Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Need to know how password generating logic works in CPAM for audit purpose.

Go to solution
Narendrapranaam
New Contributor II
New Contributor II

‎05/11/2023 08:19 AM

Need to know how password generating logic works in CPAM for audit purpose. To give more idea, we need confirmation that any password generated via CPAM should be compared with all active checked-out account's password and made sure the password generated is unique & not a duplicate of other password.

Also, would need to know the Algorithm used for encrypting password in CPAM's vault

0 Kudos
4 REPLIES 4

Go to solution
NageshK
Saviynt Employee
Saviynt Employee

‎05/22/2023 03:04 PM

@Narendrapranaam Thanks for posting your question. Passwords are generated randomly using the password policy definitions and the probability of having duplicates is very low and the longer the pwd is, the rarer the chances are for duplicates. Additionally, the checked out passwords are not stored anywhere (for security reasons) so a comparison is not possible here. Can you elaborate your requirement/use case further so that we can review and see if the potentical concerns/impacts can be handled in other ways?
And we use SHA2 for encryption. 

Thanks,

Nagesh K 

0 Kudos

Go to solution
Narendrapranaam
New Contributor II
New Contributor II

‎05/23/2023 09:31 AM

Thanks for your reply @NageshK , to elaborate much on the requirement. There was an ask from our Client security team to confirm if this tool compares the password with all current password shared with Active accounts with active reservation slot/Password slot and generate password so there is no repeated password for any active accounts having active reservation slots. As you mentioned, since we dont have a repository where we can compare all password to confirm its uniqueness thought of checking here.

Also, since the copy of password is stored to CPAM's Vault, is there a testing you did in such a way extracting the secrets from vault to confirm if its not unique.  If nothing works as mentioned, we've breakglass instance creation and extracting secrets, have you ever seen same password generated for multiple accounts? 

0 Kudos

Go to solution
NageshK
Saviynt Employee
Saviynt Employee

‎05/25/2023 06:43 AM

@Narendrapranaam The probabilities of duplicates are so low. Imagine that you are generating a 12 char password from the list of [A-Za-z0-9],  the total possibilities of combinations are 62 (26 upper case + 26 lower case + 10 numbers) to the power of 12. This is equivalent to 3,226,266,762,397,899,821,056 combinations. And we have not even considered special characters in the list of characters. Getting a duplicate from this will be a rare occurrence. 

Do you have any business case that is impacted in the rare event of having a duplicate? Even in that rare scenario, it has to be the same person checking out credentials for both accounts and that too at the same time as we rotate the credentials after every checkout. 

Thanks,

Nagesh K 

0 Kudos

Go to solution
Narendrapranaam
New Contributor II
New Contributor II

‎06/04/2023 11:22 PM

I accept your suggestion we shared the same with our client and its always better to have a response from Saviynt for any future/current audit.

0 Kudos
Copyright © 2024 Khoros, LLC