Password History

Error checking is implemented to guard against a password being set before the Hitachi ID Privileged Password Manager server is made aware of the change -- i.e., a workstation or server can never have a local administrator password that the central Privileged Password Manager server cluster is not aware of.

Consider a workstation on which the local Privileged Password Manager service determines that the time has come to change passwords:

If it simply changes passwords and then attempts to contact a central server to upload the new value, it may find that Privileged Password Manager is off-line or unavailable and so must either roll back the change or store the new value and periodically test for connectivity, in the hopes that the new password can be uploaded before anyone needs to use it.

To avoid this problem, Privileged Password Manager's "pull model" works as follows:

First, the workstation connects to the central Privileged Password Manager server, and asks that server to generate a new, random password for a given local user.
The workstation then changes the password locally and sends a confirmation to the Privileged Password Manager server.
The Privileged Password Manager server updates its stored password and replicates the update to all other Privileged Password Manager servers.

In the event that the Privileged Password Manager server did not receive a confirmation message -- for example in the event that the workstation was suddenly turned off or disconnected -- it will retain both the old and new passwords. The new password is assumed to be current and the old password is archived.

As a fail-safe, in general all old passwords are retained/archived, so that if a sequence of password updates somehow failed, the correct administrative password is nonetheless available.