Convenience vs Privacy: Single Sign-On and Password Managers

Cody Shultz
4 min read · May 27, 2021
Photo by Anna Shvets from Pexels

By Cody Shultz and Alec Harris

Remembering passwords is hard. You know that security is important, so you resolve to have a different one for every website, and your passwords are no longer the name of your pet and your kid’s birthday, but a long string of random letters, numbers, and special characters. Then time passes and you forget whatever mnemonic or unique cipher you developed to remember the password in the first place. After several failed attempts, you begrudgingly hit the “Forgot Password” prompt and await the struggle to happen again in the future.

Increasingly, websites offer a convenient solution: single sign-on, or SSO. Why remember multiple passwords when you can just remember one — typically your Google, Facebook, or Apple login? There is something to be said for the ease with which you can log on to various websites with a single set of credentials, but doing so comes at considerable risk. (Note: while there are some benefits to SSO at the enterprise level, I am addressing the risks at the consumer/personal level.)

Data breaches are a regular occurrence these days, and with each breach comes the risk of your information being exposed. SSO greatly increases the impact of any single breach, because SSO is one key to many doors: whoever obtains the one credential inherits access to every account linked to it. This is something several industry experts have recognized.

“The inherent risks aren’t just hypothetical. In September 2018, Facebook disclosed a massive data breach that impacted at least 50 million of its users and, among other things, exposed any other account those people logged into using Facebook SSO.”[1]

“One username and password combination for not only your … account, but your bank, health provider, car/home insurer, etc., means hackers only have to break the code once to gain access to … well, pretty much everything.”[2]

The risks are not just limited to breaches of data, but also the sharing of data, as Ionos.com points out:

Facebook has also passed on data to these services that was actually intended exclusively for the social media platform. This includes public data such as the name and profile picture, but it also has passed on non-public data such as a person’s age, place of residence, and relationship status. Although Facebook communicates its data forwarding policy as transparently as possible, in order to use certain services, users often have no choice but to agree to this data exchange. Facebook also receives data from the linked services. With these, the platform can further supplement its user profiles and place even more targeted, personalized advertising.[3]

If remembering passwords is such a pain, and creating strong passwords perhaps even worse, what is the best way to address the problem? Password managers. First, let’s clarify what password managers are not: that prompt in your web browser that says, “Would you like to save your password for this website?” Don’t do that. Disable the prompt if you can.

Password managers are programs and/or websites that centralize your ability to keep track of, create, and update your passwords. They typically offer password generators, allowing you to quickly generate random, strong passwords meeting a variety of criteria such as the use of special characters, password length, and whether the password should be pronounceable. The password manager also keeps track of which passwords go with which website, and its only requirement of you is to remember a single (strong!) password to log on to the application. Your master password for your password manager is critical. Make sure it is long, complex, and not something you have used anywhere before, or even similar to anything you’ve used before.
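As an added illustration, not code from the original article or from any of the products named below, the following Python sketch shows how a generator of the kind described above can enforce such criteria while drawing every character from the operating system’s cryptographically secure random source (the `secrets` module). The character classes, the consonant-vowel scheme used for the “pronounceable” option, and the entropy estimate are this example’s own assumptions, not any password manager’s implementation.

```python
import math
import secrets
import string

# Character classes a generation policy can require (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?/",
}

# Simple consonant/vowel alphabets for the pronounceable option (assumption).
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def generate_password(length=20, required=("lower", "upper", "digits", "special")):
    """Return a random password of `length` characters drawn from the union of the
    required classes, guaranteed to contain at least one character from each."""
    if length < len(required):
        raise ValueError("length too short to include every required class")
    pool = "".join(CLASSES[c] for c in required)
    # One guaranteed character per required class, then fill the rest from the pool.
    chars = [secrets.choice(CLASSES[c]) for c in required]
    chars += [secrets.choice(pool) for _ in range(length - len(required))]
    # Shuffle with the CSPRNG so the guaranteed characters do not always lead.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def generate_pronounceable(syllables=6):
    """Alternate consonant and vowel so the result can be spoken aloud.
    Easier to remember, but far fewer possibilities per character (see below)."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) for _ in range(syllables)
    )


def satisfies(password, required=("lower", "upper", "digits", "special")):
    """Policy check: every required class is present and no character is foreign."""
    pool = "".join(CLASSES[c] for c in required)
    return all(any(ch in CLASSES[c] for ch in password) for c in required) and all(
        ch in pool for ch in password
    )


def entropy_bits(length, pool_size):
    """Bits of entropy for `length` independent, uniform picks from `pool_size` symbols."""
    return length * math.log2(pool_size)


def pronounceable_entropy_bits(syllables):
    """Each syllable is one consonant pick times one vowel pick."""
    return syllables * math.log2(len(CONSONANTS) * len(VOWELS))


if __name__ == "__main__":
    pw = generate_password(20)
    pool_size = sum(len(CLASSES[c]) for c in ("lower", "upper", "digits", "special"))
    print(pw, satisfies(pw), round(entropy_bits(20, pool_size), 1), "bits")
    pr = generate_pronounceable(6)
    print(pr, round(pronounceable_entropy_bits(6), 1), "bits")
```

The entropy figures make the trade-off in the “pronounceable” criterion concrete: twenty characters from an 86-symbol pool give roughly 128 bits, while twelve pronounceable characters give under 40, so a pronounceable choice should be made longer, not treated as equivalent.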

“‘Yes. Password managers are a good thing,’ says ‘Emma W.’ — potentially not her real name — at the U.K.’s National Cyber Security Center, which is part of intelligence agency GCHQ… One caveat, of course, is that users have to remember their master password. ‘If you forget the master password for your password manager, you will not be able to get back in,’ she says. ‘You will have to try and access all your accounts individually, or recreate/reset them from scratch. This will hurt.’”[4]

There are several good options, listed alphabetically below, and in many instances they offer fully functional programs for free. Premium versions are also available for a modest monthly or annual fee and add a variety of quality-of-life features, such as reminders to change your passwords every few months. Considering that your password manager holds the literal keys to the kingdom, it’s probably worth the small fee to pay for premium services.

· 1Password
· Bitwarden
· Dashlane
· KeePass
· LastPass

If you don’t already have a password manager, get one today. Then spend the afternoon going back through all your most frequently used websites, disabling any SSO, and creating new, strong passwords. At a minimum, enable two-factor authentication for your password manager master login, and for as many other sites as possible. Ideally you should use a U2F/FIDO2[5] compliant hardware token like a YubiKey.

Ensure there is a disaster recovery plan in place for your password manager. If you are incapacitated or die unexpectedly, legitimate access to your accounts should be simple for your dependents. Many premium password manager tiers offer such a feature.

It’s okay to have a Google or Facebook account — just don’t use it for everything.

[1] https://www.wired.com/story/single-sign-on-facebook-google-apple/

[2] https://www.infosecurity-magazine.com/opinions/password-single-sign-bad/

[3] https://www.ionos.com/digitalguide/server/tools/single-sign-on/

[4] https://www.bankinfosecurity.com/blogs/experts-view-avoid-social-networks-single-sign-on-p-2670

[5] https://www.yubico.com/authentication-standards/fido-u2f/


Cody Shultz

I am a former CIA officer who specializes in reputation and identity management for ultra-high net worth individuals and family offices.