[Discuss] single sign-on

Tom Metro tmetro+blu at gmail.com
Sat Jul 27 03:24:07 EDT 2013


Kent Borg wrote:
> Even more important because the fact that people are already logged into
> their gmail accounts means they are logged into all their Google stuff,
> and that is becoming a major contender for a single sign-on system.

Yes. I advocate using multiple Google accounts to isolate services, but
Android certainly makes that difficult. One day the "throw away" login
you used for unimportant email turns into a login that can now be used
to purchase apps, movies, and who knows what else.


>> LastPass is probably the best option for that audience.
> 
> Oh, jeeze, were I a cyber crook I would *so* hope that Lastpass would
> become really successful, because then I really could get my spyware to
> start stealing some good stuff. ...get millions of people
> trusting Lastpass and standardizing on it as their
> all-eggs-in-one-basket solution...

That's a consideration, but for now you can also apply the philosophy
that you don't need to be able to outrun the bear, you only need to be
faster than the other guy also trying to outrun the bear.

The default behavior around password hygiene is so poor that anyone
using LastPass ends up being a hardened target compared to the vast masses.


> So.  How cautious should I be?  Am I willing to deal with some
> cumbersome effort when I need my Hertz rent-a-car account password?
> Well, if it means I might not have my life really really badly mangled
> by a raiding of my password basket?  You bet I think it is worth it.
>
> -kb, the Kent who feels like a crank running around telling everyone
> they should be frightened.

We should all strive to crank up the inconvenience factor on password
management until we hit our own discomfort threshold or the point of
diminishing returns.

Most users could improve their situation with a minimal change in
inconvenience, just by being made aware of better options and techniques.

LastPass or paper is a reasonable solution for certain audiences.


> The price of managing a manual air-gap for one's cyber security
> doesn't seem unreasonable...

So I'm wondering whether your "air-gap" (manually transcribing passwords
from another device) has necessitated generating passwords that are less
error-prone to human reproduction? For example, minimizing the use of
symbols, avoiding characters like "i" and "L" that easily get confused
with other letters and numbers, and grouping characters into small
clusters separated by spaces? (Google's randomly generated application
passwords follow some of these rules.)

If so, you've reduced entropy, which you'll have to make up for with
increased length, which for many sites may not be possible.

Probably of little practical consequence, but something I'd expect
someone using an "air-gap" to be concerned about.

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/


