Cloudy crypto firm Ping Identity is pushing the benefits of using cloud-based technologies to reduce, and perhaps even eliminate, password headaches. The firm is using the Infosec show to promote Ping One, launched in late March as a way of offering ID-as-a-service. Ping Identity is also talking up the potential for single sign- …
Passwords aren't the problem..
it's usernames. "Most people" already have a single password for everything and how is this any different? Give me a system that remembers all my sodding usernames - that has use.
Single-sign-on. Pah. Not even online banking operates this way - with good reason.
Re: Passwords aren't the problem..
You're trolling, right?
Because, if you seriously want a system that remembers all your usernames with the assumption that the same password works with *all* of them...well, Christ, for your sake I hope you don't ever sign up for an account on a message board whose admins don't keep the vBulletin/phpBB/whatever implementation up to date (or don't follow good practice re: salting the password hash database). Because if you do, and it's compromised, well, that's everything from your email account & social network gubbins through online-shopping all the way to personal (or even worse professional) sites/systems under someone else's control.
I'm wary of any "single solution for all authentication needs", but I'm also wary of using one password for everything because it's so eminently a silly idea.
I mean, yes, keeping track of usernames is a ballache as well, but someone finding out your login for a service is far less dangerous than finding out your password...
Reality says he's not.
Techies know of "best practice" and all that. Most other people might have heard of it but are mostly annoyed at being forced to remember, then change and re-remember every so often, a fsckton of passwords. So they use only one. Easy does it.
Usernames, though, you often don't get to choose, or are already taken, or whatever. So you end up with many different ones.
Personally I keep a list of places/usernames/passwords, and it's no coincidence there exist various tools to store them for you. If we're going cloud, could keep that list in a cloud-y workspace and access it from everywhere. Whether that's a good idea, well, if it isn't the cloud itself isn't much good for end-users, is it? Recall we're talking "cloud. cloud! CLOUD!" here.
This company may or may not have a useful idea, but it's again entirely focused on corporate use, and they tend to use a simplistic model of "ID" that doesn't scale outside of your single employer. Facebook does much the same and as such is also a needless privacy destroyer. Wish these peeps would come up with something truly better, that is something that does auth without insisting on tacking you to some globally fixed identity. Bit of a missed chance. But again, they're corporates, and to them humans are but a resource.
I for one will likely stick to password lists and ssh keys and such for the time being, simply because I neither need nor want various services and thus organisations to know me by some fixed identity that is invariant without cause. The re-use of an identity should be up to me, not some other service.
Re: Reality says he's not.
Well, yeah, but the same "easy does it" approach says "Why bother having your water well, food store and toilet in three different places? Keep 'em all in the same place and you'll cut down on inconvenient/pointless journeys".
The fact that it's easy to do doesn't render it a good idea.
Which is my point about using the exact same password for every site or service. Even saving it in a browser or password manager is a bad idea - what happens if someone nicks your laptop and spends 15 seconds booting up NTPasswd to blank your Windows password, for example?
I agree wholeheartedly that identity management systems and services are all a bit rubbish in one way or another. The thing is, it's entirely possible that a service that is useful in a corporate environment is predicated on principles that make it worse than useless for personal use. You make do with what tools you have available at the time. There's nothing new here.
I know we're talking about a cloudy sales pitch here, but a centralised access point is also a centralised point of failure, and if they want me (or anyone else) to trust them with the credentials that equate to my identity in so far as work-related information services are concerned, then they're going to have to work very %^&*ing hard to prove to me that their systems are sufficiently bulletproof to resist the presumably large number of folks who will be interested in gaining unauthorised access to them.
So, I've got one set of security researchers telling me to use different passwords everywhere, and another saying we should have one central repository for authentication with some weird scheme that involves bouncing text messages about. I must log in to different unix boxen 50+ times a day - how's this going to help?
If there's nothing for the user to remember then surely a biometric test must be a part of the sign-on process? Not just a 'maybe'.
It might be OK for a business/org that operates a closed environment, where trust can be greater, but otherwise I'd prefer an approach that minimises the consequences of an individual security breach - and SSO without biometrics or passwords isn't it.
Managing User Accounts
Do I really want to rely on a 3rd party to log on to my business applications which are hosted by yet another third party? How do I know Ping are secure enough? How do they deal with security breaches?
'Cloud madness' has most certainly arrived now.
Re: Managing User Accounts
Yeah, it's a funny thing but the current issue of 2600 has a letter from someone describing their experience of discovering a fairly serious zero-day vuln in a service that, if it isn't Ping, certainly has a lot in common with it. Needless to say, it's less reassuring than Ping's marketing folks would like...
You don't hand over the keys to the family car without making damn sure that the driver to whom you're giving them is a competent driver rather than, say, a drunk canine wearing a Groucho Marx mask. Personally, I believe that Ping (and any other company like them) are in fact drunk dogs dressed up as Groucho Marx until proven otherwise...
Re: Managing User Accounts
I like the drunk metaphor so much I'm going to have a pint!
I don't work in corporate IT, so be gentle...
How is this corporate SSO problem any different from private citizens who have mostly one identity (e-mail address) and a bunch of accounts with (hopefully) different passwords?
Browsers/keychains remember the passwords, if that breaks you click the "forgot password" link and re-establish your credentials through e-mailed links etc.
Encrypt the hard drive, enforce a strong password on the OS, Bob's your uncle, no?
No. They slip an MBR trojan onto the hard drive while it's in decrypted operation so as to hijack the boot process and gain access to the encrypted drive's contents (that's how Stoned gets around TrueCrypt's techniques).
Once you can get to a prompt, password-erasing tools like NTpassword can remove that barrier to entry, and now Mallory is in Bob's machine...able to sniff out the browser credentials and so on.
So back to square one. How do you prove identity without some form of identity that can be abused elsewhere? And how do you keep track of numerous protected sites with a bad memory and (for security reasons) no ability to store the login credentials?
"Use cloud security" says cloud security vendor.
"He hinted it was a high-security organisation but didn't say what it was, which market it operated in, or even whether it was in the private or public sector."
Black Mesa Research?
"Yeah .. High Security! That's why we leave armed missiles lying around for everyone to check out. It's part of the tour!!"
Just wait till Cave Johnson hears about it!
In place of passwords...
...he recommends a combination of 4-digit PINs and irrevocable biometrics.
Mmmm. This could be fun. Popcorn ... check. Comfy chair ... check.
Single sign on is no more secure than a set of random passwords stored in a keychain available on the Net.
If they hack one of the services you're using they'll only have access to your things in it and there'll be no way to infer your other passwords.
If they hack the SSO company they'll have access to all of your services (similar to them hacking your password keychain).
And since keychains are not large most of them fit into public cloud storage services.
So these guys are using FUD advertising to sell their own little Ponzi scheme !
Note that the information they'll extract from it is enough of value by itself. Facebook is walking on water to do the same SSO for you for free :)
I can just imagine some of those teenage "hacktivists" licking their lips at the potential mayhem that could be had with a DDOS attack against Ping services.
What was that old adage about not putting all one's eggs in one basket?
There is already a service which does this and more
Reference the comment from Ping: "Oberg acknowledged that reduced rather than "single" sign-on was often the end result of deployments because as "soon as you get an app that isn't anticipated" or one that lacks SSO hooks, then users have to sign into it separately."...
Netsso.com is a place where users can record their credentials for any webplace they wish and later click to go there from any PC, once they have logged into Netsso. It is a true Web SSO service...I'm not sure...but is it the only one? (In Netsso, users can record different usernames/passwords for any different webplaces, but get to them all by clicking after they login to Netsso...so, only one password/username to remember.)
I think some of you have missed the point...
The whole point of the Ping service if I'm reading this right is that they use standards like SAML and OpenID to prevent them having the need to store your passwords/usernames/IDs... Your username and password are kept in your enterprise's current directory like AD and the cloud services have no user account or password for the employees and the PingOne service is like a broker that allows each cloud app to confirm a user's identity using assertions.
Surely this makes it easier for the user as they just need to know their domain credentials and a lot easier for us IT administrators as we just need to maintain accounts in our directory and group membership for which apps we want users to access - this also satisfies my auditors somewhat and prevents a lot of the ballache that they currently give us.
Personally I'll be giving Ping a call to find out a bit more about this service...
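The broker model described in the post above (credentials stay in the enterprise directory, the cloud app only ever receives an assertion), together with the earlier remark about salting the password hash database, as a constructed Python example that is not Ping's, PingOne's or any SAML library's code. The directory class, the HMAC-per-application signing, the claim names (`sub`, `aud`, `exp`, `jti`) and the PBKDF2 work factor are all assumptions made for the illustration; real SAML and OpenID Connect use XML/JSON signatures with asymmetric keys, and this toy only shows the trust boundaries and the checks a relying app has to make.

```python
"""Toy federated sign-on: directory holds salted hashes, broker issues signed
assertions, the cloud app verifies them and never sees a password.
Constructed example; HMAC with a per-app shared key stands in for SAML/OIDC."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor


class EnterpriseDirectory:
    """Stand-in for the corporate directory (AD in the comment). Stores only
    salted PBKDF2 hashes: two users with the same password get different
    records, so a leaked table does not reveal the shared password."""

    def __init__(self):
        self.users = {}  # username -> (salt, digest)

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def verify(self, username, password):
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Broker:
    """Checks the password against the directory, then issues an assertion
    naming the user, the intended app (audience) and an expiry."""

    def __init__(self, directory, app_secrets, lifetime=300):
        self.directory = directory
        self.app_secrets = app_secrets  # app name -> key shared with that app
        self.lifetime = lifetime

    def sign_on(self, username, password, audience, now=None):
        if not self.directory.verify(username, password):
            return None
        now = time.time() if now is None else now
        claims = {"sub": username, "aud": audience, "iat": now,
                  "exp": now + self.lifetime, "jti": secrets.token_hex(8)}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.app_secrets[audience], payload.encode(), hashlib.sha256).digest()
        return payload + "." + _b64(sig)


class CloudApp:
    """Relying app: no password store, trusts the broker's signature and
    checks audience, expiry and (via `seen`) replay of the same assertion."""

    def __init__(self, name, secret):
        self.name, self.secret, self.seen = name, secret, set()

    def accept(self, assertion, now=None):
        now = time.time() if now is None else now
        try:
            payload, sig = assertion.split(".")
            expected = hmac.new(self.secret, payload.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None
            claims = json.loads(_unb64(payload))
            if claims["aud"] != self.name or claims["exp"] < now or claims["jti"] in self.seen:
                return None
            self.seen.add(claims["jti"])
            return claims["sub"]
        except (ValueError, KeyError, TypeError):
            return None


def demo():
    """Runs the happy path and the failure modes; returns a dict of outcomes."""
    directory = EnterpriseDirectory()
    directory.add_user("alice", "correct horse")
    directory.add_user("bob", "correct horse")  # same password, different stored hash
    keys = {"crm": os.urandom(32), "mail": os.urandom(32)}
    broker, crm, mail = Broker(directory, keys), CloudApp("crm", keys["crm"]), CloudApp("mail", keys["mail"])
    token = broker.sign_on("alice", "correct horse", "crm", now=1000.0)
    payload, sig = token.split(".")
    forged_claims = dict(json.loads(_unb64(payload)), sub="bob")
    forged = _b64(json.dumps(forged_claims, sort_keys=True).encode()) + "." + sig
    return {
        "distinct_hashes": directory.users["alice"][1] != directory.users["bob"][1],
        "bad_password": broker.sign_on("alice", "wrong", "crm"),
        "crm_accepts": crm.accept(token, now=1001.0),
        "replay_rejected": crm.accept(token, now=1002.0),
        "wrong_audience": mail.accept(token, now=1001.0),
        "expired": CloudApp("crm", keys["crm"]).accept(token, now=2000.0),
        "tampered": crm.accept(forged, now=1001.0),
    }
```

The app-side checks are the part worth keeping in mind when reading the marketing: a broker that merely vouches "this is alice" is only as good as the relying app's verification of who the assertion was meant for, how old it is, and whether it has been presented before.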