Google: An Example of Why Single Sign on Sucks

By Rich

According to the New York Times, when Google was hacked during the recent China incident, their single sign on system was specifically targeted. The attackers may have accessed the source code, which gives them some good intel to look for other vulnerabilities. There’s speculation they could have also added a back door to the source code, but I suspect that even if they did this, given how quickly Google detected the intrusion, any back doors probably didn’t make it into backups and might be easy for Google to spot and remove.

I’ve never been a fan of single sign on (SSO). Its only purpose is to make life easier for the users at the expense of security. All you need to do is compromise one password and you get access to everything. It’s okay if you use strong authentication (like tokens), but crap if you run it solo.

Not that we can expect all our users to remember 25 complex passwords. That’s why passwords alone as an authentication mechanism also suck.

If you can’t roll out strong authentication, I tend to recommend reduced sign on – instead of one password you have the user remember somewhere between 3 and 5 to compartmentalize. Drop the 90-day rotations, because they only make life harder without actually improving security, and encourage passphrases rather than the silly 10-character, must-have-a-number, non-alpha-character, and 3-Wingdings-symbols-drawn-in-crayon crap.
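To make the passphrase point concrete, here is an added example (not code from the post or from Securosis) of two policy checkers side by side: a composition-rule policy of the kind the post criticises, and a length-first policy that favours passphrases. The policy thresholds, the tiny word blocklist and the leet-speak table are constructed for illustration; the point it shows is that the composition rule rejects a long passphrase while accepting a predictable dictionary pattern, and that a simple normalisation step catches what the composition rule misses.

```python
import re

# Constructed policies (assumptions, not from the post). Many legacy systems also
# cap length, which is what actually kills passphrases.
COMPLEXITY_RULES = {
    "min_length": 10,
    "max_length": 16,
    "require_digit": True,
    "require_symbol": True,
    "require_upper": True,
}
PASSPHRASE_RULES = {"min_length": 16, "max_length": 128}

# Constructed leet-speak normalisation and a tiny blocklist; a real deployment
# would use a large breached-password list instead.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "!": "i", "4": "a"})
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}


def passes_complexity(pw: str, rules=COMPLEXITY_RULES) -> bool:
    """The 'must have a number and a symbol' style of rule."""
    if not rules["min_length"] <= len(pw) <= rules["max_length"]:
        return False
    if rules["require_digit"] and not re.search(r"\d", pw):
        return False
    if rules["require_symbol"] and not re.search(r"[^A-Za-z0-9]", pw):
        return False
    if rules["require_upper"] and not re.search(r"[A-Z]", pw):
        return False
    return True


def passes_passphrase(pw: str, rules=PASSPHRASE_RULES) -> bool:
    """Length-first rule: long enough, and no arbitrary upper cap."""
    return rules["min_length"] <= len(pw) <= rules["max_length"]


def looks_like_common_word(pw: str) -> bool:
    """Undo common substitutions, strip non-letters, then look for dictionary
    words. Catches patterns such as 'P@ssw0rd1!' that satisfy composition rules."""
    core = re.sub(r"[^a-z]", "", pw.translate(LEET).lower())
    return any(word in core for word in COMMON_WORDS)


def evaluate(pw: str) -> dict:
    """Run every check and return the verdicts for comparison."""
    return {
        "complexity": passes_complexity(pw),
        "passphrase": passes_passphrase(pw),
        "common_pattern": looks_like_common_word(pw),
    }


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd1!"):
        print(f"{candidate!r}: {evaluate(candidate)}")
```

Running it shows the four-word passphrase failing the composition policy (too long, no digit) while passing the length-first one, and the leet-speak pattern doing the reverse and also tripping the blocklist.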

Personally I use a password vault (1Password). Technically it’s close to SSO in that if someone gets the password to my vault I’m in deep trouble, but to do that they would need to take over my personal system, and it’s pretty much game over at that point anyway. I don’t have to worry if someone compromises a web forum that they’ll use my password there to access my bank account, since they all use different credentials, and I don’t even know what they all are.

Update: Two points I forgot:

  1. I don’t do much with Google, but I do have different accounts set up for when I need to compartmentalize services.
  2. My bank passwords are not in 1Password – those I keep memorized, because I’m a paranoid freak.
Comments

I agree with you; you can’t even use SSO with IMAP and POP… what’s the point.

Google should have an IP layer for authentication like MySQL… so a company could select what IPs can’t connect to an account, with a password of course.

By Leo
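The comment above suggests pairing a password with a per-account network restriction in the style of MySQL’s 'user'@'host' grants. The following is an added example of what such a check looks like on the server side; it is not code from the post, from the commenter or from Google. The account table, passphrases and network ranges are constructed, and the PBKDF2 parameters are illustrative assumptions.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed PBKDF2 parameters (assumption; tune for your hardware).
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(password: str, allowed_networks: list[str]) -> dict:
    """Store a salted hash plus the CIDR ranges logins are permitted from."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "allowed": [ipaddress.ip_network(n) for n in allowed_networks],
    }


# Constructed accounts, in the spirit of 'alice'@'10.%' style grants.
ACCOUNTS = {
    "alice": make_account("correct horse battery staple",
                          ["10.0.0.0/8", "203.0.113.0/24"]),
    "bob": make_account("another long passphrase here", ["192.0.2.5/32"]),
}

# Dummy account so unknown users cost the same as known ones (no timing oracle).
_DUMMY = make_account("unused dummy password", ["0.0.0.0/32"])


def source_allowed(account: dict, source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in account["allowed"])


def authenticate(username: str, password: str, source_ip: str,
                 accounts: dict = ACCOUNTS) -> tuple[bool, str]:
    """Return (ok, reason). The reason is for the server log; a client should
    only ever see a generic failure. Both checks always run so that a wrong
    password and a wrong network take the same time."""
    account = accounts.get(username, _DUMMY)
    known = username in accounts
    net_ok = source_allowed(account, source_ip)
    pw_ok = hmac.compare_digest(_hash_password(password, account["salt"]),
                                account["hash"])
    if not known:
        return False, "unknown user"
    if not net_ok:
        return False, "source not allowed"
    if not pw_ok:
        return False, "bad password"
    return True, "ok"


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple", "10.1.2.3"))
    print(authenticate("alice", "correct horse battery staple", "198.51.100.7"))
```

The network check does not replace the password; it adds a second factor tied to where the request comes from, so a password leaked elsewhere is not enough on its own from an unexpected location. The rejection reason is deliberately kept out of the client-facing response and logged instead, which is where a detection team would alert on "source not allowed" events.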


Hey Max,

I agree that if someone gets your desktop almost none of these systems will help. At least if they get me with a keystroke sniffer when I go into 1Password.

I’m referring more to the compromise on the back end or of the password to the SSO system. You don’t necessarily need to nail the desktop in that case.

By Rich


Rich, your 1Password scheme would have yielded the same access. Assuming reports are correct the attack began with a compromised user box. Had it been yours the attackers would have obtained all your saved passwords and you’d not only have to remediate your compromised computer but change every single password you stored in 1Password.

A good SSO system would, at least, not give out the actual passwords.

I agree on compartmentalization but I disagree on the premise that SSO is inherently bad.

By Max
