Google: An Example of Why Single Sign on SucksBy Rich
According to the New York Times, when Google was hacked during the recent China incident, their single sign on system was specifically targeted. The attackers may have accessed the source code, which gives them some good intel to look for other vulnerabilities. There’s speculation they could have also added a back door to the source code, but I suspect that even if they did this, given how quickly Google detected the intrusion, any back doors probably didn’t make it into backups and might be easy for Google to spot and remove.
I’ve never been a fan of single sign on (SSO). Its only purpose is to make life easier for the users at the expense of security. All you need to do is compromise one password and you get access to everything. It’s okay if you use strong authentication (like tokens), but crap if you run it solo.
Not that we can expect all our users to remember 25 complex passwords. That’s why passwords alone as an authentication mechanism also suck.
If you can’t roll out strong authentication, I tend to recommend reduced sign on – instead of one password you have the user remember somewhere between 3-5 to compartmentalize. Drop the 90-day rotations, because they only make life harder without actually improving security, and encourage passphrases rather than the silly 10-character, must-have-a-number, non-alpha-character, and 3-Wingdats-symbols-drawn-in-crayon crap.
Personally I use a password vault (1Password. Technically it’s close to SSO in that if someone gets the password to my vault I’m in deep trouble, but to do that they would need to take over my personal system, and it’s pretty much game over at that point anyway. I don’t have to worry if someone compromises a web forum that they’ll use my password there to access my bank account, since they all use different credentials, and I don’t even know what they all are.
Update: Two points I forgot:
- I don’t do much with Google, but I do have different accounts set up for when I need to compartmentalize services.
- My bank passwords are not in 1Password – those I keep memorized, because I’m a paranoid freak.