password Management System receives the password change or reset request from the application in the form of an API request. Once the request is received, it is processed and the latest password is returned to the requestor through an API response.

The request API consists of the following parameters:

  1. Application id
  2. Client id
  3. Country id
  4. Business Unit id
  5. User id
  6. Old password (Optional)
  7. System password generation flag (in case of a password reset)

Components of Password Management System

Rules Engine: The rules engine holds the configuration of the password policies, keyed on the following parameters:

  1. Application
  2. Client
  3. Country
  4. Business Unit

Some of the password management rules are as follows:

  1. Minimum Password Length
  2. Password composition (e.g. at least one numeral and one alphabetic character)
  3. Don’t allow the last “X” passwords
  4. Password expiry rule

Whenever a password change or reset request comes to the password management system, the rules engine picks up the rules for that particular application/client/country/business unit combination and sends them to the Password Validation Engine for further processing.

Password Change/Reset Engine: This component actually changes or resets the password, based on the following scenarios.

If it is a user-initiated password change (from the change password link in the application), then the user should do the following:

  1. Type the old password
  2. Type the new password
  3. Type the new password again

If it is a system-initiated forced password change (based on the password expiry policy), then the user should do the following:

  1. Type the old password
  2. Type the new password
  3. Type the new password again

The user can reset the password by clicking on the “forgot password” link in the application. In such a case, one of two things may happen:

  1. The system generates a random password and emails it to the user (This should be changed at the first login)
  2. The system sends a reset password link to the user through an email wherein the user can pick a new password

Note : If additional validation of the user is needed before a password reset, the following parameters can be used, on a configurable basis:

  1. DOB
  2. OTP
  3. Employee id + Email id
  4. Set of Password reset Questions

Password Reset Questions:

This is an option wherein the user is asked beforehand to select a set of questions and supply answers for them. Later, when the user wants to reset the password, the user is asked to answer those questions as a form of validation. If the right answers are provided, the user can go ahead and reset the password.

The password change/reset engine will call the Password Validation Engine in the following scenarios:

  1. User clicks on the submit button after entering the old and new passwords
  2. User clicks on the submit button after entering only the new password
  3. User clicks on the submit button after entering validation details like DOB or OTP
  4. System generates a random password for reset

Password Validation Engine:

The password validation engine receives the following:

  1. Rules for a particular application/client/country/business unit from the rules engine
  2. Old and new passwords from the password change/reset engine in cases where the users provide the old password
  3. New password in case the user just keys in a new password
  4. System generated random password

Once it receives the details from the rules engine and the password change/reset engine, it validates the new password against the rules and calls the response API with one of the following messages:

  1. “Password is changed successfully” message (in case validation succeeds)
  2. The corresponding error messages (in case validation fails)
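The rules engine and validation engine described above, as an added example that is not part of the original design document: the policy rules (minimum length, composition, last “X” passwords, expiry) are modelled as a small dataclass, the validator returns the error messages the response API would carry, and the generator produces the system-generated password in line with the same policy. It assumes the password history is kept as salted PBKDF2 hashes so that the last “X” passwords can be compared without retaining them; that storage choice is this example's assumption, not the document's.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    # Rules picked by the rules engine for one application/client/country/business unit combination
    min_length: int = 8
    require_numeral: bool = True
    require_alpha: bool = True
    history_size: int = 3      # "don't allow last X passwords"
    expiry_days: int = 90      # password expiry rule


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption of this example: history entries are stored as (salt, PBKDF2 digest) pairs
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def validate_password(new: str, policy: PasswordPolicy,
                      history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy violations; an empty list means the password is accepted."""
    errors = []
    if len(new) < policy.min_length:
        errors.append(f"Password must be at least {policy.min_length} characters")
    if policy.require_numeral and not any(c.isdigit() for c in new):
        errors.append("Password must contain at least one numeral")
    if policy.require_alpha and not any(c.isalpha() for c in new):
        errors.append("Password must contain at least one letter")
    # Only the most recent X entries of the history are compared, oldest first in the list
    for salt, digest in history[-policy.history_size:]:
        if hmac.compare_digest(hash_password(new, salt), digest):
            errors.append(f"Password must not match any of the last {policy.history_size} passwords")
            break
    return errors


def generate_password(policy: PasswordPolicy, length: int = 12) -> str:
    """System-generated password: draw candidates with a CSPRNG until one satisfies the policy."""
    alphabet = string.ascii_letters + string.digits
    size = max(length, policy.min_length)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(size))
        if not validate_password(candidate, policy, []):
            return candidate


def password_expired(last_changed: datetime, now: datetime, policy: PasswordPolicy) -> bool:
    """Expiry rule that triggers the forced change described in the document."""
    return now - last_changed >= timedelta(days=policy.expiry_days)
```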

The response API will consist of the following parameters:

  1. Application id
  2. Client id
  3. Country id
  4. Business Unit id
  5. User id
  6. New password (in case of a successful password change)
  7. Response message to be displayed to the user

The response is fed to the application, which updates either the LDAP/Active Directory store or the local password management database.

Master data management

The password management system will maintain the following master data:

  1. Application id
  2. Client id
  3. Country id
  4. Business unit id
  5. User id
  6. Rule 1
  7. Rule 2
  8. Rule 3

Etc.

The change and reset password screens will be part of the Password Management Service and will be embedded in the application through an iframe.

Password Security

  1. The passwords are encrypted using 128 bit AES encryption before being stored in the database.
  2. Passwords would never be shared through email.
  3. If the customer wants to store the password in a Hardware Security Module (HSM) using keys, then the password management service doesn’t store the password in the local database and instead routes it to the HSM.
  4. Any change in the password policies is immediately applied to the passwords, and the users are forced to make the change.
