Password Management
Article: KB0010598 Published: 11/03/2023 Last modified: 11/03/2023

The more passwords that are required to access your systems, the more your organization's security is at risk. This might seem counterintuitive, but passwords depend on people: the more passwords that your users have to keep track of, the more likely they are to write them down, use weaker passwords that are easier to remember but also easier to guess, or repeat the same password across multiple systems. The goal of single sign-on (SSO), therefore, is to eliminate passwords in favor of more secure and user-friendly alternatives, which OneLogin can achieve with provisioning tools like SAML, OpenID, and proprietary protocols. Unfortunately, many applications don't support provisioning or still require a user password, such as for POP3 and IMAP email configuration.

Even then, OneLogin still has you covered! We can alleviate the manual burden on users by caching passwords and automating logins with a process called form-based authentication. This article discusses the different types of passwords stored in OneLogin and offers some tips and best practices for the passwords that are unavoidable.

Types of Passwords

There are two kinds of passwords that OneLogin may store for your users: SSO passwords and application passwords:

  • The SSO password is the one that your users enter to sign into OneLogin itself. If you manage your users directly in OneLogin, their SSO password is stored in OneLogin too. On the other hand, users who are synced into OneLogin from an external directory such as Active Directory or LDAP will have their passwords stored there instead.

    Sometimes it's useful to have OneLogin send the SSO password to other applications, either as part of the provisioning process or with form-based authentication. For example, if your organization is using Google Apps, OneLogin can ensure that Google uses the SSO password. If necessary for your organization's specific security needs, you can disable this kind of password-mapping in your account settings.

  • Application passwords are those associated with your users in the various other applications that don't support SSO provisioning. For these, OneLogin can store each user's individual password and use form-based authentication to sign users into the application without requiring them to enter the password manually at a login prompt.

    Application passwords stored in OneLogin are encrypted with an account-specific key and decrypted on demand when requested by the correct application. These passwords can be chosen by your users, configured by an administrator, or even securely shared among multiple users, for example when several employees all need access to the same account.


Password Strength

A strong password is one that has high entropy, or randomness. A lowercase six-letter password can only be one of a few thousand possibilities if it's a dictionary word. Even if it's made up of random letters, it can only be one of 308,915,776 (or 26^6) possible combinations – child's play for a brute-force algorithm.

If you mix upper- and lowercase characters with numerical digits and special characters, you now have 94 different characters compared to the 26 lowercase letters, giving you a dramatic increase to 689,869,781,056 (or 94^6) potential 6-character passwords. And if we double the password length to 12 characters, we now get 475,920,314,814,253,376,475,136 (or 94^12) different combinations!

The problem is that strong, high-entropy passwords like "3*g2dTW93%k2" are very hard to remember and impractical to type, and so users will very often choose much weaker passwords like:

  • Dictionary words: automobile, cupcake, butterfly, atlanta, happiness
    These passwords are easily guessed by algorithms since most dictionaries only have a few hundred thousand words, and most people only have an active vocabulary of a few thousand words.
  • Short words with numbers at the end: rose123, John999, good2001
    Although slightly more secure than dictionary words, these passwords are still very easy to guess: most people, when required to include both letters and numbers in their password, start with a dictionary word and then append only as many digits as needed to meet the minimum length, so guessing algorithms quickly pick up on this pattern and find the word+number combination the same way they find plain words.
  • Personal information: charlottejackson, January12, 1235551234, Detroit1976
    Names and personal information are easily guessed because there are so few possible combinations for any one person, and they will often be among the first attempts made by a malicious actor who knows that person or by a tool that has collected any user data about them.
  • Default passwords: admin, password, guest, 0000
    Many products have default values that some people never change. For example, it's hard to find a place in any city that doesn't have at least one unprotected WiFi hotspot called "linksys".
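To make the two points above concrete, here is an added Python example (not OneLogin code) that computes the search space and entropy for the alphabet sizes the article uses, and flags a candidate password against the four weak patterns listed. The word list, default values and per-user personal tokens are constructed stand-ins; a real deployment would load a full dictionary and take personal tokens from its directory records.

```python
import math
import re
from typing import Optional, Set

# Constructed stand-in word list (a real deployment would load a full dictionary);
# the entries are the examples the article itself lists.
COMMON_WORDS = {"automobile", "cupcake", "butterfly", "atlanta", "happiness",
                "rose", "john", "good", "password", "admin", "guest"}
# Vendor/default values from the article.
DEFAULT_VALUES = {"admin", "password", "guest", "0000", "linksys"}


def search_space(alphabet: int, length: int) -> int:
    """Number of distinct passwords of a given length over an alphabet of that size."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Entropy of a uniformly random password drawn from that search space."""
    return length * math.log2(alphabet)


def alphabet_size(password: str) -> int:
    """Size of the standard character classes the password actually draws from."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 32  # printable ASCII symbols, giving the article's 94 in total
    return size


def weak_pattern(password: str, personal: Set[str] = frozenset()) -> Optional[str]:
    """Name the article's weak-password pattern that matches, or None if none does.

    `personal` is a constructed set of the user's own tokens (names, city,
    phone digits) that a deployment would take from its directory records."""
    low = password.lower()
    if low in DEFAULT_VALUES:
        return "default"
    if any(token.lower() in low for token in personal):
        return "personal info"
    if low in COMMON_WORDS:
        return "dictionary word"
    m = re.fullmatch(r"([a-z]+)(\d+)", low)
    if m and m.group(1) in COMMON_WORDS:
        return "word+digits"
    return None
```

Note that a high `entropy_bits` value only describes the space a password was drawn from; a password that matches any `weak_pattern` is guessable regardless of its length or character mix.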

Most of us know that these passwords are weak, but we also know how easily we might forget more complex passwords. Many users will therefore select the weakest password they're permitted to, sacrificing security in favor of ease – particularly if they have several passwords they must remember.

That's why the ideal authentication process requires users to have as few manually-entered passwords as possible. With user provisioning allowing your users to authenticate directly through OneLogin and form-based authentication handling their password-based logins, you and your users have no barriers to using highly complex, randomized, and secure passwords.


Want to increase your organization's security even more? Consider using SmartFactor Authentication, a powerful add-on for your OneLogin account with advanced and intelligent features like:

  • Multi-Factor Authentication, giving your users a variety of alternatives to their SSO password, like single-use tokens or trusted device certificates
  • Smart MFA and Smart Access, which can detect potentially suspicious logins and increase your users' security requirements when something seems off, even if they have the correct password
  • Several Smart Flows that enable you to select custom login flows for your users, such as a passwordless flow that bypasses the need for an SSO password completely
  • Compromised Credential Check, which can check your users' OneLogin credentials against a database of known passwords that have been breached and posted on the dark web
  • A Dynamic Password Blocklist that allows you to automatically prevent users from choosing OneLogin passwords that contain unique personal information, such as their own name or phone number
