Convenience Comes at a Steep Price: Password Management Systems & SSO

Wednesday, July 12, 2017

Alexandre Cagnoni


In today’s environment, it can often be a challenge (if not impossible) to memorize and keep track of all our login credentials for our daily interaction with online apps and services. Users also typically circumvent unwanted, extra layers of security in favor of convenience. Many consumers and businesses are flocking to the mirage of safety offered by password management firms, which are only as strong as their weakest link (often humans), and we must continuously reinforce the need for advanced authentication methods for nearly everyone – consumers, employees, suppliers, etc.

While password management firms may seem like a great idea given the increasing number of digital tools and devices that we rely on every day, they are not a “fix-all” solution. Their protection is only as strong as the password you create to use with the service itself, or the one the administrator/operator creates to secure the system’s database. Moreover, if the credentials associated with a password management service become compromised, the impact is far worse – akin to losing the “Keys to the Castle.” Given that more than 81 percent of data breaches last year involved either stolen and/or weak passwords, the issue must become a central theme in any conversation about online security (2016 Verizon Breach Report).

Users frequently utilize the same username and password combination for multiple accounts, and use social media applications (such as Facebook & Twitter) to automatically create accounts for new products. However, while this is convenient, it’s clearly not secure. According to a 2016 survey, 73% of adults in the United States and UK use the same password (or a simple variation) for all of their accounts.

Many large organizations are switching to another convenience-driven solution to ease the time and burden of logging into multiple systems by implementing Single Sign-On (SSO) applications. But SSO, like password management systems, can be a double-edged sword for security practices.

If the central database of credentials for these systems is eventually compromised through brute-force attacks against privileged users – a feat that becomes easier and less time-consuming with steady advances in computing power – the consequences can be devastating for enterprises, vendors, and customers.

As we have repeatedly witnessed, a primary attack vector for large firms has been through third-party vendors, and this was again the case in last month’s massive breach of the password management firm OneLogin. A company statement conveyed the enormous scope of the incident by admitting that the hacker was able to access database tables that contain information about users, apps, and various types of keys – which could enable the malicious party to decrypt sensitive files for thousands, if not many more, of their clients.

Many security experts have touted password management services and SSO providers as positive advancements over our somewhat outdated reliance on a username and password combination as the most common method of verification. However, trusting cloud-based storage of highly sensitive data always increases the risk of compromise. If an attacker obtains any user’s credentials that are capable of unlocking other applications, they will likely be able to compromise those applications as well.

Social media accounts are also an increasingly common authentication point for third-party applications, which is commonly justified by not having to keep track of yet another new password. It streamlines the sign-in process and only requires permission to be granted during the first session. The third-party permission requirement does deter some users, and it is often restricted by firewalls that block employee access to the social media site. Instituted with an eye toward convenience, it too can allow an attacker to compromise all of the linked accounts by authenticating with only the social media credentials.

The common denominator in all of these scenarios circles back to an archaic overreliance on, and overconfidence in, the level of protection that the username/password combination provides. While several security-centric industries have adopted optional security measures such as two-factor authentication, enhanced authentication must be universally reinforced by making these procedures default requirements for the vast majority of online activity. Multi-factor authentication should be used to help avoid credential theft from every angle. The minimum standard for identification should be expanded to require something you have, something you know, and something you are.

As nefarious actors and groups of all kinds have evolved their capabilities on a regular basis to commit ever more complex acts of cybercrime, we must finally take steps to evolve basic security processes in turn. Password management systems and similar tools aren’t silver bullets, as they only serve as yet another layer of simple, insecure passwords. After all, if all you need is a password to gain access to another password, there’s no substantive enhancement to security.

About the author: Alexandre Cagnoni is CEO of McLean, Virginia-based Datablink, a global provider of advanced authentication and transaction signing solutions.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.