Establishing Digital Trust: Don't Sacrifice Security for Convenience
Price: From $59.95 per user (volume discounts available)
Pros: Improves password security through ease-of-use, policy control, and safe storage
Cons: No centralized audit or reporting, enterprise upgrades not yet finished
Nobody loves passwords. End users despise draconian rules that force them to define dozens of passwords. Compliance officers lose sleep over unsafe practices often used to remember passwords. Even with self-reset portals, help desks still devote far too much time to passwords. And yet, freely-defined, universally-supported passwords continue to dominate authentication.
In its Guide to Enterprise Password Management (SP800-118), NIST discusses how to mitigate password challenges, including single-sign-on, password synchronization, and local password management. While local password managers can quickly reduce the values that each user must recall, those user-installed programs can still be vulnerable to endpoint compromise, improper use, and human error.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=iTo help IT departments deploy local password management in a safely-controlled fashion, Siber Systems has combined its consumer password manager RoboForm with centralized policy definition and backup/recovery. Here, we review the result: RoboForm Enterprise.
Saving passwords safely
Consumer password managers are plentiful basic utilities are even free or embedded in browsers. The premise is simple: one robust but easily-recalled password locks an encrypted storage area ("safe") containing all of the other credentials that one individual needs for Web/application authentication. In this way, long/complex passwords can be easily defined and employed by the safe's owner, but hidden from prying eyes or disk-scouring malware.
Over the years, password managers have gotten easier to use for example, binding passwords to associated Website URLs, auto-opening login pages, and auto-filling forms with saved values. Most managers can now save other data as well, such as credit card and bank account numbers, and incorporate freeform notes (e.g., secret questions/answers).
RoboForm can do these things and more. Unlike Internet Explorer or Firefox utilities, RoboForm can auto-save/fill passwords using both browsers and many other Windows applications. Specifically, RoboForm can auto-fill HTML and Basic Authentication forms, including multi-step logins used by financial providers. However, Java and Flash forms must be filled manually (via copy/paste). Users with MacOS and Linux hosts are out of luck, but those with smartphones will find there are simplified, free RoboForm apps for most mobile OS's.
RoboForm associates each configured or auto-saved username/password (Passcard) with a defined Identity that can be used to auto-fill forms with addresses, phone numbers, titles, account numbers, etc. RoboForm even supports multiple Identities to easily differentiate between household accounts held by several family members or personal vs. business accounts. Finally, every Identity and Passcard is bound to a defined Profile, creating a one-click toggle between "Home" vs. "Work" or "Admin" vs. "User" or any desired grouping.
Under the covers, RoboForm safely stores each Passcard, Identity, and Safenote (freeform text) as a separate file, encrypted with your choice of 256-bit AES, Blowfish, RC6, 3DES, or DES. All files are written to a configurable folder, typically on a local hard drive, but possibly on a USB stick or network store. Once encrypted, those Passcards, Identities, and Safenotes can only be decrypted if and when a corresponding "master password" is supplied.
Keys to the kingdom
Whether using a local password manager, such as RoboForm, or a single-sign-on (SSO) server, there is always risk associated with storing many credentials in one consolidated location. Specifically, security hinges upon master password strength and confidentiality. If a user configures an easily-guessed master password, shares it with a friend, or types it on a host infected with a keystroke logger, there go the "keys to the kingdom."
With SSO, the stakes are raised by storing and maintaining an entire organization's credentials at a central server. A local manager like RoboForm reduces that risk by distributing password maintenance and storage. If the RoboForm files saved on one user's PC were ever compromised or corrupted, only that user's credentials would be jeopardized. However, a fully-distributed approach also means there's no single server to enforce password strength, track password updates, or provide hardened password storage.
To clear that first hurdle, RoboForm Enterprise combines RoboForm with a Policy Editor that administrators can use to specify dozens of program settings, including several that promote master password strength and confidentiality. For example, the Policy Editor can:
- Set minimum master password length, upper/lower case, and digit requirements.
- Stop end-users from removing their master password (unprotecting data).
- Stop end-users from changing their own master password.
- Back up master passwords (in encrypted form) in a specified recovery folder.
- Set an auto-logoff period after which the master password must be reentered.
Noticeably missing from RoboForm are stateful policies, like the ability to require periodic master password updates or to prevent similar password reuse. In other words, the Policy Editor can establish and update policies, but it cannot monitor or audit deployed policies.
We tested the "enterprise beta" version of RoboForm, which included three newly-introduced master password alternatives:
- UPEK-based fingerprint readers: This prevents master password sharing by using fingerprints to unlock RoboForm. We did not have compatible hardware to test this.
- Dual Passwords: This prevents application password disclosure by letting admins create Passcards that others can use for login (by supplying their own master password), but not view or edit. We needed Siber Systems help to even try this subtle, not-yet-documented, but very promising addition.
- Windows Login: This eliminates RoboForm master password entry by substituting Windows authentication. When a Windows user logs into her PC, her master password is auto-cached, unlocking RoboForm (at least until auto-logoff occurs). This alternative operates so transparently that we didn't even notice it at first.
These new alternatives make RoboForm more business-friendly. For example, combining Dual Passwords and Windows Logins let IT define Passcards that can only be applied when employees are logged into the company domain, and thus auto-revoked if an employee's Windows account is ever disabled. However, we found these to be works-in-progress, largely absent from manuals, FAQs, or the Policy Editor. Presumably those omissions will be rectified before the beta is done.
