Will tech industry ever fix passwords?

By Jeff Vance, CIO |  Security, passwords

For consumers, there are already two SSO options that are gaining traction: Google and Facebook. However, neither company is known for its rock-solid security practices. The consumer-facing SSO systems are based on a kind of SAML lite, called OpenID. A recent Microsoft-sponsored study (PDF available here) found that consumer-facing SSO is more about convenience than security. (Note: take this research with a grain of salt, since Facebook and Google are two of Microsoft's main rivals.)

An SSO login creates a virtual handshake between the website a user wants to access and the IdP, i.e. Google or Facebook. Basically, the new site will ask for the verification of user credentials, and the IdP will in essence give a "yes" or "no." But in streamlining things down to a binary decision, there is plenty of room for error.

One of the holes the report identified saw OpenID allow for shortcuts in many identity enforcement sessions. If the site asked to confirm the first name, last name, email address and ZIP code, OpenID might not verify each piece of information. For instance, the researchers accessed the request, deleted a key piece of requested information (such as an email address) as the request went to the OpenID-based service and then re-entered it in the signed "okay" from OpenID. This is clearly a huge hole. The hacker who doesn't have access to your email address (which may be alerted if you're signing on with an unrecognized device) is now able to bypass that safeguard.

Moreover, the researchers were able to use Facebook's authentication system to hijack users' accounts on the social network. Reportedly, all of these holes have been fixed since the report came out, but the research does shine a light on the security sacrifices made for the sake of convenience.

That's not to say that consumer-facing SSO is a pipedream. It's not. Even the flawed OpenID-based SSO mechanisms are better than the status quo of entering passwords for every site a user accesses on the Web. Rather, the point is that there's a lot of work to be done before we can consider this problem more or less solved.

Fixing Passwords, What You Can Do Now

In the meantime, as we all wait for better authentication mechanisms to become standardized, there are plenty of things you can do to boost your security, but you have to make an effort.

Originally published on CIO |  Click here to read the original story.
Join us:






Ask a Question