23 Oct 2008

Central authentication is coming, and here's a good reason why

Some interesting reading today on OpenID, Facebook Connect, and the dog's breakfast of authentication standards in the market:
Facebook Connect and OpenID Relationship Status: “It’s Complicated” – John McCrea of Plaxo
The authentication landscape appears to be coalescing. I think a lot of vendors will still want to have a "walled garden" ID scheme, but I'm inclined to think their customers will drag them kicking and screaming into a federated identity world.

I have a good reason to think so. People already use a dangerous form of single sign-on: they use the same user ID and password across multiple sites. Some day soon an enterprising young script kiddie from Yemen is going to sit down and write a Distributed Identity Theft Attack that will plunder the databases of weak sites (like some forum you don't even remember signing up for), replay those credentials to take possession of more valuable sites (like Facebook and LinkedIn), and then finally go for the holy grail: your email account, which receives the password-reset links for everything else. Nobody, not even Bruce Schneier (by his own admission), has a different password for every site; at best we have low-, medium-, and high-security passwords. But if you're using the same password everywhere, you're only as secure as the weakest site you visit, which means gold bars for the putative Yemeni banks.

Also, über-paranoid password complexity and periodic forced password change rules actually encourage people to use a password formula across different sites, and to change only the last character in a preset sequence. They're virtually certain to do so, because security training has taught people never, under any circumstances, to write down their passwords. So a dictionary attack seeded with the leaked password and its formula variants will still work in most cases for the DITA outlined above: forty-seven variants isn't a lot to try, and most sites don't lock accounts after repeated password failures.
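An added example, not from the original post, to put a number on "forty-seven variants isn't a lot to try": a few lines of Python that build the candidate list an attacker would try against the valuable site from one password leaked by a weak one, and the check a password-change page could run so a forced rotation can't be satisfied by bumping the last character. The symbol set, the step count and the sample passwords are made up for illustration.

```python
"""Candidate space of a 'bump the last character' password formula, and the
server-side check that refuses the next entry in the sequence.

Added example, not code from the original post. The symbol set and the sample
passwords below are constructed for illustration."""
import re
import string

# Assumed: the handful of symbols a formula user cycles through.
SYMBOLS = "!@#$%^&*"

# stem + counter (+ optional trailing symbol). The counter is the part a
# rotation formula bumps: a run of digits, a single letter, or a single symbol.
COUNTER_RE = re.compile(r"^(.*?)(\d+|[A-Za-z]|[!@#$%^&*])([!@#$%^&*]?)$")


def split_counter(password: str) -> tuple[str, str, str]:
    """Split 'Summer08!' into ('Summer', '08', '!'); no counter -> (pw, '', '')."""
    m = COUNTER_RE.match(password)
    if not m:
        return password, "", ""
    return m.group(1), m.group(2), m.group(3)


def rotation_variants(leaked: str, steps: int = 23) -> list[str]:
    """The attacker's dictionary for the high-value site: the leaked password
    itself, then what the same formula yields up to `steps` positions either
    side of it (earlier entries matter because the target site may lag behind
    the leaked one in the rotation sequence)."""
    stem, counter, suffix = split_counter(leaked)
    candidates = [leaked]
    if counter.isdigit():
        n, width = int(counter), len(counter)
        for k in range(-steps, steps + 1):
            v = n + k
            if k != 0 and v >= 0:
                candidates.append(f"{stem}{v:0{width}d}{suffix}")
    elif counter.isalpha():
        alphabet = string.ascii_lowercase if counter.islower() else string.ascii_uppercase
        candidates.extend(f"{stem}{c}{suffix}" for c in alphabet if c != counter)
    elif counter:
        candidates.extend(f"{stem}{s}{suffix}" for s in SYMBOLS if s != counter)
    return candidates


def is_trivial_rotation(old: str, new: str) -> bool:
    """Defender side: True when `new` differs from `old` only in the counter or
    trailing symbol, i.e. exactly the change a forced-rotation policy provokes.
    A password-change handler can reject these outright."""
    old_stem, _, _ = split_counter(old)
    new_stem, _, _ = split_counter(new)
    return old == new or old_stem.casefold() == new_stem.casefold()


if __name__ == "__main__":
    leaked = "Summer08!"  # constructed: "recovered" from a weak forum's database
    dictionary = rotation_variants(leaked)
    print(f"{len(dictionary)} guesses cover the whole formula around {leaked!r}:")
    print(" ".join(dictionary[:6]), "...")
    for old, new in [("Summer08!", "Summer09!"), ("Summer08!", "Summer2009"),
                     ("Summer08!", "Winter08!")]:
        verdict = "REJECT" if is_trivial_rotation(old, new) else "ok"
        print(f"{old} -> {new}: {verdict}")
```

Run it and you get 32 guesses for the whole neighbourhood of "Summer08!", a trivial number of login attempts against a site with no lockout. The same stem/counter split serves the defender: refusing a new password whose stem matches the old one removes the shortcut the rotation policy invites, which is the point of the paragraph above.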

So go change your online banking password right now; I'll wait. Don't forget PayPal, too. And Amazon, which holds your credit card info, as does iTunes.

So, we'll stumble along with our user ID (which is, often as not, the email address) and password (the same one everywhere) until the Russian Business Network strings together some Perl code and causes a smart-spam and bank-fraud wave big enough to shake consumer confidence in the web. At the very least, consumers will learn not to trust websites with homegrown authentication. They'll pick one or two big-name vendors they trust.

2 comments:

LynnHobbit said...

Yes, this is what I also think about. I guess we all should keep a password diary on paper somewhere, possibly in a lockbox. I'm not even sure that our government isn't doing the job of snagging our passwords. Then, with their competency levels, and the good ol' homeland security competency levels, Yemen or whoever has everything in one place. Heck, they could be trading our information for oil.

Wojciech said...

The attacker doesn't even need to hack anything. He could create a nice website that claims to give something valuable for free, but requires signing up.

Then, out of 10,000 users, let's say 1 in 100 signs up with an email address and a password identical to the one used for that email account. The "attacker" is then left with access to 100 email boxes.

This is why I set a different password for each site, and have separate email addresses for trustworthy sites (and ones that process payments) and for forums.

Yeah... mass adoption of OpenID would be a relief.