Next page: Taking control
Using the Policy Editor, we centrally-defined many important program and security options, including disabling Safenotes or Identities entirely, eliminating undesirable data from Identities, denying auto-save and auto-fill (entirely or for specified domains), auto-clearing clipboards, specifying auto-logoff events, and preventing program removal. However, deploying our policies proved awkward.
The RoboForm Policy Editor is really just a Windows registry key generator. Click on any RoboForm key to view a (very brief) description and select values from pull-down lists. When done, click Test Values for a syntax check, then click Create Reg. All "pinned" keys are written to a .txt file that must be renamed .bat for execution. The manual suggests testing policies on a local copy of RoboForm before attempting a production installation or update. To facilitate large-scale rollout, the RoboForm installer can be executed without end-user prompting or registration.
Installing and updating RoboForm itself was easy, so long as those tasks were performed with administrative rights. But RoboForm does not report or prevent future registry changes. Furthermore, if a key isn't "pinned" by policy, users can change that option though the RoboForm UI, without changing the registry. Worse, the cleartext options file that controls a running instance of RoboForm isn't encrypted or even hashed to prevent external edits. To control policy reliably, admins must understand and address these risks. Policy drift is a real concern for any distributed solution especially one that lacks an audit tool.
Just in case
The Policy Editor is also used for RoboForm master password backup and recovery. With the consumer RoboForm product, the master password is never stored. But enterprises must be able to help employees recover lost passwords or perhaps decrypt Passcards and SafeNotes abandoned by former employees. The Policy Editor fulfills this business need by:
- Setting policies to save master passwords to a configured folder (e.g., network share).
- Generating a public/private key pair for master password protection.
- Using that public key to encrypt all saved master passwords.
- Using that private key as needed to recover (decrypt) any saved master password.
As previously noted, storing all master passwords in a single location poses risk more so if that folder is public-writable. The Policy Editor password-protects the key file but does not explain its purpose or associated risks. Our Policy Editor's recovery routine also complained about the format of files written by our RoboForm enterprise beta perhaps a version mismatch?
In any event, we think this feature should be wrapped in stronger warnings, if not stricter usage requirements like mandating a robust recovery key password and saving the private key file to a secured location, not the public backup folder. We'd also like to see encrypted master passwords archived to a location where they can't be copied or over-written.
Another recent addition is Passcard, Identity, and SafeNote backup. Consistent with today's cloud storage trend, encrypted RoboForm files can now be auto-synced (over SSL) to a RoboForm Online server hosted by Siber Systems. Importantly, master passwords are never sent to RoboForm Online. Consumers may like this service since its lets them reach their RoboForm files from any PC. Businesses will probably prefer to synchronize RoboForm files to other supported destinations, like network shares, Amazon S3, or FTP/SFTP servers.
Once synchronization is enabled, changed files are copied automatically by another Siber Systems product, Good Sync. Customers who don't want to auto-sync can still perform manual backups, copying RoboForm files to any folder. Admins can disable Backup/Restore using the Policy Editor; we hope to find Synchronization keys in a future Editor since IT will no doubt want to explicitly control this needed-but-sensitive feature.
Fitting into the enterprise
RoboForm itself is feature-rich. Beyond capabilities already mentioned, RoboForm can generate random passwords (to increase their strength), accept passwords through a virtual keyboard (to defeat keyloggers), and validate configured URLs (to deter phishing tricks). The RoboForm UI is busy even a tad overwhelming for novices but conveniently integrated into browser toolbars and Windows authentication prompts. The free RoboForm supports 10 Passcards; a Pro license eliminates that limitation.
All of these features are found in RoboForm Enterprise because the Win32 program installed on end-user PCs is really one and the same. For this review, we focused on version 7 features aimed at the enterprise, Policy Editor capabilities, and how this combo addresses business needs. Our initial impression was that Siber Systems had taken a healthy stab at meeting functional requirements, but not enterprise infrastructure or process integration needs.
However, Siber Systems tells us that they are now deploying Active Directory Group Policy Objects (AD GPOs). The existing Policy Editor will remain as a test tool and recovery utility. Although we were not given a chance to try RoboForm AD GPOs, we agree that large enterprises will require this. Smaller businesses may be satisfied by the Policy Editor, but customers that use AD will expect their local password management solution to dovetail with that infrastructure and the processes that surround it including methods used to conduct policy audits.
Like many products that jump from the consumer market to the enterprise, RoboForm suffers a bit from trying to keep everyone happy. For example, when the enterprise beta checks for a new version, it opens a Website for consumer product downloads. Although RoboForm's local password management approach scales, Siber Systems needs to finish polishing the enterprise beta, including formal documentation written for enterprise end-users and admins. We hope the latter illustrates how RoboForm can be integrated with common enterprise tools to implement essential processes like file backups and policy audits in ways familiar to IT groups.
Finally, although RoboForm promotes and simplifies use of stronger passwords, some businesses have security requirements that exceed RoboForm capabilities, like FIPS-certified crypto and smart card/token authentication. Enterprise authentication is never a one-size-fits-all proposition. But, in RoboForm Enterprise, Siber Systems delivers enough to warrant business consideration.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. Since testing her first 802.11 WLAN in 2002, Lisa has performed numerous vulnerability assessments herself and taught workshops on this topic.