
Exploring the science and magic of Identity and Access Management

Password Synchronization and Post-It Notes

Author: Mark Dixon
Wednesday, August 10, 2005
8:21 pm

In a customer meeting yesterday, we were joking that a distinct benefit of implementing
password synchronization was that many trees would be saved because fewer Post-It®
notes would be used to keep multiple user IDs and passwords handy around one’s
computer screen.

But then we thought of the flip side of the equation: Replacing multiple user
credentials with a single User ID and password could arm a devious person
with all he needed to easily wreak havoc on multiple online systems!

We can only hope that if a person only has to remember one password and one
User ID, he or she will have enough good sense to give up Post-It® notes altogether.



2 Responses to “Password Synchronization and Post-It Notes”

    Indeed… that’s one of the arguments in favour of single sign-on: by giving the user a more manageable number of IDs and passwords to take care of, you reduce the risk of poor management of the secret.

    The ‘all eggs in one basket’ argument is also often raised against single sign-on. The Liberty Alliance considered the problem and concluded that the most sensible mitigation is for the protocols to provide for one or more additional authentication steps, at the discretion of the authenticating party. That means users can benefit from the convenience of single sign-on across the majority of the websites they visit, with additional authentication (such as a PIN number) required for a further subset (such as payment authorisation sites).

    Finally, there’s the point that if you map a user’s SSO ID and password onto multiple ‘back-end’ IDs and passwords which are automatically administered, you can choose (for the latter) much more secure passwords than a user ever would, and you can change them much more frequently than a user would ever do. That doesn’t mitigate the risk of the user’s SSO password being compromised, but it greatly reduces the risk of an attacker directly cracking any of the ‘back-end’ passwords.


    Comment by Robin Wilton on August 15, 2005 at 1:32 pm
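The two mitigations Robin describes above, step-up authentication for a subset of sites and machine-generated, frequently rotated back-end credentials behind a single SSO login, modelled as a small Python broker. This is an added example written for this page; it is not code from the original post, from the commenters, or from any Liberty Alliance specification. The site names, assurance levels, rotation interval, user, PIN and the "mainframe" back-end system are constructed for illustration; a real broker would persist the vault, use a hardware-backed or HSM-protected store, and replace the PIN check with a proper second factor.

```python
"""Toy SSO credential broker (added example, not from the original post).

1. Step-up authentication: each relying party declares the assurance level
   it requires. A session authenticated with password only is refused access
   to a high-assurance site until a second factor (a PIN here, as a
   stand-in) has been verified, at the authenticating party's discretion.
2. Back-end credential mapping: the broker holds a per-system, machine-
   generated password that the user never sees, and rotates it on a schedule
   that is independent of the user's SSO password.
All names, levels and intervals below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

PASSWORD_ONLY = 1       # assurance level after a plain password login
PASSWORD_PLUS_PIN = 2   # assurance level after step-up with a second factor


@dataclass
class Session:
    user: str
    assurance: int = PASSWORD_ONLY


@dataclass
class BackendCredential:
    system: str
    username: str
    password: str
    rotated_at: int     # logical clock tick of the last rotation


def generate_password(length: int = 32) -> str:
    """Machine-generated password: far longer and more random than a user would choose."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Broker:
    def __init__(self, rotation_interval: int = 30):
        self.rotation_interval = rotation_interval
        self.required_assurance: dict[str, int] = {}   # relying party -> level
        self.vault: dict[tuple[str, str], BackendCredential] = {}   # (user, system) -> cred
        self.pins: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, PBKDF2 digest)

    def register_site(self, name: str, level: int) -> None:
        self.required_assurance[name] = level

    def enroll_pin(self, user: str, pin: str) -> None:
        # Store only a salted, stretched hash of the second factor.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self.pins[user] = (salt, digest)

    def step_up(self, session: Session, pin: str) -> bool:
        """Raise the session's assurance if the second factor verifies."""
        salt, digest = self.pins[session.user]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            session.assurance = PASSWORD_PLUS_PIN
            return True
        return False

    def authorize(self, session: Session, site: str) -> bool:
        """A site is reachable only if the session meets its declared assurance."""
        return session.assurance >= self.required_assurance[site]

    def provision(self, user: str, system: str, now: int) -> BackendCredential:
        cred = BackendCredential(system, f"{user}@{system}", generate_password(), now)
        self.vault[(user, system)] = cred
        return cred

    def backend_credential(self, session: Session, system: str, now: int) -> BackendCredential:
        """Return the credential used on the user's behalf, rotating it if stale."""
        cred = self.vault[(session.user, system)]
        if now - cred.rotated_at >= self.rotation_interval:
            cred.password = generate_password()
            cred.rotated_at = now
        return cred


def demo() -> dict:
    """Walk through both controls and return the observed checks."""
    broker = Broker(rotation_interval=30)
    broker.register_site("intranet", PASSWORD_ONLY)
    broker.register_site("payments", PASSWORD_PLUS_PIN)   # constructed high-value site
    broker.enroll_pin("alice", "4821")                     # constructed user and PIN
    session = Session("alice")                             # password login already done

    r = {}
    r["intranet_before_pin"] = broker.authorize(session, "intranet")
    r["payments_before_pin"] = broker.authorize(session, "payments")
    r["wrong_pin_accepted"] = broker.step_up(session, "0000")
    r["payments_after_wrong_pin"] = broker.authorize(session, "payments")
    r["right_pin_accepted"] = broker.step_up(session, "4821")
    r["payments_after_pin"] = broker.authorize(session, "payments")

    first = broker.provision("alice", "mainframe", now=0)   # constructed back-end system
    original = first.password
    r["unchanged_within_interval"] = broker.backend_credential(session, "mainframe", now=10).password == original
    r["rotated_after_interval"] = broker.backend_credential(session, "mainframe", now=45).password != original
    r["backend_password_length"] = len(broker.vault[("alice", "mainframe")].password)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping the vault separate from the session is exactly the one made in the comment: a compromised SSO password still gets an attacker only as far as the broker's policy allows, while the back-end passwords it fronts remain long, random and rotated without any user involvement.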


    Thanks for your comments. I appreciate the insight into using additional authentication steps for SSO and the potential use of “back end” credentials to separate the user login credentials from the actual credentials that log into the protected systems.


    Comment by Mark Dixon on August 16, 2005 at 1:33 am

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.