On 23/11/01 16:40 -0600, Ricardo Delgadillo wrote:
> We have been working around for a while in IT, and recently some of our
> colleagues have serious concerns about single sign-on technology. I guess
> that this issue has derived in pretty interesting discussions. So I'm
> wondering where can I get information about this matter?

This issue was recently debated on one of the securityfocus lists, so
you would want to look at the archives.

Basically, it boils down to the fundamental question of comfort against
security.

Users are more comfortable using a single password for everything, and
will continue to do so unless forced to do otherwise. They would prefer
to login once and everything should then just work seamlessly, without
having to separately authenticate for each service.

From the security professional's point of view, this is a nightmare.
Not everything has been designed with security in mind, and the single
store for passwords/hashes makes it a single point of failure. If this is 
ever compromised, every service can be assumed to be compromised (not all
users have strong passwords).

Single sign-on is like putting all your eggs in one basket because you
don't want to maintain a guard on a number of baskets, but the risk to
that basket is then very high.

In practice, flawed implementations, memory management problems in
operating systems, bad passwords, insecure desktop systems and all other
such problems combine to make this even worse.

If you are considering something like hailstorm, this multiplies the
security problems by quite a few orders of magnitude.

Hope this helps,

Devdas Bhagat
